luarx opened a new pull request, #13616:
URL: https://github.com/apache/apisix/pull/13616

   ### Description
     
     Add a new boolean plugin option `set_enc_id_token_header` (default: 
`false`) that, when
     enabled, forwards the raw RS256-signed ID token JWT to upstream via the 
`X-Enc-ID-Token`
     request header.
   
     Unlike the existing `X-ID-Token` header (which contains 
`base64(JSON(decoded_claims))` with
     no cryptographic signature), `X-Enc-ID-Token` carries the original signed 
token verifiable
     against the identity provider's JWKS endpoint.
   
     Implementation details:
     - The header is cleared at rewrite entry to prevent client injection.
     ensures `enc_id_token` is included so the raw JWT is persisted in the 
session by
     lua-resty-openidc. When `session_contents` is nil (the default), 
lua-resty-openidc stores all
     session data including `enc_id_token`, so no action is needed.
     - Only available in the full OIDC session flow (not in the 
bearer/introspection path, where
     no session exists).
   
     #### Which issue(s) this PR fixes:
     
     Fixes #13615
   
     ### Checklist
   
     - [x] I have explained the need for this PR and the problem it solves
     - [x] I have explained the changes or the new features added to this PR
     - [x] I have added tests corresponding to this change
     - [x] I have updated the documentation to reflect this change
     - [x] I have verified that this change is backward compatible (If not, 
please discuss on the
     [APISIX mailing 
list](https://github.com/apache/apisix/tree/master#community) first)


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to