jenskeiner opened a new issue #2764:
URL: https://github.com/apache/apisix/issues/2764


### Issue description
When using the OIDC plugin, it looks like request headers with the user name/access token/id_token may not be set correctly in the code path where an incoming request is successfully authenticated against an OIDC server.

According to line https://github.com/apache/apisix/blob/4d316bc0681c80435ab1a3fc113c3c6ea3c82831/apisix/plugins/openid-connect.lua#L161 in the code, the `openidc.authenticate` method is called with two expected return values, a response and an error object. The user name and tokens are then extracted from the response object and set as headers on the HTTP request.

However, the method that is called actually seems to return four values. If the incoming request had no access token set in a header field or in a cookie, the return value seems to come from https://github.com/zmartzone/lua-resty-openidc/blob/df75c6e26cb7dbc9d78927d989e98be04173f10b/lib/resty/openidc.lua#L1189 where the first two return values are actually `nil`, the third is the original request URL, and the fourth is the session object.

The session object turns out to actually hold the user name and tokens.

Essentially, the current plugin code seems to incorrectly look in `nil` values for the user name and tokens to add them as request headers, where it should actually be checking the returned session object.

### Environment

* apisix version (cmd: `apisix version`): 2.0
* OS: Alpine Linux Docker image

### Minimal test code / Steps to reproduce the issue
1. Add the openid-connect plugin to protect any route.
2. In the plugin configuration, specify the fields `client_id`, `client_secret`, `discovery`, `real`, `introspection_endpoint`, and `redirect_uri` accordingly.
3. Verify that the plugin doesn't go through the code path where it would extract the user name and tokens and add corresponding headers; see https://github.com/apache/apisix/blob/4d316bc0681c80435ab1a3fc113c3c6ea3c82831/apisix/plugins/openid-connect.lua.

### What's the actual result? (including assertion message & call stack if applicable)
Expected headers don't get added to the HTTP request, as explained above.

### What's the expected result?
HTTP headers for user name, access_token, and id_token are added to the request.
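As an added illustration (not code from the issue or from the APISIX plugin itself), the sketch below shows the defensive pattern the report implies for an OpenResty access handler: capture all four values returned by `openidc.authenticate` instead of two, and fall back to the session object when the response table is `nil`. The `session.data.*` field names and the `X-Userinfo`/`X-Access-Token`/`X-ID-Token` header names are assumptions, not taken from the issue.

```lua
local openidc = require("resty.openidc")
local cjson   = require("cjson.safe")

-- conf: the plugin configuration (client_id, client_secret, discovery, ...),
-- assumed to have been validated before this function is called.
local function authenticate_and_set_headers(conf)
    -- Capture all four return values. A plain `local res, err = ...` silently
    -- drops the original URL and the session object, which is the defect the
    -- report describes.
    local res, err, original_url, session = openidc.authenticate(conf)
    if err then
        ngx.log(ngx.ERR, "OIDC authentication failed: ", err)
        return ngx.HTTP_INTERNAL_SERVER_ERROR
    end

    -- Fallback: when the request carried no token, the first value is nil but
    -- the session (if one was established) still holds the user and tokens.
    -- Field names under session.data are an assumption about lua-resty-openidc.
    if not res and session and session.data then
        res = {
            user         = session.data.user,
            access_token = session.data.access_token,
            id_token     = session.data.id_token,
        }
    end

    if not res or not res.user then
        -- Nothing to forward, e.g. the call already issued a redirect to the
        -- identity provider and the response is not a user session yet.
        return nil, original_url
    end

    -- Header names below are assumed; use whatever the route's upstream expects.
    ngx.req.set_header("X-Userinfo", ngx.encode_base64(cjson.encode(res.user)))
    if res.access_token then
        ngx.req.set_header("X-Access-Token", res.access_token)
    end
    if res.id_token then
        ngx.req.set_header("X-ID-Token", ngx.encode_base64(cjson.encode(res.id_token)))
    end
    return nil, original_url
end

return authenticate_and_set_headers
```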

