jenskeiner opened a new pull request #3263: URL: https://github.com/apache/apisix/pull/3263
### What this PR does / why we need it:

The `authz-keycloak` plugin needs to know the Keycloak token endpoint to use. A configuration option to point to the token endpoint is already there. Additionally, Keycloak supports discovery of Authorization Services-related endpoints, like the token endpoint, through a discovery document served under a well-known path relative to the realm, e.g. `https://keycloak-host/auth/realms/foo/.well-known/uma2-configuration`.

It can be convenient to use the discovery document to get the token endpoint URL, instead of specifying the token endpoint explicitly, since the URL is typically shorter. More importantly, future build-out of the `authz-keycloak` plugin may require access to additional related endpoints. In this case, just providing the single path to the discovery document would be more convenient than specifying each endpoint URL explicitly.

This PR adds an attribute that allows specifying the discovery document URL and makes the token endpoint attribute optional. However, it is checked that at least one, discovery or token endpoint, is given. The plugin now fetches the discovery document lazily and caches it in shared storage already used by the `openid-connect` plugin (better: the `openidc` module used therein) for similar purposes in the context of OIDC endpoint discovery. If both discovery and token endpoint are given, the plugin prefers the explicit token endpoint value over the one from discovery.

### Pre-submission checklist:

* [x] Did you explain what problem does this PR solve? Or what new features have been added?
* [x] Have you added corresponding test cases?
* [x] Have you modified the corresponding document?
* [x] Is this PR backward compatible? **If it is not backward compatible, please discuss on the [mailing list](https://github.com/apache/apisix/tree/master#community) first**

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: [email protected]
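
The endpoint resolution the PR description outlines (at least one of discovery or token endpoint required, lazy cached discovery, explicit endpoint preferred), as an added Lua example that is not part of the PR or the plugin's code. The function names, the `cache` table standing in for the shared storage, the injected `fetch` function and the sample token endpoint URLs are all assumptions made for illustration.

```lua
-- Added example, not the plugin's code. All names here are hypothetical.
local cache = {}  -- stands in for the shared storage the PR mentions

-- Reject a config that names neither a discovery URL nor a token endpoint.
local function check_conf(conf)
    if not conf.discovery and not conf.token_endpoint then
        return false, "at least one of discovery or token_endpoint is required"
    end
    return true
end

-- Fetch the discovery document on first use only; later calls hit the cache.
-- `fetch` is an injected function(url) returning a table, or nil plus an error.
local function get_discovery(url, fetch)
    if cache[url] then return cache[url] end
    local doc, err = fetch(url)
    if not doc then
        return nil, "discovery fetch failed: " .. tostring(err)
    end
    cache[url] = doc
    return doc
end

-- An explicit token_endpoint wins over the discovered one.
local function resolve_token_endpoint(conf, fetch)
    local ok, err = check_conf(conf)
    if not ok then return nil, err end
    if conf.token_endpoint then return conf.token_endpoint end
    local doc, derr = get_discovery(conf.discovery, fetch)
    if not doc then return nil, derr end
    if type(doc.token_endpoint) ~= "string" then
        return nil, "discovery document has no token_endpoint"
    end
    return doc.token_endpoint
end

-- Constructed sample: a stub fetcher that counts calls instead of doing HTTP.
local calls = 0
local function stub_fetch(_)
    calls = calls + 1
    return { token_endpoint = "https://keycloak-host/auth/realms/foo/protocol/openid-connect/token" }
end
local disc = "https://keycloak-host/auth/realms/foo/.well-known/uma2-configuration"
print(resolve_token_endpoint({ discovery = disc }, stub_fetch))   -- from discovery
print(resolve_token_endpoint({ discovery = disc }, stub_fetch))   -- served from cache
print("fetch calls:", calls)
print(resolve_token_endpoint({ discovery = disc,
      token_endpoint = "https://explicit.example/token" }, stub_fetch))
print(resolve_token_endpoint({}, stub_fetch))                     -- nil plus error
```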
