haowang-pony opened a new issue #5311: URL: https://github.com/apache/apisix/issues/5311
### Issue description

I want to implement such workflow

However I met two problems:

1. The `openid-connect` plugin only reads `access_token` when verifying the JWT token. https://github.com/apache/apisix/blob/fa8a34f72d4de45a42390d17ca27aa9f808deb83/apisix/plugins/openid-connect.lua#L161
2. The `openid-connect` plugin only supports introspection_endpoint. Could we add a cert endpoint in the config, used to get the public key from Keycloak, so that we could verify the token after receiving the public key from Keycloak? Because I don't want to define public_key in ApisixRoute. It's ugly and it would have a problem if the Keycloak public key was changed.

**Why I don't use the authz-keycloak plugin: authz-keycloak needs a JWT token when requesting apisix, therefore I don't use that plugin.**

For the first problem, maybe we could just add `get_bearer_id_token()` in the [introspect](https://github.com/apache/apisix/blob/fa8a34f72d4de45a42390d17ca27aa9f808deb83/apisix/plugins/openid-connect.lua#L159) function when there is no access token. If it makes sense, I could help to do that.

For the second problem, I'm not sure whether it's allowed to add a cert endpoint in the `openid-connect` config. If it's not allowed, I hope `authz-keycloak` could support this workflow. It's a copy of the main workflow of the `openid-connect` plugin

### Environment

- apisix version (cmd: `apisix version`):
- OS (cmd: `uname -a`):
- OpenResty / Nginx version (cmd: `nginx -V` or `openresty -V`):
- etcd version, if have (cmd: run `curl http://127.0.0.1:9090/v1/server_info` to get the info from server-info API):
- apisix-dashboard version, if have:
- the plugin runner version, if the issue is about a plugin runner (cmd: depended on the kind of runner):
- luarocks version, if the issue is about installation (cmd: `luarocks --version`):
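The second problem in the issue is a key-rotation problem: a `public_key` pinned in the route goes stale when Keycloak rotates its signing key. As an added example (not APISIX or lua-resty-openidc code), the Python below shows the key-selection step a gateway would perform against a cert (JWKS) endpoint: pick the key by the token's `kid`, refetch on an unknown `kid` with a rate limit, and reject algorithms outside an allowlist. `JwksKeyResolver`, `sample_token`, the `fetch_jwks` callable and the 30-second interval are assumptions; the signature check itself is left to the JWT library that receives the returned key.

```python
import base64, json, time

def b64url_json(segment):
    """Decode one base64url JWT segment into a dict."""
    return json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))

def sample_token(kid, alg="RS256"):
    """Constructed token for the demo; the signature part is a placeholder."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": alg, "kid": kid}), enc({"sub": "constructed"}), "c2ln"])

class JwksKeyResolver:
    """Hypothetical helper: choose the verification key from a JWKS document."""

    def __init__(self, fetch_jwks, allowed_algs=("RS256",), min_refresh_s=30,
                 clock=time.monotonic):
        self.fetch_jwks = fetch_jwks        # callable returning the cert endpoint's JSON
        self.allowed_algs = set(allowed_algs)
        self.min_refresh_s = min_refresh_s  # assumed value; bounds fetches on unknown kids
        self.clock = clock
        self.keys, self.last_fetch = {}, None

    def refresh(self):
        now = self.clock()
        if self.last_fetch is not None and now - self.last_fetch < self.min_refresh_s:
            return  # a flood of bogus kids must not become a flood of IdP requests
        self.last_fetch = now
        self.keys = {k["kid"]: k for k in self.fetch_jwks().get("keys", [])
                     if "kid" in k and k.get("use", "sig") == "sig"}

    def key_for(self, token):
        parts = token.split(".")
        if len(parts) != 3:
            raise ValueError("not a compact JWS")
        header = b64url_json(parts[0])
        alg, kid = header.get("alg"), header.get("kid")
        if alg not in self.allowed_algs:    # rejects "none" and HS256 key confusion
            raise ValueError("algorithm not allowed: %r" % alg)
        if kid not in self.keys:            # first use, or the IdP rotated its key
            self.refresh()
        key = self.keys.get(kid)
        if key is None:
            raise KeyError("no JWKS key with kid %r" % kid)
        if key.get("alg", alg) != alg:      # key is bound to a different algorithm
            raise ValueError("alg does not match the JWKS entry")
        return key                          # hand this JWK to the JWT library to verify
```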
