starsz commented on code in PR #7371:
URL: https://github.com/apache/apisix/pull/7371#discussion_r913087982
##########
docs/en/latest/plugins/openid-connect.md:
##########
@@ -33,29 +33,29 @@ The `openid-connect` Plugin provides authentication and
introspection capability
## Attributes
-| Name | Type | Required | Default
| Valid values | Description
|
-|--------------------------------------|---------|----------|-----------------------|--------------|--------------------------------------------------------------------------------------------------------------------|
-| client_id | string | True |
| | OAuth client ID.
|
-| client_secret | string | True |
| | OAuth client secret.
|
-| discovery | string | True |
| | Discovery endpoint URL of the identity server.
|
-| scope | string | False | "openid"
| | Scope used for authentication.
|
-| realm | string | False | "apisix"
| | Realm used for authentication.
|
-| bearer_only | boolean | False | false
| | When set to true, the Plugin will check for if the
authorization header in the request matches a bearer token. |
-| logout_path | string | False | "/logout"
| | Path for logging out.
|
-| post_logout_redirect_uri | string | False |
| | URL to redirect to after logging out.
|
-| redirect_uri | string | False |
"ngx.var.request_uri" | | URI to which the identity provider
redirects back to.
|
-| timeout | integer | False | 3
| [1,...] | Request timeout time in seconds.
|
-| ssl_verify | boolean | False | false
| | When set to true, verifies the identity provider's SSL
certificates. |
-| introspection_endpoint | string | False |
| | URL of the token verification endpoint of the identity
server. |
-| introspection_endpoint_auth_method | string | False |
"client_secret_basic" | | Authentication method name for token
introspection. |
-| public_key | string | False |
| | Public key to verify the token.
|
-| use_jwks | boolean | False |
| | When set to true, uses the JWKS endpoint of the identity
server to verify the token. |
-| token_signing_alg_values_expected | string | False |
| | Algorithm used for signing the authentication token.
|
-| set_access_token_header | boolean | False | true
| | When set to true, sets the access token in a request
header. |
-| access_token_in_authorization_header | boolean | False | false
| | When set to true, sets the access token in the
`Authorization` header. Otherwise, set the `X-Access-Token` header. |
-| set_id_token_header | boolean | False | true
| | When set to true and the ID token is available, sets the
ID token in the `X-ID-Token` request header. |
-| set_userinfo_header | boolean | False | true
| | When set to true and the UserInfo object is available,
sets it in the `X-Userinfo` request header. |
-| set_refresh_token_header | boolean | False | false
| | When set to true and a refresh token object is
available, sets it in the `X-Refresh-Token` request header. |
+| Name | Type | Required | Default
| Valid values | Description
|
+|--------------------------------------|---------|----------|-----------------------|--------------|--------------------------------------------------------------------------------------------------------------------------|
+| client_id | string | True |
| | OAuth client ID.
|
+| client_secret | string | True |
| | OAuth client secret.
|
+| discovery | string | True |
| | Discovery endpoint URL of the identity server.
|
+| scope | string | False | "openid"
| | Scope used for authentication.
|
+| realm | string | False | "apisix"
| | Realm used for authentication.
|
+| bearer_only | boolean | False | false
| | When set to true, the Plugin will check for if the
authorization header in the request matches a bearer token. |
+| logout_path | string | False | "/logout"
| | Path for logging out.
|
+| post_logout_redirect_uri | string | False |
| | URL to redirect to after logging out.
|
+| redirect_uri | string | False |
"ngx.var.request_uri" | | URI to which the identity provider
redirects back to.
|
+| timeout | integer | False | 3
| [1,...] | Request timeout time in seconds.
|
+| ssl_verify | boolean | False | false
| | When set to true, verifies the identity provider's SSL
certificates. |
+| introspection_endpoint | string | False |
| | URL of the token verification endpoint of the identity
server. |
+| introspection_endpoint_auth_method | string | False |
| | Authentication method name for token introspection, If
not specified, the default will use the first value in well_know. |
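Review bot: the rewritten `introspection_endpoint_auth_method` row (the last `+` line) removes the documented `"client_secret_basic"` default and replaces it with "the default will use the first value in well_know", which misspells well-known and does not say which discovery field the value comes from, so a reader cannot tell what the plugin will actually send to the introspection endpoint. If the effective default really is `client_secret_basic`, keep it in the Default column and describe any discovery-driven selection in its own row; in either case, reword the cell so it names the metadata field instead of "well_know" and split the comma splice: "Authentication method name for token introspection. If not specified, ..." .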
Review Comment:
After digging into it, I found that:
1. The default value of `introspection_endpoint_auth_method` is
"client_secret_basic"; sorry to @hf400159.
2. And `lua-resty-openidc` will use another conf called
"token_endpoint_auth_method". It isn't introduced in the docs, but it can work
well in the "openid-connect" plugin.
The default value of "token_endpoint_auth_method" will fetch the first
supported method specified by the OP.
Refer to
https://github.com/zmartzone/lua-resty-openidc/blob/master/lib/resty/openidc.lua#L677
So in conclusion, I think we should keep the original doc, and add the new
field "token_endpoint_auth_method" to the docs.
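The selection behaviour the comment describes (no method configured, so take the first method the OP advertises and otherwise fall back to `client_secret_basic`), written out as an added Python example. This is not APISIX or lua-resty-openidc code and does not claim to reproduce how that library orders its checks; the discovery document, the client credentials and the `KNOWN_METHODS` list are constructed for illustration. It goes a little beyond the comment in two ways a reviewer of this doc change would care about: it rejects an explicitly configured method the OP does not advertise instead of silently using it, and it shows what `client_secret_basic` and `client_secret_post` actually put on the wire, which is why the documented default matters.

```python
"""Client-authentication method selection for an OIDC token/introspection
request (added example; not APISIX or lua-resty-openidc code)."""
import base64
from urllib.parse import quote, urlencode

# Methods this relying party knows how to perform (assumption for the example).
KNOWN_METHODS = ("client_secret_basic", "client_secret_post")

# Constructed discovery document; nothing here is fetched from a real OP.
DISCOVERY = {
    "issuer": "https://op.example/",
    "token_endpoint": "https://op.example/token",
    "introspection_endpoint": "https://op.example/introspect",
    "token_endpoint_auth_methods_supported": [
        "private_key_jwt", "client_secret_post", "client_secret_basic",
    ],
}


def select_auth_method(discovery, configured=None, fallback="client_secret_basic"):
    """Decide how the client authenticates to the OP.

    configured: an explicit operator choice (the role token_endpoint_auth_method
                plays in the comment). It is validated against what this client
                can do and what the OP advertises, so a typo or an unsupported
                method fails at configuration time rather than on every request.
    Otherwise: the first advertised method we can perform, else `fallback`.
    """
    supported = discovery.get("token_endpoint_auth_methods_supported")
    if configured is not None:
        if configured not in KNOWN_METHODS:
            raise ValueError(f"client cannot perform auth method {configured!r}")
        if supported is not None and configured not in supported:
            raise ValueError(f"OP does not advertise {configured!r}; supported={supported}")
        return configured
    for method in supported or ():
        if method in KNOWN_METHODS:
            return method
    return fallback


def build_request(method, client_id, client_secret, params):
    """Return (headers, form_body) for a token-endpoint style POST.

    client_secret_basic: credentials travel in an HTTP Basic Authorization
        header; RFC 6749 s2.3.1 requires form-urlencoding id and secret first.
    client_secret_post: credentials travel as client_id/client_secret form
        fields alongside the other parameters.
    """
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    body = dict(params)
    if method == "client_secret_basic":
        raw = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}".encode()
        headers["Authorization"] = "Basic " + base64.b64encode(raw).decode()
    elif method == "client_secret_post":
        body["client_id"] = client_id
        body["client_secret"] = client_secret
    else:
        raise ValueError(f"unsupported client auth method {method!r}")
    return headers, urlencode(body)


def introspection_request(discovery, token, client_id, client_secret, configured=None):
    """Compose an RFC 7662 introspection call using the selected method."""
    method = select_auth_method(discovery, configured)
    headers, body = build_request(
        method, client_id, client_secret,
        {"token": token, "token_type_hint": "access_token"},
    )
    return discovery["introspection_endpoint"], method, headers, body


if __name__ == "__main__":
    url, method, headers, body = introspection_request(DISCOVERY, "abc", "my-app", "s3cret")
    print(method, url)
    print(headers)
    print(body)
```

With the constructed discovery document the unconfigured path picks `client_secret_post`, because `private_key_jwt` is advertised first but is not something this client can perform; an explicit `configured="client_secret_basic"` is honoured, and `configured="private_key_jwt"` is rejected. Whether the real library also skips methods it cannot perform is not stated on this page; treat that part as the example's own design choice.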
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]