From 8412e3f3f3326308bec6cdf724deeafc2ade74df Mon Sep 17 00:00:00 2001
From: Traky Deng
Date: Fri, 17 Nov 2023 01:00:11 -0800
Subject: [PATCH] fix: update OIDC plugin attribute description and schema (#10502)
---
 apisix/plugins/openid-connect.lua | 4 ++++
 docs/en/latest/plugins/openid-connect.md | 6 +++---
 docs/zh/latest/plugins/openid-connect.md | 6 +++---
 t/plugin/openid-connect.t | 2 +-
 4 files changed, 11 insertions(+), 7 deletions(-)
diff --git a/apisix/plugins/openid-connect.lua b/apisix/plugins/openid-connect.lua
index 0bd39f20d2cb..5c9fffc89841 100644
--- a/apisix/plugins/openid-connect.lua
+++ b/apisix/plugins/openid-connect.lua
@@ -54,6 +54,10 @@ local schema = {
 type = "string",
 default = "client_secret_basic"
 },
+ token_endpoint_auth_method = {
+ type = "string",
+ default = "client_secret_basic"
+ },
 bearer_only = {
 type = "boolean",
 default = false,
diff --git a/docs/en/latest/plugins/openid-connect.md b/docs/en/latest/plugins/openid-connect.md
index 486001a933f0..1121250a722c 100644
--- a/docs/en/latest/plugins/openid-connect.md
+++ b/docs/en/latest/plugins/openid-connect.md
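Review bot: The new `token_endpoint_auth_method` schema entry sets a default of `client_secret_basic`, but the documentation tables updated in the same commit (the docs/en and docs/zh hunks) still leave the Default column for that attribute empty, so the schema and the docs now disagree; the Default cell should read `"client_secret_basic"` exactly as the `introspection_endpoint_auth_method` row above it does. This is also a behaviour change rather than a pure description fix: the removed doc line says an unset attribute let the library pick the first method advertised by the provider, while the new default always requests `client_secret_basic` unless the provider does not list it, which deserves a changelog entry so operators whose provider prefers a stronger method such as `private_key_jwt` notice that the effective default moved. The fall-back-to-first-supported-method behaviour the new description promises lives in lua-resty-openidc rather than in this hunk, so it is worth confirming that the library version pinned by the project actually implements it before documenting it as guaranteed. The enclosing `schema` table starts and ends outside the hunk.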
@@ -46,9 +46,9 @@ description: OpenID Connect allows the client to obtain user information from th
 | redirect_uri | string | False | "ngx.var.request_uri" | | URI to which the identity provider redirects back to. |
 | timeout | integer | False | 3 | [1,...] | Request timeout time in seconds. |
 | ssl_verify | boolean | False | false | | When set to true, verifies the identity provider's SSL certificates. |
-| introspection_endpoint | string | False | | | URL of the token verification endpoint of the identity server. |
-| introspection_endpoint_auth_method | string | False | "client_secret_basic" | | Authentication method name for token introspection. |
-| token_endpoint_auth_method | string | False | | | Authentication method name for token endpoint. The default will get the first supported method specified by the OP. |
+| introspection_endpoint | string | False | | | URL of the token introspection endpoint for the identity provider used to introspect access tokens. If this is unset, the introspection endpoint presented in the well-known discovery document is used [as a fallback](https://github.com/zmartzone/lua-resty-openidc/commit/cdaf824996d2b499de4c72852c91733872137c9c). |
+| introspection_endpoint_auth_method | string | False | "client_secret_basic" | | Authentication method for the token introspection endpoint. The value should be one of the authentication methods specified in the `introspection_endpoint_auth_methods_supported` [authorization server metadata](https://www.rfc-editor.org/rfc/rfc8414.html) as seen in the well-known discovery document, such as `client_secret_basic`, `client_secret_post`, `private_key_jwt`, or `client_secret_jwt`. |
+| token_endpoint_auth_method | string | False | | | Authentication method for the token endpoint. 
The value should be one of the authentication methods specified in the `token_endpoint_auth_methods_supported` [authorization server metadata](https://www.rfc-editor.org/rfc/rfc8414.html) as seen in the well-known discovery document, such as `client_secret_basic`, `client_secret_post`, `private_key_jwt`, or `client_secret_jwt`. If the configured method is not supported, fall back to the first method in the `token_endpoint_auth_methods_supported` array. |
 | public_key | string | False | | | Public key to verify the token. |
 | use_jwks | boolean | False | false | | When set to `true`, uses the JWKS endpoint of the identity server to verify the token. |
 | use_pkce | boolean | False | false | | when set to `true`, the "Proof Key for Code Exchange" as defined in RFC 7636 will be used. |
diff --git a/docs/zh/latest/plugins/openid-connect.md b/docs/zh/latest/plugins/openid-connect.md
index 3fbe9fc0d735..2dae43d7def1 100644
--- a/docs/zh/latest/plugins/openid-connect.md
+++ b/docs/zh/latest/plugins/openid-connect.md
@@ -46,9 +46,9 @@ description: OpenID Connect(OIDC)是基于 OAuth 2.0 的身份认证协议
 | redirect_uri | string | 否 | "ngx.var.request_uri" | | 身份提供者重定向返回的 URI。 |
 | timeout | integer | 否 | 3 | [1,...] | 请求超时时间,单位为秒 |
 | ssl_verify | boolean | 否 | false | [true, false] | 当设置为 `true` 时,验证身份提供者的 SSL 证书。 |
-| introspection_endpoint | string | 否 | | | 身份服务器的令牌认证端点。 |
-| introspection_endpoint_auth_method | string | 否 | "client_secret_basic" | | 令牌内省的认证方法名称。 |
-| token_endpoint_auth_method | string | 否 | | | 令牌端点的身份验证方法名称。默认情况将获取 OP 指定的第一个支持的方法。 |
+| introspection_endpoint | string | 否 | | | 用于内省访问令牌的身份提供者的令牌内省端点的 URL。如果未设置,则使用发现文档中提供的内省端点[作为后备](https://github.com/zmartzone/lua-resty-openidc/commit/cdaf824996d2b499de4c72852c91733872137c9c)。 |
+| introspection_endpoint_auth_method | string | 否 | "client_secret_basic" | | 令牌内省端点的身份验证方法。该值应是“introspection_endpoint_auth_methods_supported”[授权服务器元数据](https://www.rfc-editor.org/rfc/rfc8414.html)中指定的身份验证方法之一,如发现文档中所示,例如 `client_secret_basic`, `client_secret_post`, `private_key_jwt`,或 `client_secret_jwt`。 |
+| token_endpoint_auth_method | string | 否 | | | 令牌端点的身份验证方法。该值应是“token_endpoint_auth_methods_supported”[授权服务器元数据](https://www.rfc-editor.org/rfc/rfc8414.html)中指定的身份验证方法之一,如发现文档中所示,例如 `client_secret_basic`, `client_secret_post`, `private_key_jwt`,或 `client_secret_jwt`。如果不支持配置的方法,则回退到`token_endpoint_auth_methods_supported` 数组中的第一个方法。 |
 | public_key | string | 否 | | | 验证令牌的公钥。 |
 | use_jwks | boolean | 否 | false | | 当设置为 `true` 时,则会使用身份认证服务器的 JWKS 端点来验证令牌。 |
 | use_pkce | boolean | 否 | false | [true, false] | 当设置为 `true` 时,则使用 PKEC(Proof Key for Code Exchange)。 |
diff --git a/t/plugin/openid-connect.t b/t/plugin/openid-connect.t
index 515319248c9b..d78d3806706b 100644
--- a/t/plugin/openid-connect.t
+++ b/t/plugin/openid-connect.t
@@ -876,7 +876,7 @@ OIDC introspection failed: invalid token } } --- response_body -{"access_token_in_authorization_header":false,"bearer_only":false,"client_id":"kbyuFDidLLm280LIwVFiazOqjO3ty8KH","client_secret":"60Op4HFM0I8ajz0WdiStAbziZ-VFQttXuxixHHs2R7r7-CW8GR79l-mmLqMhc-Sa","discovery":"http://127.0.0.1:1980/.well-known/openid-configuration","introspection_endpoint_auth_method":"client_secret_basic","logout_path":"/logout","realm":"apisix","scope":"openid","set_access_token_header":true,"set_id_token_header":true,"set_refresh_token_header":false,"set_userinfo_header":true,"ssl_verify":false,"timeout":3,"unauth_action":"auth","use_pkce":false} +{"access_token_in_authorization_header":false,"bearer_only":false,"client_id":"kbyuFDidLLm280LIwVFiazOqjO3ty8KH","client_secret":"60Op4HFM0I8ajz0WdiStAbziZ-VFQttXuxixHHs2R7r7-CW8GR79l-mmLqMhc-Sa","discovery":"http://127.0.0.1:1980/.well-known/openid-configuration","introspection_endpoint_auth_method":"client_secret_basic","logout_path":"/logout","realm":"apisix","scope":"openid","set_access_token_header":true,"set_id_token_header":true,"set_refresh_token_header":false,"set_userinfo_header":true,"ssl_verify":false,"timeout":3,"token_endpoint_auth_method":"client_secret_basic","unauth_action":"auth","use_pkce":false}