apache · spacewander · Jul 6, 2022 · Jul 2, 2022 · Jul 2, 2022 · Jul 2, 2022
diff --git a/apisix/plugins/openid-connect.lua b/apisix/plugins/openid-connect.lua
@@ -73,6 +73,11 @@ local schema = {
         },
         public_key = {type = "string"},
         token_signing_alg_values_expected = {type = "string"},
+        use_pkce = {
+            description = "when set to true the PKEC(Proof Key for Code Exchange) will be used.",
+            type = "boolean",
+            default = false
+        },
         set_access_token_header = {
             description = "Whether the access token should be added as a header to the request " ..
                 "for downstream",

diff --git a/docs/en/latest/plugins/openid-connect.md b/docs/en/latest/plugins/openid-connect.md
@@ -51,6 +51,7 @@ The `openid-connect` Plugin provides authentication and introspection capability
 | public_key                           | string  | False    |                       |              | Public key to verify the token.                                                                                    |
 | use_jwks                             | boolean | False    |                       |              | When set to true, uses the JWKS endpoint of the identity server to verify the token.                               |
 | token_signing_alg_values_expected    | string  | False    |                       |              | Algorithm used for signing the authentication token.                                                               |
+| use_pkce                             | boolean | False    |                       |              | when set to true the "Proof Key for Code Exchange" as defined in RFC 7636 will be used.   |
 | set_access_token_header              | boolean | False    | true                  |              | When set to true, sets the access token in a request header.                                                       |
 | access_token_in_authorization_header | boolean | False    | false                 |              | When set to true, sets the access token in the `Authorization` header. Otherwise, set the `X-Access-Token` header. |
 | set_id_token_header                  | boolean | False    | true                  |              | When set to true and the ID token is available, sets the ID token in the `X-ID-Token` request header.              |

diff --git a/docs/zh/latest/plugins/openid-connect.md b/docs/zh/latest/plugins/openid-connect.md
@@ -50,6 +50,7 @@ description: 本文介绍了关于 Apache APISIX `openid-connect` 插件的基
 | introspection_endpoint_auth_method   | string  | 否     | "client_secret_basic" |               | 令牌自省的认证方法名称。                                                                           |
 | public_key                           | string  | 否     |                       |               | 验证令牌的公钥。                                                                                  |
 | token_signing_alg_values_expected    | string  | 否     |                       |               | 用于对令牌进行签名的算法。                                                                         |
+| use_pkce                             | boolean | 否     |                       |               | 是否使用 PKEC（Proof Key for Code Exchange）。                                                                           |
 | set_access_token_header              | boolean | 否     | true                  | [true, false] | 在请求头设置访问令牌。                                                                            |
 | access_token_in_authorization_header | boolean | 否     | false                 | [true, false] | 当值为 `true` 时，将访问令牌设置在请求头参数 `Authorization`，否则将使用请求头参数 `X-Access-Token`。|
 | set_id_token_header                  | boolean | 否     | true                  | [true, false] | 是否将 ID 令牌设置到请求头参数 `X-ID-Token`。                                                      |

diff --git a/rockspec/apisix-master-0.rockspec b/rockspec/apisix-master-0.rockspec
@@ -47,7 +47,7 @@ dependencies = {
     "opentracing-openresty = 0.1",
     "lua-resty-radixtree = 2.8.2",
     "lua-protobuf = 0.3.4",
-    "lua-resty-openidc = 1.7.2-1",
+    "lua-resty-openidc = 1.7.5",
     "luafilesystem = 1.7.0-2",
     "api7-lua-tinyyaml = 0.4.2",
     "nginx-lua-prometheus = 0.20220527",

diff --git a/t/plugin/openid-connect.t b/t/plugin/openid-connect.t
@@ -109,7 +109,8 @@ done
                                 "redirect_uri": "https://iresty.com",
                                 "ssl_verify": false,
                                 "timeout": 10,
-                                "scope": "apisix"
+                                "scope": "apisix",
+                                "use_pkce": false
                             }
                         },
                         "upstream": {
@@ -918,7 +919,7 @@ OIDC introspection failed: invalid token
 --- request
 GET /t
 --- response_body
-{"access_token_in_authorization_header":false,"bearer_only":false,"client_id":"kbyuFDidLLm280LIwVFiazOqjO3ty8KH","client_secret":"60Op4HFM0I8ajz0WdiStAbziZ-VFQttXuxixHHs2R7r7-CW8GR79l-mmLqMhc-Sa","discovery":"http://127.0.0.1:1980/.well-known/openid-configuration","introspection_endpoint_auth_method":"client_secret_basic","logout_path":"/logout","realm":"apisix","scope":"openid","set_access_token_header":true,"set_id_token_header":true,"set_refresh_token_header":false,"set_userinfo_header":true,"ssl_verify":false,"timeout":3}
+{"access_token_in_authorization_header":false,"bearer_only":false,"client_id":"kbyuFDidLLm280LIwVFiazOqjO3ty8KH","client_secret":"60Op4HFM0I8ajz0WdiStAbziZ-VFQttXuxixHHs2R7r7-CW8GR79l-mmLqMhc-Sa","discovery":"http://127.0.0.1:1980/.well-known/openid-configuration","introspection_endpoint_auth_method":"client_secret_basic","logout_path":"/logout","realm":"apisix","scope":"openid","set_access_token_header":true,"set_id_token_header":true,"set_refresh_token_header":false,"set_userinfo_header":true,"ssl_verify":false,"timeout":3,"use_pkce":false}
 --- no_error_log
 [error]