We learnt in #280 that Porta is storing OIDC apps' client_secrets as app_key's, and that has caused confusion as to how to deal with OIDC in the 3scale Istio Adapter, as specifying the client_secret as an app_key while using the auth*.xml endpoints ends up in successfully authorizing requests.
This issue should be resolved when we know why this is being done and whether we should remove/not allow these keys to be stored for such apps, and consequently, whether a request for an OIDC service specifying an app_key parameter should be checked against the registered app_keys that we have in our data store.
We learnt in #280 that Porta is storing OIDC apps' client_secrets as
app_key
's, and that has caused confusion as to how to deal with OIDC in the 3scale Istio Adapter, as specifying the client_secret as anapp_key
while using theauth*.xml
endpoints ends up in successfully authorizing requests.This issue should be resolved when we know why this is being done and whether we should remove/not allow these keys to be stored for such apps, and consequently, whether a request for an OIDC service specifying an
app_key
parameter should be checked against the registeredapp_key
s that we have in our data store./cc @davidor