Environment
apisix version (cmd: apisix version):
OS (cmd: uname -a):
OpenResty / Nginx version (cmd: nginx -V or openresty -V):
etcd version, if have (cmd: run curl http://127.0.0.1:9090/v1/server_info to get the info from server-info API):
apisix-dashboard version, if have:
the plugin runner version, if the issue is about a plugin runner (cmd: depended on the kind of runner):
luarocks version, if the issue is about installation (cmd: luarocks --version):
Issue description

I want to implement such a workflow.

However, I met two problems:

1. The openid-connect plugin only reads access_token when verifying the JWT token: https://github.com/apache/apisix/blob/fa8a34f72d4de45a42390d17ca27aa9f808deb83/apisix/plugins/openid-connect.lua#L161

2. The openid-connect plugin only supports introspection_endpoint. Could we add a cert endpoint to the config, which would be used to get the public key from Keycloak, so that we could verify the token after receiving the public key from Keycloak? I don't want to define public_key in ApisixRoute. It's ugly, and it would cause problems if the Keycloak public key were changed.

Why I don't use the authz-keycloak plugin: authz-keycloak requires a JWT token when requesting APISIX, but I also want to implement the following workflow, therefore I gave up on using the authz-keycloak plugin.

For the first problem, maybe we could just add get_bearer_id_token() in the introspect function when there is no access token. If it makes sense, I could help to do that.

For the second problem, I'm not sure whether it's allowed to add a cert endpoint to the openid-connect config. If it's not allowed, I hope authz-keycloak could support this workflow. It should copy the main logic of the openid-connect plugin. If this makes sense, I could also contribute to this and write an article about how to integrate with Keycloak.
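The cert endpoint the issue asks for is Keycloak's certs endpoint, which serves the realm's signing keys as a JWKS document, and the reason to fetch it instead of pinning public_key in the route is exactly the rotation case the issue describes. Below is an added example, not code from APISIX, its openid-connect plugin, or Keycloak: a standalone Python sketch of JWKS-based verification that picks the signing key by the token's kid header and refetches the key set when a token names a kid it has not seen. The hand-rolled RSA (there only to keep the example dependency-free), the issuer URL https://keycloak.example/realms/demo, the kid names and the in-memory JWKS are all constructed for the example.

```python
"""Verify RS256 JWTs against a JWKS document, selecting the key by the token's kid rather than a
statically configured public_key. Standard library only: a throwaway RSA key pair is generated at
runtime and an in-memory dict stands in for the certs endpoint, so nothing here touches the network."""
import base64, hashlib, json, secrets, time

# ---- minimal RSASSA-PKCS1-v1_5 / SHA-256: demo only, a real gateway uses a vetted JOSE library ----
def _is_probable_prime(n, rounds=32):   # Miller-Rabin with random witnesses; callers pass odd n > 3
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _gen_prime(bits):
    while True:
        c = secrets.randbits(bits) | (1 << (bits - 1)) | 1   # force the top bit and oddness
        if _is_probable_prime(c):
            return c
def gen_rsa(bits=1024):   # returns (n, e, d) for a fresh throwaway key
    e = 65537
    while True:
        p, q = _gen_prime(bits // 2), _gen_prime(bits // 2)
        n, phi = p * q, (p - 1) * (q - 1)
        if p != q and n.bit_length() == bits and phi % e:
            return n, e, pow(e, -1, phi)
_DIGESTINFO_SHA256 = bytes.fromhex("3031300d060960864801650304020105000420")   # RFC 8017 DigestInfo prefix
def _emsa(msg, k):   # EMSA-PKCS1-v1_5 encoding of SHA-256(msg) into k bytes
    t = _DIGESTINFO_SHA256 + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t
def rsa_sign(msg, n, d):
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(_emsa(msg, k), "big"), d, n).to_bytes(k, "big")
def rsa_verify(msg, sig, n, e):
    k = (n.bit_length() + 7) // 8
    return len(sig) == k and pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big") == _emsa(msg, k)

# ---- JWT / JWKS plumbing ----
def _b64u(b): return base64.urlsafe_b64encode(b).rstrip(b"=").decode()
def _b64u_dec(s): return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def _int_b64u(x): return _b64u(x.to_bytes((x.bit_length() + 7) // 8, "big"))
def _b64u_int(s): return int.from_bytes(_b64u_dec(s), "big")
def make_jwt(claims, kid, n, d):   # an RS256 JWT whose header names its key by kid, as an IdP issues
    head = _b64u(json.dumps({"alg": "RS256", "typ": "JWT", "kid": kid}).encode())
    signing_input = head + "." + _b64u(json.dumps(claims).encode())
    return signing_input + "." + _b64u(rsa_sign(signing_input.encode(), n, d))
def jwks_document(public_keys):   # {kid: (n, e)} -> the {"keys": [...]} document a certs endpoint serves
    return {"keys": [{"kty": "RSA", "use": "sig", "alg": "RS256", "kid": kid, "n": _int_b64u(n), "e": _int_b64u(e)}
                     for kid, (n, e) in public_keys.items()]}
def _require(ok, reason):
    if not ok:
        raise ValueError(reason)

class JwksVerifier:
    """Caches keys by kid and refetches the JWKS once when a token names an unknown kid (key rotation)."""
    def __init__(self, fetch_jwks, issuer):
        self._fetch, self._issuer, self._keys, self.fetches = fetch_jwks, issuer, {}, 0

    def _refresh(self):
        self._keys = {k["kid"]: (_b64u_int(k["n"]), _b64u_int(k["e"])) for k in self._fetch()["keys"]
                      if k.get("kty") == "RSA" and k.get("use", "sig") == "sig"}
        self.fetches += 1

    def verify(self, token, now=None):   # returns the claims of a valid token, else raises ValueError(reason)
        try:
            h_b64, p_b64, s_b64 = token.split(".")
            header, payload, sig = json.loads(_b64u_dec(h_b64)), _b64u_dec(p_b64), _b64u_dec(s_b64)
        except ValueError:
            raise ValueError("malformed token") from None
        _require(isinstance(header, dict) and header.get("alg") == "RS256", "bad header")  # token never picks alg
        kid = str(header.get("kid"))
        if kid not in self._keys:
            self._refresh()                                  # the IdP may have rotated keys since the last fetch
        _require(kid in self._keys, "unknown kid")
        _require(rsa_verify(f"{h_b64}.{p_b64}".encode(), sig, *self._keys[kid]), "bad signature")
        claims = json.loads(payload)                         # parsed only after the signature checks out
        _require(isinstance(claims, dict) and claims.get("iss") == self._issuer, "wrong issuer")
        _require(claims.get("exp", 0) > (time.time() if now is None else now), "expired")
        return claims

def demo(issuer="https://keycloak.example/realms/demo"):   # constructed issuer URL
    """Accept a token signed with the current key, then keep accepting after the IdP rotates to a new one."""
    old_n, old_e, old_d = gen_rsa()
    new_n, new_e, new_d = gen_rsa()
    published = {"old-kid": (old_n, old_e)}                 # what the certs endpoint serves right now
    verifier = JwksVerifier(lambda: jwks_document(published), issuer)
    now, claims = 1_700_000_000, {"iss": issuer, "sub": "alice", "exp": 1_700_000_300}
    ok_old = verifier.verify(make_jwt(claims, "old-kid", old_n, old_d), now)["sub"] == "alice"
    published["new-kid"] = (new_n, new_e)                   # rotation: new key published, tokens now carry new-kid
    ok_rotated = verifier.verify(make_jwt(claims, "new-kid", new_n, new_d), now)["sub"] == "alice"
    return {"ok_old": ok_old, "ok_rotated": ok_rotated, "fetches": verifier.fetches}   # fetches == 2
```

demo() walks the rotation: the verifier fetches the key set on first use, and when the identity provider publishes a new key and starts issuing tokens with the new kid, the unknown kid triggers exactly one refetch and the token is accepted without any route configuration change. verify() rejects tokens with a reason string: a header that is not RS256, a kid that is still unknown after refetch, a signature that does not match, a wrong issuer, or an expired token. Two production caveats the sketch leaves out: refetching on every unknown kid lets a flood of tokens with bogus kids hammer the JWKS endpoint, so a real cache should rate-limit refreshes and also expire entries on a TTL; and the JWKS must be fetched over TLS from the configured issuer, since whoever controls that document controls which tokens are trusted.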