apache / apisix

The Cloud-Native API Gateway
https://apisix.apache.org/blog/
Apache License 2.0

request help: Could I use X-ID-Token header to visit the route protected by apisix openid-connect plugin #5311

Open haowang-pony opened 2 years ago

haowang-pony commented 2 years ago

Issue description

I want to implement such a workflow:

Screenshot (56)

However I met two problems:

  1. The openid-connect plugin only reads the access_token when verifying the JWT token: https://github.com/apache/apisix/blob/fa8a34f72d4de45a42390d17ca27aa9f808deb83/apisix/plugins/openid-connect.lua#L161
  2. The openid-connect plugin only supports introspection_endpoint. Could we add a cert endpoint to the config, which would be used to get the public key from Keycloak, so that we could verify the token after receiving the public key from Keycloak? I don't want to define public_key in ApisixRoute: it's ugly, and it would cause problems if the Keycloak public key were changed. Why I don't use the authz-keycloak plugin: authz-keycloak requires a JWT token in the request to APISIX, but I also want to implement the following workflow, so I gave up on using the authz-keycloak plugin.

Screenshot (57)

For the first problem, maybe we could just add get_bearer_id_token() in the introspect function when there is no access token. If that makes sense, I could help to do that.

For the second problem, I'm not sure whether it's acceptable to add a cert endpoint to the openid-connect config. If it isn't, I hope authz-keycloak could support this workflow; it should copy the main logic of the openid-connect plugin. If this makes sense, I could also contribute that and write an article about how to integrate with Keycloak.

Environment
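The two behaviours the issue asks for, written out as an added standalone Go example (this is not APISIX code, which is Lua, and not the reporter's proposal): the token is taken from the Authorization bearer header with X-ID-Token as the fallback, and the JWT is verified with RS256 against a cached JWKS fetched from the IdP's cert endpoint, re-fetched once when a token names an unknown kid, so a Keycloak key rotation needs no public_key edit on the route. The names Verifier, TokenFromHeaders, JWKSFor and SignRS256, the Fetch hook, and the issuer and audience values are hypothetical; JWKSFor and SignRS256 only stand in for Keycloak so that the example runs offline.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"math/big"
	"net/http"
	"strings"
	"time"
)

// jwk is one RSA entry of the key set Keycloak serves at /realms/<realm>/protocol/openid-connect/certs.
type jwk struct{ Kid, Kty, N, E string }

// Verifier caches the key set and re-fetches it once when a token names an unknown kid, so a
// Keycloak key rotation needs no edit to the route config (nothing like public_key is pinned).
type Verifier struct {
	Fetch    func() ([]jwk, error) // hypothetical: production code would GET and decode the certs endpoint
	Iss, Aud string
	keys     map[string]*rsa.PublicKey
}

func (v *Verifier) refresh() error {
	set, err := v.Fetch()
	if err != nil {
		return err // keep the old cache on a transient fetch failure
	}
	v.keys = map[string]*rsa.PublicKey{}
	for _, k := range set {
		n, errN := base64.RawURLEncoding.DecodeString(k.N) // n and e are base64url big-endian integers
		e, errE := base64.RawURLEncoding.DecodeString(k.E)
		if k.Kty == "RSA" && errN == nil && errE == nil { // skip non-RSA or malformed entries
			v.keys[k.Kid] = &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}
		}
	}
	return nil
}

// TokenFromHeaders does what the issue asks: bearer access token from Authorization, else X-ID-Token.
func TokenFromHeaders(h http.Header) string {
	if a := h.Get("Authorization"); strings.HasPrefix(strings.ToLower(a), "bearer ") {
		return strings.TrimSpace(a[7:])
	}
	return h.Get("X-ID-Token") // empty when neither header is present
}

// Verify checks the RS256 signature with the kid-selected key (the token's own alg is never
// allowed to pick a different key type), then iss, aud and exp. Returns the subject on success.
func (v *Verifier) Verify(token string) (string, error) {
	parts := strings.Split(token, ".")
	hj, err := base64.RawURLEncoding.DecodeString(parts[0])
	var hdr struct{ Alg, Kid string } // encoding/json matches "alg"/"kid" case-insensitively
	if len(parts) != 3 || err != nil || json.Unmarshal(hj, &hdr) != nil || hdr.Alg != "RS256" {
		return "", errors.New("malformed token or unsupported alg")
	}
	key, ok := v.keys[hdr.Kid]
	if !ok { // unknown kid: the IdP may have rotated keys, so refresh the set once
		if err = v.refresh(); err != nil {
			return "", err
		}
		if key, ok = v.keys[hdr.Kid]; !ok {
			return "", errors.New("unknown kid " + hdr.Kid)
		}
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err != nil || rsa.VerifyPKCS1v15(key, crypto.SHA256, digest[:], sig) != nil {
		return "", errors.New("bad signature")
	}
	var c struct {
		Iss, Aud, Sub string // aud kept a string here; real tokens may carry an array
		Exp           int64
	}
	pj, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil || json.Unmarshal(pj, &c) != nil || c.Iss != v.Iss || c.Aud != v.Aud || time.Now().Unix() >= c.Exp {
		return "", errors.New("bad payload, wrong iss/aud, or expired")
	}
	return c.Sub, nil
}

// JWKSFor and SignRS256 are a constructed stand-in for Keycloak: publish a key, mint a token under a kid.
func JWKSFor(kid string, pub *rsa.PublicKey) []jwk {
	enc := base64.RawURLEncoding.EncodeToString
	return []jwk{{Kid: kid, Kty: "RSA", N: enc(pub.N.Bytes()), E: enc(big.NewInt(int64(pub.E)).Bytes())}}
}

func SignRS256(priv *rsa.PrivateKey, kid, iss, aud, sub string) string {
	enc := func(x any) string { j, _ := json.Marshal(x); return base64.RawURLEncoding.EncodeToString(j) }
	signing := enc(map[string]string{"alg": "RS256", "kid": kid}) + "." +
		enc(map[string]any{"iss": iss, "aud": aud, "sub": sub, "exp": time.Now().Add(time.Hour).Unix()})
	d := sha256.Sum256([]byte(signing))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, d[:])
	return signing + "." + base64.RawURLEncoding.EncodeToString(sig)
}
```

To exercise it, generate a key with rsa.GenerateKey, hand JWKSFor's output back from Fetch, and call Verify on a SignRS256 token; swapping the published key set for a fresh kid shows the rotation path, and a token under the withdrawn kid is rejected after the refresh. The refresh-on-unknown-kid step is what makes rotation transparent, but it also means any request carrying a made-up kid triggers a fetch of the cert endpoint, so production code should rate-limit that refresh. Reject tokens whose alg is anything but the expected RSA algorithm regardless of what the header claims, and check the audience value against the client you actually issued tokens for.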

spacewander commented 2 years ago

A PR is welcome! For the second problem, we can try to add a cert endpoint for it.

spacewander commented 2 years ago

BTW, please submit a separate PR for each problem.