nokia / kong-oidc

OIDC plugin for Kong
Apache License 2.0

"bearer_only" mode always tries to redirect #144

Open ramirezd42 opened 4 years ago

ramirezd42 commented 4 years ago

I'm trying to use bearer_only=yes to allow this plugin to function as just a means of introspection, verifying tokens passing through with my OIDC provider.

My understanding is that with this option enabled, any request handled without a valid Authorization header should get rejected with a 401.

However, no matter what I try, this option seems to be ignored. It always tries to redirect.

The kong.yml config for the service I'm testing out is:

...
  - name: petstore
    url: http://petstore:8080/api
    plugins:
      - name: oidc
        config:
          client_id: client-1
          client_secret: client-1-secret
          bearer_only: yes
          introspection_endpoint: http://localhost:8000/hydra/oauth2/introspect
          discovery: http://localhost:8000/hydra/.well-known/openid-configuration
    routes:
      - name: petstore
        paths:
          - /petstore
...

I've tried without the discovery config as well, but then it just fails trying to load that.

Any thoughts? Am I missing something obvious somewhere? 🙏

ramirezd42 commented 4 years ago

Got it working! This was because

bearer_only: yes

gets parsed as true (as the YAML spec says to do: https://yaml.org/refcard.html), and this plugin checks for the string value of "yes".
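As an added illustration of the mismatch described above (this is not kong-oidc's own code, which is Lua): a YAML 1.1 loader turns the plain scalar `yes` into boolean true, the plugin compares against the string "yes", and the request silently falls back to the redirect flow instead of the 401 the operator intended. The snippet resolves scalars the way the refcard describes, mimics the string check, and lints a config fragment so the misconfiguration is caught before deployment; `lint_bearer_only` and the sample fragments are constructed for this example.

```python
import re

# YAML 1.1 boolean forms listed on the refcard linked above.
_YAML11_TRUE = {"y", "Y", "yes", "Yes", "YES", "true", "True", "TRUE", "on", "On", "ON"}
_YAML11_FALSE = {"n", "N", "no", "No", "NO", "false", "False", "FALSE", "off", "Off", "OFF"}


def resolve_scalar(raw: str):
    """Resolve one YAML 1.1 scalar the way a loader would (plain or quoted)."""
    raw = raw.strip()
    # Quoted scalars always stay strings: quoting is the fix for this issue.
    if len(raw) >= 2 and raw[0] == raw[-1] and raw[0] in "\"'":
        return raw[1:-1]
    if raw in _YAML11_TRUE:
        return True
    if raw in _YAML11_FALSE:
        return False
    return raw


def plugin_bearer_only(value) -> bool:
    """Mimic the plugin's check: bearer_only is honoured only as the string "yes"."""
    return value == "yes"


def lint_bearer_only(yaml_text: str):
    """Return (effective_mode, warning) for the bearer_only line of a plugin config.

    effective_mode is "bearer_only" or "redirect"; warning is None when the
    loaded value is what the plugin expects.
    """
    m = re.search(r"^\s*bearer_only:\s*(.+?)\s*$", yaml_text, re.MULTILINE)
    if not m:
        return "redirect", None  # option absent: plugin uses the redirect flow
    value = resolve_scalar(m.group(1))
    if plugin_bearer_only(value):
        return "bearer_only", None
    if isinstance(value, bool):
        return "redirect", (f"bearer_only loaded as boolean {value}; quote it "
                            f'(bearer_only: "yes") so the plugin sees the string')
    return "redirect", f"bearer_only is {value!r}; plugin only honours the string \"yes\""


# Constructed samples: the line from the issue versus the quoted fix.
BROKEN = "config:\n  client_id: client-1\n  bearer_only: yes\n"
FIXED = "config:\n  client_id: client-1\n  bearer_only: \"yes\"\n"
```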

abdsamadbakr commented 4 years ago

Hi @ramirezd42,

I saw you set the introspection endpoint. Is it mandatory for you, to implement a "client credentials" flow without the redirect?

My OpenID configuration doesn't provide this endpoint (Azure AD doesn't provide one).

Thanks for any help