nokia / kong-oidc

OIDC plugin for Kong
Apache License 2.0

Add JWKS-based validation support #150

Open jmdacruz opened 4 years ago

jmdacruz commented 4 years ago

Looking at the introspection code in handler.lua, it seems that the code uses the introspect function in resty.openidc. This function relies on the token introspection endpoint, even when the provider may also support JWKS allowing local validation of tokens (no need to call the token introspection endpoint). It seems this could be achieved by using the bearer_jwt_verify function in resty.openidc, which has a similar API to the introspect function.

Should there be a configuration option on the plugin to allow users to switch to bearer_jwt_verify?

(This seems to be related to #106)
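
The switch proposed in this issue could look like the sketch below. It is an added example, not code from kong-oidc or from the issue author. `validation_mode`, `allowed_algs` and `expected_issuer` are hypothetical plugin options; the other fields are passed straight through to `resty.openidc`.

```lua
-- Added sketch, not kong-oidc code. `validation_mode`, `allowed_algs` and
-- `expected_issuer` are hypothetical plugin options.
local openidc = require("resty.openidc")

local M = {}

-- Validate the bearer token on the current request.
-- Returns the claims/introspection table, or nil plus an error string.
function M.validate_bearer(conf)
  if conf.validation_mode == "jwks" then
    -- Local validation: signing keys are resolved through the discovery
    -- document, so the token itself is never sent to the provider.
    local claims, err = openidc.bearer_jwt_verify({
      discovery = conf.discovery,
      -- Pin the accepted algorithms instead of trusting the token header.
      token_signing_alg_values_expected = conf.allowed_algs or { "RS256" },
      accept_none_alg = false,
    })
    if err or not claims then
      return nil, "jwt verification failed: " .. tostring(err)
    end
    -- A valid signature only proves who signed the token; also check
    -- that it came from the issuer this route expects.
    if conf.expected_issuer and claims.iss ~= conf.expected_issuer then
      return nil, "unexpected issuer"
    end
    return claims
  end

  -- Default: remote validation through the token introspection endpoint.
  local res, err = openidc.introspect({
    introspection_endpoint = conf.introspection_endpoint,
    client_id = conf.client_id,
    client_secret = conf.client_secret,
  })
  if err or not res then
    return nil, "introspection failed: " .. tostring(err)
  end
  return res
end

return M
```

Local verification cannot see a revocation at the provider, so a token stays accepted until it expires; introspection remains the mode to use where immediate revocation matters.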