verify in pub key

apache · Feb 28, 2025 · 580a515 · 580a515
1 parent adf5af6
commit 580a515
Show file tree

Hide file tree

Showing 3 changed files with 9 additions and 17 deletions.
diff --git a/apisix/plugins/openid-connect.lua b/apisix/plugins/openid-connect.lua
@@ -383,9 +383,15 @@ local function introspect(ctx, conf)
             return nil, nil, nil, nil
         end
     end
-    local opts = {}
-    -- If we get here, token was found in request.
-    if conf.use_jwks then
+
+    if conf.public_key or conf.use_jwks then
+        local opts = {}
+        -- Validate token against public key or jwks document of the oidc provider.
+        -- TODO: In the called method, the openidc module will try to extract
+        --  the token by itself again -- from a request header or session cookie.
+        --  It is inefficient that we also need to extract it (just from headers)
+        --  so we can add it in the configured header. Find a way to use openidc
+        --  module's internal methods to extract the token.
         local valid_issuers
         if conf.valid_issuers then
             valid_issuers = conf.valid_issuers
@@ -402,14 +408,6 @@ local function introspect(ctx, conf)
         if valid_issuers then
             opts.valid_issuers = valid_issuers
         end
-    end
-    if conf.public_key or conf.use_jwks then
-        -- Validate token against public key or jwks document of the oidc provider.
-        -- TODO: In the called method, the openidc module will try to extract
-        --  the token by itself again -- from a request header or session cookie.
-        --  It is inefficient that we also need to extract it (just from headers)
-        --  so we can add it in the configured header. Find a way to use openidc
-        --  module's internal methods to extract the token.
         local res, err = openidc.bearer_jwt_verify(conf, opts)
         if err then
             -- Error while validating or token invalid.

diff --git a/t/plugin/jwt-auth2.t b/t/plugin/jwt-auth2.t
@@ -159,7 +159,6 @@ hello world
                             "openid-connect": {
                                 "client_id": "kbyuFDidLLm280LIwVFiazOqjO3ty8KH",
                                 "client_secret": "60Op4HFM0I8ajz0WdiStAbziZ-VFQttXuxixHHs2R7r7-CW8GR79l-mmLqMhc-Sa",
-                                "discovery": "https://samples.auth0.com/.well-known/openid-configuration",
                                 "redirect_uri": "https://iresty.com",
                                 "ssl_verify": false,
                                 "timeout": 10,
@@ -312,7 +311,6 @@ qr/ailed to verify jwt: 'exp' claim expired at/
                             "openid-connect": {
                                 "client_id": "kbyuFDidLLm280LIwVFiazOqjO3ty8KH",
                                 "client_secret": "60Op4HFM0I8ajz0WdiStAbziZ-VFQttXuxixHHs2R7r7-CW8GR79l-mmLqMhc-Sa",
-                                "discovery": "https://samples.auth0.com/.well-known/openid-configuration",
                                 "redirect_uri": "https://iresty.com",
                                 "ssl_verify": false,
                                 "timeout": 10,

diff --git a/t/plugin/openid-connect.t b/t/plugin/openid-connect.t
@@ -464,7 +464,6 @@ OIDC introspection failed: Invalid Authorization header format.
                             "openid-connect": {
                                 "client_id": "kbyuFDidLLm280LIwVFiazOqjO3ty8KH",
                                 "client_secret": "60Op4HFM0I8ajz0WdiStAbziZ-VFQttXuxixHHs2R7r7-CW8GR79l-mmLqMhc-Sa",
-                                "discovery": "https://samples.auth0.com/.well-known/openid-configuration",
                                 "redirect_uri": "https://iresty.com",
                                 "ssl_verify": false,
                                 "timeout": 10,
@@ -538,7 +537,6 @@ true
                             "openid-connect": {
                                 "client_id": "kbyuFDidLLm280LIwVFiazOqjO3ty8KH",
                                 "client_secret": "60Op4HFM0I8ajz0WdiStAbziZ-VFQttXuxixHHs2R7r7-CW8GR79l-mmLqMhc-Sa",
-                                "discovery": "https://samples.auth0.com/.well-known/openid-configuration",
                                 "redirect_uri": "https://iresty.com",
                                 "ssl_verify": false,
                                 "timeout": 10,
@@ -604,7 +602,6 @@ x-userinfo: ey.*
                             "openid-connect": {
                                 "client_id": "kbyuFDidLLm280LIwVFiazOqjO3ty8KH",
                                 "client_secret": "60Op4HFM0I8ajz0WdiStAbziZ-VFQttXuxixHHs2R7r7-CW8GR79l-mmLqMhc-Sa",
-                                "discovery": "https://samples.auth0.com/.well-known/openid-configuration",
                                 "redirect_uri": "https://iresty.com",
                                 "ssl_verify": false,
                                 "timeout": 10,
@@ -672,7 +669,6 @@ x-real-ip: 127.0.0.1
                             "openid-connect": {
                                 "client_id": "kbyuFDidLLm280LIwVFiazOqjO3ty8KH",
                                 "client_secret": "60Op4HFM0I8ajz0WdiStAbziZ-VFQttXuxixHHs2R7r7-CW8GR79l-mmLqMhc-Sa",
-                                "discovery": "https://samples.auth0.com/.well-known/openid-configuration",
                                 "redirect_uri": "https://iresty.com",
                                 "ssl_verify": false,
                                 "timeout": 10,