diff --git a/apisix/plugins/openid-connect.lua b/apisix/plugins/openid-connect.lua
index 3f45a5b1571a..957aba1b13db 100644
--- a/apisix/plugins/openid-connect.lua
+++ b/apisix/plugins/openid-connect.lua
@@ -383,9 +383,15 @@ local function introspect(ctx, conf)
 return nil, nil, nil, nil
 end
 end
- local opts = {}
- -- If we get here, token was found in request.
- if conf.use_jwks then
+
+ if conf.public_key or conf.use_jwks then
+ local opts = {}
+ -- Validate token against public key or jwks document of the oidc provider.
+ -- TODO: In the called method, the openidc module will try to extract
+ -- the token by itself again -- from a request header or session cookie.
+ -- It is inefficient that we also need to extract it (just from headers)
+ -- so we can add it in the configured header. Find a way to use openidc
+ -- module's internal methods to extract the token.
 local valid_issuers
 if conf.valid_issuers then
 valid_issuers = conf.valid_issuers
@@ -402,14 +408,6 @@ local function introspect(ctx, conf)
 if valid_issuers then
 opts.valid_issuers = valid_issuers
 end
- end
- if conf.public_key or conf.use_jwks then
- -- Validate token against public key or jwks document of the oidc provider.
- -- TODO: In the called method, the openidc module will try to extract
- -- the token by itself again -- from a request header or session cookie.
- -- It is inefficient that we also need to extract it (just from headers)
- -- so we can add it in the configured header. Find a way to use openidc
- -- module's internal methods to extract the token.
 local res, err = openidc.bearer_jwt_verify(conf, opts)
 if err then
 -- Error while validating or token invalid.
diff --git a/t/plugin/jwt-auth2.t b/t/plugin/jwt-auth2.t
index 965771197271..aa4bd3085aa6 100644
--- a/t/plugin/jwt-auth2.t
+++ b/t/plugin/jwt-auth2.t
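Review bot: Nothing in this hunk shows what `valid_issuers` becomes when `conf.valid_issuers` is unset, yet the widened guard `if conf.public_key or conf.use_jwks then` now sends static `public_key` routes through the issuer resolution too. The else branch lies outside the hunk; if it can leave `valid_issuers` nil (for instance when no discovery document is configured, as in the test configs this commit edits), the later `if valid_issuers then` skips `opts.valid_issuers` and the token is presumably verified without any issuer restriction. I would make that case visible rather than silent, e.g. `core.log.warn("openid-connect: no valid_issuers resolved, token issuer will not be restricted")`, and note in the plugin docs that `valid_issuers` should be set alongside `public_key`.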
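Review bot: After this hunk the call `local res, err = openidc.bearer_jwt_verify(conf, opts)` has no comment next to it, because the description and the TODO about double token extraction moved to the top of the block, above the issuer handling they do not describe. I would leave a one-line comment at the call site, e.g. `-- Validate the bearer token against the public key or JWKS; opts carries valid_issuers when one was resolved.` The error handling that follows `if err then` continues outside the hunk.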
@@ -159,7 +159,6 @@ hello world
 "openid-connect": {
 "client_id": "kbyuFDidLLm280LIwVFiazOqjO3ty8KH",
 "client_secret": "60Op4HFM0I8ajz0WdiStAbziZ-VFQttXuxixHHs2R7r7-CW8GR79l-mmLqMhc-Sa",
- "discovery": "https://samples.auth0.com/.well-known/openid-configuration",
 "redirect_uri": "https://iresty.com",
 "ssl_verify": false,
 "timeout": 10,
@@ -312,7 +311,6 @@ qr/ailed to verify jwt: 'exp' claim expired at/
 "openid-connect": {
 "client_id": "kbyuFDidLLm280LIwVFiazOqjO3ty8KH",
 "client_secret": "60Op4HFM0I8ajz0WdiStAbziZ-VFQttXuxixHHs2R7r7-CW8GR79l-mmLqMhc-Sa",
- "discovery": "https://samples.auth0.com/.well-known/openid-configuration",
 "redirect_uri": "https://iresty.com",
 "ssl_verify": false,
 "timeout": 10,
diff --git a/t/plugin/openid-connect.t b/t/plugin/openid-connect.t
index 427e439ad628..76dd5a50ed5c 100644
--- a/t/plugin/openid-connect.t
+++ b/t/plugin/openid-connect.t
@@ -464,7 +464,6 @@ OIDC introspection failed: Invalid Authorization header format.
 "openid-connect": {
 "client_id": "kbyuFDidLLm280LIwVFiazOqjO3ty8KH",
 "client_secret": "60Op4HFM0I8ajz0WdiStAbziZ-VFQttXuxixHHs2R7r7-CW8GR79l-mmLqMhc-Sa",
- "discovery": "https://samples.auth0.com/.well-known/openid-configuration",
 "redirect_uri": "https://iresty.com",
 "ssl_verify": false,
 "timeout": 10,
@@ -538,7 +537,6 @@ true
 "openid-connect": {
 "client_id": "kbyuFDidLLm280LIwVFiazOqjO3ty8KH",
 "client_secret": "60Op4HFM0I8ajz0WdiStAbziZ-VFQttXuxixHHs2R7r7-CW8GR79l-mmLqMhc-Sa",
- "discovery": "https://samples.auth0.com/.well-known/openid-configuration",
 "redirect_uri": "https://iresty.com",
 "ssl_verify": false,
 "timeout": 10,
@@ -604,7 +602,6 @@ x-userinfo: ey.*
 "openid-connect": {
 "client_id": "kbyuFDidLLm280LIwVFiazOqjO3ty8KH",
 "client_secret": "60Op4HFM0I8ajz0WdiStAbziZ-VFQttXuxixHHs2R7r7-CW8GR79l-mmLqMhc-Sa",
- "discovery": "https://samples.auth0.com/.well-known/openid-configuration",
 "redirect_uri": "https://iresty.com",
 "ssl_verify": false,
 "timeout": 10,
@@ -672,7 +669,6 @@ x-real-ip: 127.0.0.1
 "openid-connect": {
 "client_id": "kbyuFDidLLm280LIwVFiazOqjO3ty8KH",
 "client_secret": "60Op4HFM0I8ajz0WdiStAbziZ-VFQttXuxixHHs2R7r7-CW8GR79l-mmLqMhc-Sa",
- "discovery": "https://samples.auth0.com/.well-known/openid-configuration",
 "redirect_uri": "https://iresty.com",
 "ssl_verify": false,
 "timeout": 10,