Baoyuantop commented on issue #11015:
URL: https://github.com/apache/apisix/issues/11015#issuecomment-2994693291
The current openid-connect plugin is designed to be incompatible with
consumer-based authentication.

The openid-connect plugin performs authentication based on an external
identity provider and does not rely on the consumer mechanism within APISIX.
After OIDC authentication is successful, no APISIX consumer will be created or
associated.

If you want to use OIDC for authentication and implement user-based access
control, you should:

1. Use the openid-connect plugin only at the route level, not in the
   consumer.
2. Use OIDC's built-in access control mechanisms, such as:
   - required_scopes parameter for permission control
   - Authorization based on JWT claims
   - Use a custom plugin to parse user information in the OIDC response

Suppose you need to use both OIDC and consumer mechanisms. In that case, you
can consider developing a custom plugin to create a temporary consumer based on
user information after OIDC authentication succeeds.
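A sketch of the "custom plugin to parse user information" option from the comment above, added here as an example; it is not code from the comment's author or from the APISIX project. The plugin name `oidc-claim-authz`, its `claim` and `allowed` options and its priority are hypothetical, and it assumes openid-connect runs on the same route and passes the user information upstream as a base64-encoded JSON `X-Userinfo` header.

```lua
-- Added example: hypothetical plugin "oidc-claim-authz" (not APISIX project code).
-- Assumption: openid-connect is enabled on the same route and has already set
-- X-Userinfo (base64-encoded JSON) by the time the access phase runs.
local core = require("apisix.core")

local schema = {
    type = "object",
    properties = {
        claim   = { type = "string" },   -- hypothetical option, e.g. "groups"
        allowed = { type = "array", items = { type = "string" }, minItems = 1 },
    },
    required = { "claim", "allowed" },
}

local _M = {
    version  = 0.1,
    priority = 90,                       -- hypothetical value for a custom plugin
    name     = "oidc-claim-authz",       -- hypothetical name
    schema   = schema,
}

function _M.check_schema(conf)
    return core.schema.check(schema, conf)
end

-- True when the claim (a single value or a list) contains an allowed value.
local function claim_matches(value, allowed)
    local values = type(value) == "table" and value or { value }
    for _, v in ipairs(values) do
        for _, a in ipairs(allowed) do
            if v == a then return true end
        end
    end
    return false
end

function _M.access(conf, ctx)
    local raw = core.request.header(ctx, "X-Userinfo")
    -- A repeated header arrives as a table; treat anything but one string as invalid.
    local decoded = type(raw) == "string" and ngx.decode_base64(raw)
    local userinfo = decoded and core.json.decode(decoded)
    if type(userinfo) ~= "table" then
        -- Fail closed: no usable identity reached this plugin.
        return 401, { message = "missing or invalid OIDC user information" }
    end
    if not claim_matches(userinfo[conf.claim], conf.allowed) then
        return 403, { message = "claim '" .. conf.claim .. "' not authorized" }
    end
end

return _M
```

Enable it only on routes where openid-connect is also configured, so that the header it reads is always the one the OIDC plugin wrote.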