Baoyuantop commented on issue #13085: URL: https://github.com/apache/apisix/issues/13085#issuecomment-4035849299
The issue appears to be in the upstream lua-resty-openidc library. APISIX passes configuration directly to openidc.introspect() without manipulating credentials.

https://github.com/zmartzone/lua-resty-openidc/blob/v1.8.0/lib/resty/openidc.lua#L1789-L1811

The code above adds credentials repeatedly to the request body, causing authentication to fail.

Set introspection_endpoint_auth_method to client_secret_post in your APISIX plugin configuration. This avoids the duplicate because call_token_endpoint() doesn't add an Authorization header for client_secret_post, so the body credentials are the only copy — which is correct behavior for that auth method.

{
  "introspection_endpoint_auth_method": "client_secret_post"
}

Awaiting confirmation from the upstream repository: https://github.com/zmartzone/lua-resty-openidc/issues/556

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at: [email protected]
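
An added example, not part of the comment above and not code from APISIX or lua-resty-openidc: a small checker for a captured form-encoded introspection request that flags repeated parameters (RFC 6749 section 3.2) and more than one client authentication method in a single request (RFC 6749 section 2.3). The function name and the sample requests are constructed for illustration, and the exact shape of the failing request is an assumption based on the description in the comment.

```python
import base64
from urllib.parse import parse_qs

def client_auth_findings(headers, body):
    """List client-authentication problems in a form-encoded request."""
    findings = []
    params = parse_qs(body, keep_blank_values=True)
    # RFC 6749 3.2: request parameters MUST NOT be included more than once.
    for name in ("client_id", "client_secret", "token"):
        if len(params.get(name, [])) > 1:
            findings.append(f"repeated parameter: {name}")
    methods = []
    auth = {k.lower(): v for k, v in headers.items()}.get("authorization", "")
    scheme, _, value = auth.partition(" ")
    if scheme.lower() == "basic" and value:
        try:
            base64.b64decode(value, validate=True)
            methods.append("client_secret_basic")
        except ValueError:  # binascii.Error is a ValueError subclass
            findings.append("malformed Basic credentials")
    if "client_secret" in params:
        methods.append("client_secret_post")
    # RFC 6749 2.3: no more than one authentication method per request.
    if len(methods) > 1:
        findings.append("multiple auth methods: " + "+".join(methods))
    if not methods:
        findings.append("no client authentication")
    return findings

# Constructed sample requests; client id, secret and token are placeholders.
FORM = {"Content-Type": "application/x-www-form-urlencoded"}
BASIC = "Basic " + base64.b64encode(b"example-client:example-secret").decode()
BODY = "token=example-token&client_id=example-client&client_secret=example-secret"

# Assumed shape of the failing request: credentials in header and body.
DUPLICATED = ({**FORM, "Authorization": BASIC}, BODY)
# Shape expected with client_secret_post: body credentials only.
POST_ONLY = (FORM, BODY)

if __name__ == "__main__":
    for label, req in (("duplicated", DUPLICATED), ("post only", POST_ONLY)):
        print(label, client_auth_findings(*req) or "ok")
```

Run it against the headers and body recorded at a test introspection endpoint to confirm that the outgoing request carries exactly one copy of the client credentials after changing the auth method.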
