diff --git a/apisix/plugins/openid-connect.lua b/apisix/plugins/openid-connect.lua
index 759e0c608f48..b8533ba93d19 100644
--- a/apisix/plugins/openid-connect.lua
+++ b/apisix/plugins/openid-connect.lua
@@ -179,6 +179,12 @@ local schema = {
 type = "boolean",
 default = true
 },
+ set_id_token_original_header = {
+ description = "Whether the ID token should be added in the X-ID-Token-Original header to " ..
+ "the request for downstream.",
+ type = "boolean",
+ default = false
+ },
 set_userinfo_header = {
 description = "Whether the user info token should be added in the X-Userinfo " ..
 "header to the request for downstream.",
@@ -728,6 +734,12 @@ function _M.rewrite(plugin_conf, ctx)
 core.request.set_header(ctx, "X-ID-Token", ngx.encode_base64(token))
 end
 
+ -- Add X-ID-Token-Original header, maybe.
+ if session and session.data and session.data.enc_id_token and conf.set_id_token_original_header then
+ local token = session.data.enc_id_token
+ core.request.set_header(ctx, "X-ID-Token-Original", token)
+ end
+
 -- Add X-Userinfo header, maybe.
 if response.user and conf.set_userinfo_header then
 core.request.set_header(ctx, "X-Userinfo",
diff --git a/docs/en/latest/plugins/openid-connect.md b/docs/en/latest/plugins/openid-connect.md
index 86c3395f0782..3eb6503113a2 100644
--- a/docs/en/latest/plugins/openid-connect.md
+++ b/docs/en/latest/plugins/openid-connect.md
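Review bot: The schema entry sets `default = false` for `set_id_token_original_header`, but the row added to docs/en/latest/plugins/openid-connect.md in the same commit lists the default as `true`, and the expected `response_body` in t/plugin/openid-connect.t (hunk at line 917) prints `"set_id_token_original_header":true` for a route whose configuration is not visible here; at least one of the three disagrees with the schema. Forwarding the complete signed token to the upstream is the more privileged behaviour, so keeping `default = false` and correcting the docs row to `| set_id_token_original_header | boolean | False | false | | ...` looks like the safer resolution unless opt-out was intended. The description string could also say what is actually forwarded, e.g. `description = "Whether the original, signed ID token (JWS compact form) should be added in the X-ID-Token-Original header to the request for downstream."`.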
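Review bot: The new `X-ID-Token-Original` header is only ever set, never cleared: when the option is off, or the session has no `enc_id_token`, a client-supplied `X-ID-Token-Original` header reaches the upstream untouched, so an upstream that treats it as a gateway-verified identity can be fed an arbitrary value by the caller. The existing `X-ID-Token`/`X-Userinfo` blocks follow the same set-only pattern, but this header carries a complete signed JWT that looks authoritative, which makes the pass-through more consequential; unless inbound `X-*` headers are stripped somewhere outside this hunk, consider clearing it on the negative path, e.g. `core.request.set_header(ctx, "X-ID-Token-Original", nil)` (or the equivalent clear call). Two smaller points: the guard reads the token from `session.data` while the neighbouring `X-ID-Token` block reads `response.id_token`, so wherever `session` is nil (presumably the `bearer_only` path; where `session` is produced is not visible here) the header is silently skipped although the docs promise it whenever an ID token is available — a comment such as `-- only available from the session (authorization code flow), not for bearer tokens` would make that explicit; and the `local token` temporary can be dropped by passing `session.data.enc_id_token` directly. `_M.rewrite` starts and ends outside the hunk.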
@@ -61,6 +61,7 @@ The `openid-connect` Plugin supports the integration with [OpenID Connect (OIDC)
 | set_access_token_header | boolean | False | true | | If true, set the access token in a request header. By default, the `X-Access-Token` header is used. |
 | access_token_in_authorization_header | boolean | False | false | | If true and if `set_access_token_header` is also true, set the access token in the `Authorization` header. |
 | set_id_token_header | boolean | False | true | | If true and if the ID token is available, set the value in the `X-ID-Token` request header. |
+| set_id_token_original_header | boolean | False | true | | If true and if the ID token is available, set the value in the `X-ID-Token-Original` request header. This header contains the original ID-Token with JWS signature and Headers (in contrast to the `X-ID-Token` header). |
 | set_userinfo_header | boolean | False | true | | If true and if user info data is available, set the value in the `X-Userinfo` request header. |
 | set_refresh_token_header | boolean | False | false | | If true and if the refresh token is available, set the value in the `X-Refresh-Token` request header. |
 | session | object | False | | | Session configuration used when `bearer_only` is `false` and the Plugin uses Authorization Code flow. |
diff --git a/t/plugin/openid-connect.t b/t/plugin/openid-connect.t
index 54fdc8097e63..2fd93fe30320 100644
--- a/t/plugin/openid-connect.t
+++ b/t/plugin/openid-connect.t
@@ -203,6 +203,7 @@ true
 "introspection_endpoint": "http://127.0.0.1:8080/realms/University/protocol/openid-connect/token/introspect",
 "set_access_token_header": true,
 "access_token_in_authorization_header": false,
+ "set_id_token_original_header": true,
 "set_id_token_header": true,
 "set_userinfo_header": true,
 "set_refresh_token_header": true
@@ -281,6 +282,7 @@ host: 127.0.0.1:1984
 user-agent: .*
 x-access-token: ey.*
 x-id-token: ey.*
+x-id-token-original: ey.*\..*\..*
 x-real-ip: 127.0.0.1
 x-refresh-token: ey.*
 x-userinfo: ey.*
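Review bot: The expectation `x-id-token-original: ey.*\..*\..*` only checks that some three-segment value starting with `ey` reaches the upstream, and the single test that touches the option (the hunk at line 203 enables it) covers the enabled path; nothing asserts what happens when `set_id_token_original_header` is left at its default, which is exactly the case where a client-supplied `X-ID-Token-Original` header would otherwise pass through. A second case with the option unset, sending `X-ID-Token-Original: forged-value` from the client and asserting what the upstream receives, would pin whichever behaviour is intended. Optionally the enabled case could compare the forwarded value against the ID token obtained at login rather than only its shape.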
@@ -917,7 +919,7 @@ OIDC introspection failed: invalid token
 }
 }
 --- response_body
-{"accept_none_alg":false,"accept_unsupported_alg":true,"access_token_expires_leeway":0,"access_token_in_authorization_header":false,"bearer_only":false,"client_id":"kbyuFDidLLm280LIwVFiazOqjO3ty8KH","client_jwt_assertion_expires_in":60,"client_secret":"60Op4HFM0I8ajz0WdiStAbziZ-VFQttXuxixHHs2R7r7-CW8GR79l-mmLqMhc-Sa","discovery":"http://127.0.0.1:1980/.well-known/openid-configuration","force_reauthorize":false,"iat_slack":120,"introspection_endpoint_auth_method":"client_secret_basic","introspection_interval":0,"jwk_expires_in":86400,"jwt_verification_cache_ignore":false,"logout_path":"/logout","realm":"apisix","renew_access_token_on_expiry":true,"revoke_tokens_on_logout":false,"scope":"openid","set_access_token_header":true,"set_id_token_header":true,"set_refresh_token_header":false,"set_userinfo_header":true,"ssl_verify":false,"timeout":3,"token_endpoint_auth_method":"client_secret_basic","unauth_action":"auth","use_nonce":false,"use_pkce":false}
+{"accept_none_alg":false,"accept_unsupported_alg":true,"access_token_expires_leeway":0,"access_token_in_authorization_header":false,"bearer_only":false,"client_id":"kbyuFDidLLm280LIwVFiazOqjO3ty8KH","client_jwt_assertion_expires_in":60,"client_secret":"60Op4HFM0I8ajz0WdiStAbziZ-VFQttXuxixHHs2R7r7-CW8GR79l-mmLqMhc-Sa","discovery":"http://127.0.0.1:1980/.well-known/openid-configuration","force_reauthorize":false,"iat_slack":120,"introspection_endpoint_auth_method":"client_secret_basic","introspection_interval":0,"jwk_expires_in":86400,"jwt_verification_cache_ignore":false,"logout_path":"/logout","realm":"apisix","renew_access_token_on_expiry":true,"revoke_tokens_on_logout":false,"scope":"openid","set_access_token_header":true,"set_id_token_header":true,"set_id_token_original_header":true,"set_refresh_token_header":false,"set_userinfo_header":true,"ssl_verify":false,"timeout":3,"token_endpoint_auth_method":"client_secret_basic","unauth_action":"auth","use_nonce":false,"use_pkce":false}