feat(openid-connect): add hide_credentials attribute#13510

Open
mikyll wants to merge 5 commits into apache:master from mikyll:issue_13279

Conversation

@mikyll mikyll commented Jun 10, 2026

Contributor

Description

This PR adds a hide_credentials attribute to the openid-connect plugin, mirroring the
behavior already available in other authentication plugins (e.g. key-auth, basic-auth,
hmac-auth).

When hide_credentials is set to true, the inbound Authorization header carrying the
bearer token is cleared after token validation, so the raw credential is not forwarded
to the upstream service. By default it is false, preserving the current behavior of
passing the Authorization header through.

Key details:

  • The header is cleared after validation, because lua-resty-openidc re-reads the
    Authorization header while verifying the token.
  • It works independently of set_access_token_header: when both are enabled, the
    original credential is removed and the validated access token is added back as a fresh,
    plugin-controlled header (X-Access-Token by default).
  • The client-supplied X-Access-Token header is always cleared regardless of this option,
    so a client cannot smuggle an arbitrary access token to the upstream.

Changes:

  • apisix/plugins/openid-connect.lua: new hide_credentials boolean schema field
    (default false) and the corresponding header-clearing logic in rewrite.
  • t/plugin/openid-connect-identity-headers.t: new test suite (8 cases) covering identity
    header handling — unauthenticated passthrough, client-supplied headers not reaching the
    upstream, hide_credentials with set_access_token_header enabled/disabled, and the
    validated-token-vs-client-value distinction.
  • docs/en/latest/plugins/openid-connect.md and docs/zh/latest/plugins/openid-connect.md:
    documented the new attribute.

Which issue(s) this PR fixes:

Fixes #13279

Checklist

  • I have explained the need for this PR and the problem it solves
  • I have explained the changes or the new features added to this PR
  • I have added tests corresponding to this change
  • I have updated the documentation to reflect this change
  • I have verified that this change is backward compatible (If not, please discuss on the APISIX mailing list first)
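The header-handling sequence the description lays out, as an added pure-Lua model; this is not the PR's code (which runs inside APISIX with lua-resty-openidc). The function name `process_headers`, the `validate` callback, the `access_token_header` config field and the plain header table are assumptions made for the example; `hide_credentials` and `set_access_token_header` are the attribute names from the PR.

```lua
-- Added example, not the PR's own code. Models the order of operations the PR
-- describes: validate first, then clear the credential, then re-add the token.
-- headers:  plain table of inbound request headers (real headers are
--           case-insensitive; that is simplified away here)
-- conf:     plugin config with hide_credentials / set_access_token_header
-- validate: function(authorization_value) -> access_token | nil, err
--           (stands in for lua-resty-openidc, which reads Authorization itself)
local function process_headers(headers, conf, validate)
  local access_token, err = validate(headers["Authorization"])
  if not access_token then
    return nil, err
  end

  -- Only now is it safe to drop the inbound credential: the verifier above
  -- re-read the Authorization header while checking the token.
  if conf.hide_credentials then
    headers["Authorization"] = nil
  end

  -- The client-supplied token header is removed unconditionally, so the
  -- upstream never receives a token value the gateway did not validate.
  local token_header = conf.access_token_header or "X-Access-Token" -- assumed field
  headers[token_header] = nil
  if conf.set_access_token_header then
    headers[token_header] = access_token -- fresh, plugin-controlled value
  end
  return headers
end

-- Constructed stand-in verifier: accepts exactly one bearer token.
local function fake_validate(auth)
  local token = auth and auth:match("^Bearer%s+(%S+)$")
  if token == "valid-token" then return token end
  return nil, "missing or invalid bearer token"
end

-- Constructed sample request: valid credential plus a smuggled token header.
local function sample_headers()
  return {
    ["Authorization"]  = "Bearer valid-token",
    ["X-Access-Token"] = "client-chosen-token", -- must never reach upstream
  }
end

local out = assert(process_headers(sample_headers(),
  { hide_credentials = true, set_access_token_header = true }, fake_validate))
assert(out["Authorization"] == nil)            -- credential hidden
assert(out["X-Access-Token"] == "valid-token") -- validated token, not client's

out = assert(process_headers(sample_headers(), { hide_credentials = false }, fake_validate))
assert(out["Authorization"] == "Bearer valid-token") -- default: passthrough kept
assert(out["X-Access-Token"] == nil)                 -- client value still dropped
```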

@mikyll mikyll marked this pull request as ready for review June 10, 2026 15:53
@dosubot dosubot Bot added the size:L This PR changes 100-499 lines, ignoring generated files. label Jun 11, 2026
Development

Successfully merging this pull request may close these issues.

feat: As a user, I want openid-connect to support hide_credentials, so that the bearer token is not forwarded to upstream services that don't need it