Posted to notifications@apisix.apache.org by "quantranhong1999 (via GitHub)" <gi...@apache.org> on 2023/04/03 09:55:08 UTC

[GitHub] [apisix] quantranhong1999 opened a new issue, #9227: help request: Revoking token when sign out using openid-connect plugin

quantranhong1999 opened a new issue, #9227:
URL: https://github.com/apache/apisix/issues/9227

   ### Description
   
   Hi APISIX community,
   I am new to Apache APISIX and studying it, especially the log-out case with an OIDC provider and the `openid-connect` plugin.
   
   I can see that the `openid-connect` plugin does caching for token introspection results. However, I do not see any configuration or docs mentioning revoking the cached token (especially helpful for the logout case).
   
   Looking at the [lua-resty-openidc](https://github.com/zmartzone/lua-resty-openidc) which our `openid-connect` plugin is based on, I can see it supports revoking tokens as well as a configuration for it called `revoke_tokens_on_logout`. However, again, I do not see it explicitly declared in our `openid-connect` plugin.
   
   So, does revoking tokens on logout work out of the box with our `openid-connect` plugin?
   Do we need to add the configuration to [plugin code schema](https://github.com/apache/apisix/blob/master/apisix/plugins/openid-connect.lua#L30) to make it work? If yes, please guide me on contributing this :-)
   
   Cheers.
   
   
   ### Environment
   
   Not especially, studying the latest Apache APISIX 3.2.
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscribe@apisix.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


Re: [I] help request: Revoking token when sign out using openid-connect plugin [apisix]

Posted by "kayx23 (via GitHub)" <gi...@apache.org>.
kayx23 closed issue #9227: help request: Revoking token when sign out using openid-connect plugin
URL: https://github.com/apache/apisix/issues/9227




Re: [I] help request: Revoking token when sign out using openid-connect plugin [apisix]

Posted by "kayx23 (via GitHub)" <gi...@apache.org>.
kayx23 commented on issue #9227:
URL: https://github.com/apache/apisix/issues/9227#issuecomment-1857699868

   I believe so. These configuration options previously worked with the APISIX OIDC plugin as well, just undocumented. If you configure `revoke_tokens_on_logout`, it's just passed down to `lua-resty-openidc` in `opts`. So I expect the same behaviour.
   
   If you encounter an unexpected behaviour, please open a separate issue.




Re: [I] help request: Revoking token when sign out using openid-connect plugin [apisix]

Posted by "kayx23 (via GitHub)" <gi...@apache.org>.
kayx23 commented on issue #9227:
URL: https://github.com/apache/apisix/issues/9227#issuecomment-1857656135

   Hi there, the option is expected to work. I've added it in a recent PR. You should see it in the docs now: https://apisix.apache.org/docs/apisix/next/plugins/openid-connect




Re: [I] help request: Revoking token when sign out using openid-connect plugin [apisix]

Posted by "quantranhong1999 (via GitHub)" <gi...@apache.org>.
quantranhong1999 commented on issue #9227:
URL: https://github.com/apache/apisix/issues/9227#issuecomment-1857689796

   > Hi there, the option is expected to work. I've added it in a recent PR. You should see it in the docs now:
   
   Hi there. Thanks a lot!
   
   Does that mean with `revoke_tokens_on_logout=true`, upon logout the `openid-connect` plugin within APISIX will invalidate its cached token introspection results as well?
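
The concern behind this last question, as an added illustration that is not part of the thread and not code from APISIX or lua-resty-openidc: a gateway that caches introspection results keeps accepting a token revoked at the provider until the cache entry expires, unless logout also purges that entry. It is a generic model and does not show what the plugin actually does on logout; the class names, the 60-second TTL and the token value are constructed.

```python
class IdP:
    """Constructed stand-in for a provider's introspection and revocation endpoints."""
    def __init__(self):
        self.active = set()

    def issue(self, token):
        self.active.add(token)

    def revoke(self, token):
        self.active.discard(token)

    def introspect(self, token):
        return {"active": token in self.active}


class Gateway:
    """Hypothetical gateway with a TTL cache in front of introspection."""
    def __init__(self, idp, ttl, purge_on_logout, clock):
        self.idp, self.ttl, self.clock = idp, ttl, clock
        self.purge_on_logout = purge_on_logout
        self.cache = {}  # token -> (introspection result, expiry time)

    def allow(self, token):
        now = self.clock()
        hit = self.cache.get(token)
        if hit and hit[1] > now:          # fresh cache entry: provider is not asked
            return hit[0]["active"]
        result = self.idp.introspect(token)
        self.cache[token] = (result, now + self.ttl)
        return result["active"]

    def logout(self, token):
        self.idp.revoke(token)            # revocation at the provider
        if self.purge_on_logout:          # local invalidation is a separate step
            self.cache.pop(token, None)


def stale_window(purge_on_logout, ttl=60):
    """Return (accepted just after logout, accepted after the TTL has passed)."""
    now = [0.0]                           # fake clock so the run is deterministic
    idp = IdP()
    idp.issue("tok-constructed")
    gw = Gateway(idp, ttl, purge_on_logout, clock=lambda: now[0])
    gw.allow("tok-constructed")           # warms the cache with active=true
    gw.logout("tok-constructed")
    now[0] = 1.0
    right_after = gw.allow("tok-constructed")
    now[0] = ttl + 1.0
    after_ttl = gw.allow("tok-constructed")
    return right_after, after_ttl
```

Against a real deployment the same check is: send a request with the token, log out, then replay the request before the introspection cache lifetime has elapsed and confirm it is rejected.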

