Skip to content

change(openid-connect): when bearer_only is false, require the user to fill in session.secret #12609

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 7 commits into from
Sep 12, 2025
Merged

change(openid-connect): when bearer_only is false, require the user to fill in session.secret #12609

merged 7 commits into from
Sep 12, 2025

Conversation

@SkyeYoung
Copy link
Member

@SkyeYoung SkyeYoung commented Sep 11, 2025
edited
Loading

Description

This PR is a part of #12603 and is separated out due to breaking changes.

Currently, the openid-connect plugin generates a random value for
conf.session.secret in the check_schema function when both
conditions: "conf.bearer_only is false" and "conf.session does not
exist" are met.

Modifying the user-provided configuration can easily lead to user
confusion, which is clearly not best practice.

This also affects the diff logic in the adc that the apisix ingress
controller depends on.

I believe this generation behavior should be removed. To solve this problem, This PR removed the corresponding code and
instead return an error message, requiring users to fill in the
corresponding configuration themselves.

Which issue(s) this PR fixes:

Fixes #

Checklist

@SkyeYoung SkyeYoung marked this pull request as ready for review September 12, 2025 01:02
@dosubot dosubot bot added size:L This PR changes 100-499 lines, ignoring generated files. enhancement New feature or request labels Sep 12, 2025
SkyeYoung
SkyeYoung commented Sep 12, 2025
View reviewed changes
membphis
membphis approved these changes Sep 12, 2025
View reviewed changes
Copy link
Member

@membphis membphis left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@SkyeYoung SkyeYoung changed the title feat(openid-connect): when bearer_only is false, require the user to fill in session.secret change(openid-connect): when bearer_only is false, require the user to fill in session.secret Sep 12, 2025
@SkyeYoung SkyeYoung merged commit 0b8b5cd into apache:master Sep 12, 2025
46 of 51 checks passed
@SkyeYoung SkyeYoung deleted the young/feat/openid-connect/error-msg-instead-of-generate-secret branch September 12, 2025 10:33
jizhuozhi pushed a commit to jizhuozhi/apisix that referenced this pull request Oct 18, 2025
@SkyeYoung @jizhuozhi
change(openid-connect): when bearer_only is false, require the us…
66b3672 
…er to fill in `session.secret` (apache#12609)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@membphis membphis membphis approved these changes

@bzp2010 bzp2010 bzp2010 approved these changes

@nic-6443 nic-6443 nic-6443 approved these changes

Assignees

No one assigned

Labels

enhancement New feature or request size:L This PR changes 100-499 lines, ignoring generated files.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@SkyeYoung @membphis @bzp2010 @nic-6443