Skip to content

fix: openid foward original id token #12439

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 10 commits into
base: master
Choose a base branch
from
Open

fix: openid foward original id token #12439

wants to merge 10 commits into from

Conversation

cgmEdi
Copy link

@cgmEdi cgmEdi commented Jul 16, 2025
edited
Loading

Description

Issue: #10275 #12438
Summary: add a config option "set original id token header" so that the original id_token that was stored in the sesssion (enc_id_token) gets fowarded as the new header "X-Id-Token-Original".

In my company, we have a use case, where the donwstream needs the original id_token so that it can perform a token exchange.

Which issue(s) this PR fixes:

Fixes #10275 #12438

Checklist

  • I have explained the need for this PR and the problem it solves
  • I have explained the changes or the new features added to this PR
  • I have added tests corresponding to this change
  • I have updated the documentation to reflect this change
  • I have verified that this change is backward compatible (If not, please discuss on the APISIX mailing list first)

@cgmEdi cgmEdi changed the title Feat/openid foward original id token fix: openid foward original id token Jul 16, 2025
@cgmEdi cgmEdi marked this pull request as ready for review July 17, 2025 08:05
@dosubot dosubot bot added size:L This PR changes 100-499 lines, ignoring generated files. enhancement New feature or request labels Jul 17, 2025
@Baoyuantop
Copy link
Contributor

I need to check the original issue before reviewing this PR.

@moonming moonming requested a review from Copilot July 22, 2025 03:15
Copilot
Copilot AI reviewed Jul 22, 2025
View reviewed changes
Copy link

@Copilot Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This PR adds a new configuration option set_id_token_original_header to the OpenID Connect plugin that allows forwarding the original ID token (with JWS signature and headers) in a new X-ID-Token-Original header. This addresses downstream use cases requiring the original token for operations like token exchange.

  • Adds set_id_token_original_header boolean configuration option (defaults to true)
  • Implements logic to set X-ID-Token-Original header with the encrypted ID token from session data
  • Updates documentation and tests to reflect the new functionality

Reviewed Changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.

File Description
apisix/plugins/openid-connect.lua Adds schema definition and header-setting logic for the new set_id_token_original_header option
docs/en/latest/plugins/openid-connect.md Documents the new configuration parameter in the plugin attributes table
t/plugin/openid-connect.t Adds test coverage for the new header functionality and updates expected responses

cgmEdi and others added 2 commits July 22, 2025 14:18
@cgmEdi @Copilot
Update docs/en/latest/plugins/openid-connect.md
5dd43e1 
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
@cgmEdi @Copilot
Update apisix/plugins/openid-connect.lua
98bc714 
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
@TheManWhoStaresAtCode TheManWhoStaresAtCode mentioned this pull request Jul 22, 2025
Open
@Baoyuantop
Copy link
Contributor

Hi @cgmEdi, there is a conflicting file that needs to be resolved.

@dosubot dosubot bot added size:S This PR changes 10-29 lines, ignoring generated files. and removed size:L This PR changes 100-499 lines, ignoring generated files. labels Jul 23, 2025
@cgmEdi
Copy link
Author

cgmEdi commented Jul 23, 2025

Hi @cgmEdi, there is a conflicting file that needs to be resolved.

Hi @Baoyuantop, the conflict is resolved now :).

@Baoyuantop Baoyuantop moved this to 👀 In review in ⚡️ Apache APISIX Roadmap Jul 23, 2025
@Baoyuantop
Copy link
Contributor

Hi @cgmEdi, please fix failed ci.

@Baoyuantop Baoyuantop linked an issue Jul 25, 2025 that may be closed by this pull request
help request: openid-connect plugin X-Id-Token header contains only payload part of JWT #12438
Open
@Baoyuantop
Copy link
Contributor

Hi @cgmEdi, any updates?

@Baoyuantop Baoyuantop moved this from 👀 In review to 📋 Backlog in ⚡️ Apache APISIX Roadmap Jul 29, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

Copilot code review Copilot Copilot left review comments

At least 3 approving reviews are required to merge this pull request.

Assignees

@cgmEdi cgmEdi

Labels
enhancement New feature or request size:S This PR changes 10-29 lines, ignoring generated files.
Projects
⚡️ Apache APISIX Roadmap
Status: 📋 Backlog
Milestone
No milestone
2 participants
@cgmEdi @Baoyuantop