12 changes: 12 additions & 0 deletions apisix/plugins/openid-connect.lua
Expand Up @@ -179,6 +179,12 @@ local schema = {
type = "boolean",
default = true
},
set_id_token_original_header = {
description = "Whether the ID token should be added in the X-ID-Token-Original header to " ..
"the request for downstream.",
type = "boolean",
default = false
},
set_userinfo_header = {
description = "Whether the user info token should be added in the X-Userinfo " ..
"header to the request for downstream.",
Expand Down Expand Up @@ -728,6 +734,12 @@ function _M.rewrite(plugin_conf, ctx)
core.request.set_header(ctx, "X-ID-Token", ngx.encode_base64(token))
end

-- Add X-ID-Token-Original header, maybe.
if session and session.data and session.data.enc_id_token and conf.set_id_token_original_header then
local token = session.data.enc_id_token
core.request.set_header(ctx, "X-ID-Token-Original", token)
end

-- Add X-Userinfo header, maybe.
if response.user and conf.set_userinfo_header then
core.request.set_header(ctx, "X-Userinfo",
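Review bot: The new `X-ID-Token-Original` header at L24 forwards the raw signed ID token to the upstream, but when the condition at L22 is false nothing removes a client-supplied `X-ID-Token-Original`, so unless the plugin clears incoming headers somewhere outside this hunk, an upstream that trusts the header can be handed an attacker-chosen token; an `else` branch that drops it (via `core.request.set_header` with a nil value if that is supported, otherwise `ngx.req.clear_header("X-ID-Token-Original")`) would close that gap. The schema default at L12 is `false` while the documentation table in this commit lists the default as `true`, and the expected configuration dump in the test file reports `"set_id_token_original_header":true`; if that test relies on schema defaults, one of these is wrong. Since the value is a usable signed credential, the schema description should also warn that it must only be enabled when the upstream is trusted and the hop is protected, e.g. `description = "Whether the raw signed ID token should be added in the X-ID-Token-Original header for the upstream; only enable for trusted upstreams over a protected connection."`. `_M.rewrite` begins and ends outside this hunk.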
1 change: 1 addition & 0 deletions docs/en/latest/plugins/openid-connect.md
Expand Up @@ -61,6 +61,7 @@ The `openid-connect` Plugin supports the integration with [OpenID Connect (OIDC)
| set_access_token_header | boolean | False | true | | If true, set the access token in a request header. By default, the `X-Access-Token` header is used. |
| access_token_in_authorization_header | boolean | False | false | | If true and if `set_access_token_header` is also true, set the access token in the `Authorization` header. |
| set_id_token_header | boolean | False | true | | If true and if the ID token is available, set the value in the `X-ID-Token` request header. |
| set_id_token_original_header | boolean | False | true | | If true and if the ID token is available, set the value in the `X-ID-Token-Original` request header. This header contains the original ID-Token with JWS signature and Headers (in contrast to the `X-ID-Token` header). |
| set_userinfo_header | boolean | False | true | | If true and if user info data is available, set the value in the `X-Userinfo` request header. |
| set_refresh_token_header | boolean | False | false | | If true and if the refresh token is available, set the value in the `X-Refresh-Token` request header. |
| session | object | False | | | Session configuration used when `bearer_only` is `false` and the Plugin uses Authorization Code flow. |
Expand Down
4 changes: 3 additions & 1 deletion t/plugin/openid-connect.t
Expand Up @@ -203,6 +203,7 @@ true
"introspection_endpoint": "http://127.0.0.1:8080/realms/University/protocol/openid-connect/token/introspect",
"set_access_token_header": true,
"access_token_in_authorization_header": false,
"set_id_token_original_header": true,
"set_id_token_header": true,
"set_userinfo_header": true,
"set_refresh_token_header": true
Expand Down Expand Up @@ -281,6 +282,7 @@ host: 127.0.0.1:1984
user-agent: .*
x-access-token: ey.*
x-id-token: ey.*
x-id-token-original: ey.*\..*\..*
x-real-ip: 127.0.0.1
x-refresh-token: ey.*
x-userinfo: ey.*
Expand Down Expand Up @@ -917,7 +919,7 @@ OIDC introspection failed: invalid token
}
}
--- response_body
{"accept_none_alg":false,"accept_unsupported_alg":true,"access_token_expires_leeway":0,"access_token_in_authorization_header":false,"bearer_only":false,"client_id":"kbyuFDidLLm280LIwVFiazOqjO3ty8KH","client_jwt_assertion_expires_in":60,"client_secret":"60Op4HFM0I8ajz0WdiStAbziZ-VFQttXuxixHHs2R7r7-CW8GR79l-mmLqMhc-Sa","discovery":"http://127.0.0.1:1980/.well-known/openid-configuration","force_reauthorize":false,"iat_slack":120,"introspection_endpoint_auth_method":"client_secret_basic","introspection_interval":0,"jwk_expires_in":86400,"jwt_verification_cache_ignore":false,"logout_path":"/logout","realm":"apisix","renew_access_token_on_expiry":true,"revoke_tokens_on_logout":false,"scope":"openid","set_access_token_header":true,"set_id_token_header":true,"set_refresh_token_header":false,"set_userinfo_header":true,"ssl_verify":false,"timeout":3,"token_endpoint_auth_method":"client_secret_basic","unauth_action":"auth","use_nonce":false,"use_pkce":false}
{"accept_none_alg":false,"accept_unsupported_alg":true,"access_token_expires_leeway":0,"access_token_in_authorization_header":false,"bearer_only":false,"client_id":"kbyuFDidLLm280LIwVFiazOqjO3ty8KH","client_jwt_assertion_expires_in":60,"client_secret":"60Op4HFM0I8ajz0WdiStAbziZ-VFQttXuxixHHs2R7r7-CW8GR79l-mmLqMhc-Sa","discovery":"http://127.0.0.1:1980/.well-known/openid-configuration","force_reauthorize":false,"iat_slack":120,"introspection_endpoint_auth_method":"client_secret_basic","introspection_interval":0,"jwk_expires_in":86400,"jwt_verification_cache_ignore":false,"logout_path":"/logout","realm":"apisix","renew_access_token_on_expiry":true,"revoke_tokens_on_logout":false,"scope":"openid","set_access_token_header":true,"set_id_token_header":true,"set_id_token_original_header":true,"set_refresh_token_header":false,"set_userinfo_header":true,"ssl_verify":false,"timeout":3,"token_endpoint_auth_method":"client_secret_basic","unauth_action":"auth","use_nonce":false,"use_pkce":false}


