feat(openid-connect): support PAR and DPoP client options #13649

Open
kevinlzw wants to merge 1 commit into apache:master from kevinlzw:feat/openid-connect-par-dpop

@kevinlzw kevinlzw commented Jul 2, 2026

Description

I maintain lua-resty-openidc, and the latest lua-resty-openidc 1.9.0 release added client-side PAR and DPoP support. This PR bumps APISIX to that release and exposes the new client-side OAuth/OIDC options through the openid-connect Plugin.

This PR adds nested APISIX Plugin configuration for:

  • OAuth 2.0 Pushed Authorization Requests (PAR)
  • OAuth 2.0 DPoP proof generation for token and userinfo requests
  • client assertion JWT signing algorithm and audience options

The APISIX Plugin keeps user-facing PAR and DPoP options grouped under par and dpop, then maps them to the flat option names expected by lua-resty-openidc before invoking the library. It also encrypts dpop.private_key in etcd and documents the new options in English and Chinese.

Related to #11219. This PR covers the openid-connect Plugin acting as an OAuth/OIDC client/Relying Party. It does not implement APISIX resource-server-side DPoP proof validation.

Backward compatibility

This change is backward compatible for existing openid-connect Plugin configurations:

  • Existing attributes are not renamed or removed.
  • PAR and DPoP are opt-in and disabled by default.
  • Existing routes keep using the same behavior unless they configure the new par, dpop, or client assertion algorithm attributes.
  • dpop.private_key encryption only affects the new DPoP private-key field.

Which issue(s) this PR fixes:

Related to #11219

Checklist

  • I have explained the need for this PR and the problem it solves
  • I have explained the changes or the new features added to this PR
  • I have added tests corresponding to this change
  • I have updated the documentation to reflect this change
  • I have verified that this change is backward compatible

Tests

  • git -C apisix diff --check
  • LuaJIT bytecode compile check for apisix/plugins/openid-connect.lua
  • prove -I../test-nginx/lib -I./ -r -s t/plugin/openid-connect.t
    • Files=1, Tests=175, Result: PASS
  • make lint was run in a Docker temporary copy of the Windows checkout after normalizing CRLF line endings and installing luacheck in the temporary container:
    • luacheck -q apisix t/lib: 0 warnings / 0 errors in 376 files
    • lj-releng still fails on existing repository-wide line-length/style findings, including pre-existing openid-connect.lua long lines not introduced by this PR.

@kevinlzw kevinlzw marked this pull request as ready for review July 2, 2026 13:45
@dosubot dosubot Bot added the size:L, doc and enhancement labels Jul 2, 2026
@juzhiyuan juzhiyuan requested review from bzp2010 and nic-6443 July 3, 2026 00:15
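
For readers unfamiliar with what "DPoP proof generation for token and userinfo requests" involves, the following added example (not code from this PR, APISIX or lua-resty-openidc) builds ES256 DPoP proofs as defined in RFC 9449 and shows that the proof for a resource request such as userinfo additionally carries the `ath` access-token hash. The function names, the `idp.example` endpoints, the throwaway key and the sample token are assumptions constructed for the illustration; `verifyDpopProof` exists only to self-check the output.

```javascript
// Added illustration of RFC 9449 DPoP proofs; not code from APISIX or lua-resty-openidc.
const nodeCrypto = require("node:crypto");

const b64url = (data) => Buffer.from(data).toString("base64url");

// htu is the request URI without query and fragment (RFC 9449, section 4.2).
function normalizeHtu(url) {
  const u = new URL(url);
  u.search = "";
  u.hash = "";
  return u.toString();
}

// Build a DPoP proof JWT. Pass accessToken for resource requests such as
// userinfo so the proof carries ath = base64url(SHA-256(access token)).
function makeDpopProof(keyPair, method, url, accessToken) {
  const { kty, crv, x, y } = keyPair.publicKey.export({ format: "jwk" });
  const header = { typ: "dpop+jwt", alg: "ES256", jwk: { kty, crv, x, y } };
  const claims = {
    jti: nodeCrypto.randomUUID(),        // unique per proof, lets servers reject replays
    htm: method.toUpperCase(),
    htu: normalizeHtu(url),
    iat: Math.floor(Date.now() / 1000),
  };
  if (accessToken) {
    claims.ath = nodeCrypto.createHash("sha256").update(accessToken).digest("base64url");
  }
  const signingInput = `${b64url(JSON.stringify(header))}.${b64url(JSON.stringify(claims))}`;
  // JWS ES256 needs the raw r||s signature, not the DER encoding.
  const sig = nodeCrypto.sign("sha256", Buffer.from(signingInput),
    { key: keyPair.privateKey, dsaEncoding: "ieee-p1363" });
  return `${signingInput}.${b64url(sig)}`;
}

// Decode a proof and check its signature against the embedded JWK (self-check only).
function verifyDpopProof(proof) {
  const [h, c, s] = proof.split(".");
  const header = JSON.parse(Buffer.from(h, "base64url").toString());
  const claims = JSON.parse(Buffer.from(c, "base64url").toString());
  const publicKey = nodeCrypto.createPublicKey({ key: header.jwk, format: "jwk" });
  const valid = nodeCrypto.verify("sha256", Buffer.from(`${h}.${c}`),
    { key: publicKey, dsaEncoding: "ieee-p1363" }, Buffer.from(s, "base64url"));
  return { valid, header, claims };
}

// Constructed sample: throwaway key, placeholder endpoints and token.
const demoKey = nodeCrypto.generateKeyPairSync("ec", { namedCurve: "P-256" });
const tokenProof = makeDpopProof(demoKey, "post", "https://idp.example/token?x=1");
const userinfoProof = makeDpopProof(demoKey, "GET", "https://idp.example/userinfo", "sample-access-token");
```

The private key never leaves the client; only the public JWK travels in the proof header, which is why the PR's encryption of `dpop.private_key` at rest matters.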