[plugin/openid-connect] Consider Adding Introspection to Tokens stored in Session #11348
james-mchugh
started this conversation in Ideas
Replies: 2 comments
-
as a dirty solution, this seems to work here: https://github.com/apache/apisix/blob/1a45d1da896d22048b08b1bdc1218a84468a98a2/apisix/plugins/openid-connect.lua#L587C9-L587C25
-
got around to testing this with introspection_interval: 5 and distributed tracing:
- A common application security STIG is to automatically terminate sessions upon account deletion. A typical way of implementing this is to utilize token introspection to see if a user's token is still active whenever a request is sent (possibly with some TTL cache in place).

This currently works fine for bearer-only authentication, but it does not work for the relying party flow. Even with introspection configured with a low introspection_interval (5 seconds, for example), a deleted user's session in APISIX will not end until the token expires and has to be refreshed.

Looking at the lua-resty-openidc plugin, the `openidc.authenticate` method for the relying party flow returns the access token. It should be possible to pass this back to `openidc.introspect` to introspect it if introspection is enabled. This would allow tokens stored in the session to also benefit from token introspection.
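The behaviour the post asks for, as an added example that is not APISIX or lua-resty-openidc code: a relying-party session keeps the access token and re-checks it against an RFC 7662 introspection endpoint once `introspection_interval` seconds have passed since the last check, ending the session as soon as the identity provider reports the token inactive (for instance because the account was deleted) rather than waiting for token expiry. `SessionGuard`, `Session`, `simulate` and the in-memory `introspect` stand-in for the identity provider are all constructed for this illustration; a real deployment would call the provider's introspection endpoint with client credentials and tie termination to the session cookie.

```python
"""Re-introspection of a session-bound access token on a fixed interval."""
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Shape of an RFC 7662 introspection call: token -> response dict ({"active": bool, ...}).
Introspector = Callable[[str], Dict]


@dataclass
class Session:
    access_token: str
    token_expires_at: float      # absolute time (seconds) the token itself expires
    last_introspected: float     # absolute time of the last introspection call
    active: bool = True          # False once the guard has terminated the session


class SessionGuard:
    """Authorizes requests carried by a session and re-introspects on an interval."""

    def __init__(self, introspect: Introspector, introspection_interval: float,
                 clock: Callable[[], float] = time.time):
        self.introspect = introspect
        self.interval = introspection_interval
        self.clock = clock
        self.sessions: Dict[str, Session] = {}

    def login(self, session_id: str, access_token: str, token_expires_at: float) -> None:
        # The token was just issued by the provider, so count login as a fresh check.
        now = self.clock()
        self.sessions[session_id] = Session(access_token, token_expires_at, last_introspected=now)

    def authorize(self, session_id: str) -> bool:
        """Return True if the request may proceed; False means the session has ended."""
        sess = self.sessions.get(session_id)
        if sess is None or not sess.active:
            return False
        now = self.clock()
        if now >= sess.token_expires_at:
            self._terminate(sess)
            return False
        # Cached verdict is trusted only for `interval` seconds; after that ask the provider again.
        if now - sess.last_introspected >= self.interval:
            response = self.introspect(sess.access_token)
            sess.last_introspected = now
            if not response.get("active", False):   # revoked, expired, or account gone
                self._terminate(sess)
                return False
        return True

    @staticmethod
    def _terminate(sess: Session) -> None:
        # Where a gateway would invalidate the session cookie; here we just flag it.
        sess.active = False


def simulate(introspection_interval: float = 5.0) -> List[Tuple[float, bool]]:
    """Constructed scenario: login at t=0, account deleted at t=3, requests at fixed times.

    Returns (time, authorized) pairs so the effect of the interval is visible.
    """
    now = [0.0]                      # controllable clock for a deterministic run
    revoked = set()                  # tokens the (fake) provider now reports inactive

    def introspect(token: str) -> Dict:
        # Minimal stand-in for an RFC 7662 endpoint; never consulted unless the guard asks.
        return {"active": token not in revoked}

    guard = SessionGuard(introspect, introspection_interval, clock=lambda: now[0])
    guard.login("sid-1", "tok-abc", token_expires_at=3600.0)   # token valid for an hour

    decisions = []
    for t in (1.0, 3.0, 4.0, 6.0, 7.0):
        now[0] = t
        if t == 3.0:
            revoked.add("tok-abc")   # account deleted at the provider
        decisions.append((t, guard.authorize("sid-1")))
    return decisions


if __name__ == "__main__":
    for t, ok in simulate(5.0):
        print(f"t={t:>4}  authorized={ok}")
```

With the 5-second interval the deletion at t=3 is only noticed at t=6, the first request after the cached verdict ages out; with `introspection_interval=0` every request is introspected and the session ends on the t=3 request itself. The TTL trades provider load against how long a deleted account's session can linger, which is the same trade-off the post describes for the bearer-only path.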