
feat(openid-connect): add set_enc_id_token_header option#13616

Open
luarx wants to merge 1 commit into apache:master from luarx:feat/openid-connect-set-enc-id-token-header


Conversation

luarx commented Jun 26, 2026

Description

Add a new boolean plugin option set_enc_id_token_header (default: false) that, when
enabled, forwards the raw RS256-signed ID token JWT to upstream via the X-Enc-ID-Token
request header.

Unlike the existing X-ID-Token header (which contains base64(JSON(decoded_claims)) with
no cryptographic signature), X-Enc-ID-Token carries the original signed token verifiable
against the identity provider's JWKS endpoint.

Implementation details:

  • The header is cleared at rewrite entry to prevent client injection.
  • When session_contents has been explicitly restricted, the plugin ensures enc_id_token is
    included so the raw JWT is persisted in the session by lua-resty-openidc. When
    session_contents is nil (the default), lua-resty-openidc stores all session data
    including enc_id_token, so no action is needed.
  • Only available in the full OIDC session flow (not in the bearer/introspection path, where
    no session exists).

Which issue(s) this PR fixes:

Fixes #13615

Checklist

  • I have explained the need for this PR and the problem it solves
  • I have explained the changes or the new features added to this PR
  • I have added tests corresponding to this change
  • I have updated the documentation to reflect this change
  • I have verified that this change is backward compatible (If not, please discuss on the
    APISIX mailing list first)

Add a new boolean plugin option `set_enc_id_token_header` (default: false)
that, when enabled, forwards the raw RS256-signed ID token JWT to upstream
services via the `X-Enc-ID-Token` request header.

Unlike the existing `X-ID-Token` header (which contains
`base64(JSON(decoded_claims))` with no cryptographic signature),
`X-Enc-ID-Token` carries the original signed token that can be verified
against the identity provider's JWKS endpoint.

Implementation notes:
- The header is cleared at rewrite entry to prevent client injection.
- When the user has explicitly restricted `session_contents`, the plugin
  automatically adds `enc_id_token` to the list so the raw JWT is
  persisted in the session by lua-resty-openidc.
- When `session_contents` is nil (the default), lua-resty-openidc stores
  all session data including `enc_id_token`, so no action is needed.
- The feature is only available in the full OIDC session flow
  (not in the bearer/introspection path, where no session exists).

Closes apache#13615
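To make the two header formats and the rewrite-phase rules in the description concrete, here is an added Python model of that behaviour; it is not the plugin's Lua code and not part of this PR. The session dict, the constructed JWT with a placeholder signature, and all function names are assumptions.

```python
import base64
import json

# Header names from the PR: X-Enc-ID-Token is new, X-ID-Token already exists.
ENC_HEADER = "X-Enc-ID-Token"   # raw RS256-signed JWT, verifiable against the IdP JWKS
DEC_HEADER = "X-ID-Token"       # base64(JSON(decoded_claims)), carries no signature


def effective_session_contents(session_contents, set_enc_id_token_header):
    """PR rule: nil session_contents means lua-resty-openidc stores everything
    (enc_id_token included); an explicitly restricted list gains enc_id_token."""
    if session_contents is None:
        return None
    if set_enc_id_token_header and "enc_id_token" not in session_contents:
        return list(session_contents) + ["enc_id_token"]
    return list(session_contents)


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_constructed_jwt(claims, kid="constructed-kid"):
    """Constructed compact JWS for offline use; the signature is a placeholder,
    so it is NOT verifiable. A real IdP token carries an RS256 signature."""
    header = b64url_encode(json.dumps({"alg": "RS256", "kid": kid}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.{b64url_encode(b'placeholder-signature')}"


def decode_dec_header(value):
    """What an upstream gets from X-ID-Token: claims only, nothing to verify."""
    return json.loads(base64.b64decode(value))


def build_upstream_headers(client_headers, session, set_enc_id_token_header):
    """Model of the rewrite phase. Client-supplied copies of both headers are
    dropped first (case-insensitively) so a caller cannot inject a token the
    gateway did not issue; values are then set only from the server-side session."""
    drop = {ENC_HEADER.lower(), DEC_HEADER.lower()}
    headers = {k: v for k, v in client_headers.items() if k.lower() not in drop}
    claims = session.get("id_token")            # decoded claims persisted by openidc
    if claims is not None:
        headers[DEC_HEADER] = base64.b64encode(json.dumps(claims).encode()).decode()
    raw = session.get("enc_id_token")           # raw JWT, present only in the session flow
    if set_enc_id_token_header and raw:
        headers[ENC_HEADER] = raw
    return headers
```

An empty session models the bearer/introspection path: neither header is set because there is nothing server-side to set it from.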
@dosubot dosubot Bot added size:L This PR changes 100-499 lines, ignoring generated files. enhancement New feature or request labels Jun 26, 2026

Development

Successfully merging this pull request may close these issues.

feat: As a user, I want the openid-connect plugin to expose the raw signed ID token to upstream for JWKS verification
