Description
Summary
The openid-connect plugin currently exposes the ID token via the X-ID-Token header, which
contains base64(JSON(decoded_claims)). This representation carries no cryptographic
signature and cannot be verified by downstream services.
Problem
Downstream services that need to verify the identity of the caller cannot use X-ID-Token
for this purpose — the token is already decoded and stripped of its signature. The only way
to cryptographically verify the caller's identity is to have access to the original
RS256-signed JWT from the identity provider, verifiable against the provider's JWKS endpoint.
Proposed Solution
enabled, forwards the raw signed ID token JWT to upstream via the X-Enc-ID-Token request
header.
Key design points:
- The header is cleared at rewrite entry to prevent client-supplied values from bleeding
through.
- When
session_contents is explicitly restricted by the user, the plugin automatically
ensures enc_id_token is included so the raw JWT is persisted in the session by
lua-resty-openidc.
- Only available in the full OIDC session flow (not in bearer/introspection path).
Use Case
A backend service sits behind an APISIX route protected by the openid-connect plugin. The
service reads X-Enc-ID-Token, verifies the RS256 signature against the identity provider's
JWKS endpoint, and extracts claims to enforce access control (e.g. restricting access to
users from a specific domain).
Description
Summary
The
openid-connectplugin currently exposes the ID token via theX-ID-Tokenheader, whichcontains
base64(JSON(decoded_claims)). This representation carries no cryptographicsignature and cannot be verified by downstream services.
Problem
Downstream services that need to verify the identity of the caller cannot use
X-ID-Tokenfor this purpose — the token is already decoded and stripped of its signature. The only way
to cryptographically verify the caller's identity is to have access to the original
RS256-signed JWT from the identity provider, verifiable against the provider's JWKS endpoint.
Proposed Solution
enabled, forwards the raw signed ID token JWT to upstream via the
X-Enc-ID-Tokenrequestheader.
Key design points:
through.
session_contentsis explicitly restricted by the user, the plugin automaticallyensures
enc_id_tokenis included so the raw JWT is persisted in the session bylua-resty-openidc.
Use Case
A backend service sits behind an APISIX route protected by the
openid-connectplugin. Theservice reads
X-Enc-ID-Token, verifies the RS256 signature against the identity provider'sJWKS endpoint, and extracts claims to enforce access control (e.g. restricting access to
users from a specific domain).