
bug: openid-connect plugin not working as expected #12648

@s4ntos

Description


Current Behavior

Version: 3.13.0

While trying to integrate the openid-connect plugin with Microsoft EntraID, the authorization doesn't seem to be working as expected.

We added the configuration for the upstream and it's deployed correctly.

{
  "id": "qual.bogus.com",
  "uri": "/*",
  "hosts": ["qual.bogus.com"],
  "plugins": {
    "openid-connect": {
      "client_id": "xxxx-xxxx-xxxxxxxx",
      "client_secret": "xxxxxxxxxx",
      "discovery": "https://login.microsoftonline.com/xxxxxxxxxxxxx/v2.0/.well-known/openid-configuration",
      "redirect_uri": "https://qual.bogus.com",
      "ssl_verify": true,
      "bearer_only": false,
      "scope": "xxxx-xxxx-xxxxxxxx/.default"
    }
  },
  "upstream": {
    "scheme": "https",
    "type": "roundrobin",
    "nodes": {
      "backend-qual.private.com:443": 1
    }
  }
}

When we go to qual.bogus.com we are correctly redirected to the login.microsoftonline.com page and then redirected back with the code after authentication.

10.71.252.24 - - [02/Oct/2025:13:58:09 +0000] qual.bogus.com "GET /?code=verylarge..........code........thatisrturned&state=c128a1b6e12632e1ea76cde5340984c8&session_state=87d0158a-efd4-4534-81f8-0641a0d828a6 HTTP/1.1" 302 217 0.000 "https://login.microsoftonline.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:143.0) Gecko/20100101 Firefox/143.0" - - - "http://qual.bogus.com"

But the result of this request is a new redirect to the login page, and we are kept in a loop like this.

To test everything we have actually used this code 'verylarge.........code.......thatisreturned' to manually get the token using the Microsoft API, and we are able to get an ACCESS_TOKEN that is usable in further requests to qual.bogus.com through APISIX without any issues. But the final setting of the "Authorization: Bearer $ACCESS_TOKEN" header on the redirect after the authentication on Microsoft Entra ID doesn't seem to be happening.

Expected Behavior

It should be able to log in using the EntraID integration and navigate straightforwardly afterwards.

Error Logs

No Logs or errors found

Steps to Reproduce

  1. This will require a functioning EntraID service in Azure
  2. Create a new Application registration
  3. Create a new route using the plugin: openid-connect and a generic upstream

Environment

  • APISIX version (run apisix version): 3.13.0
  • Operating system (run uname -a): Linux 6.12.40-63.114.amzn2023.aarch64 SMP Thu Aug 7 19:29:27 UTC 2025 aarch64 aarch64 aarch64 GNU/Linux
  • OpenResty / Nginx version (run openresty -V or nginx -V): nginx version: openresty/1.27.1.2
  • etcd version, if relevant (run curl http://127.0.0.1:9090/v1/server_info): v3.6.0 (but also tested in a dedicated deployment)
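An added example (not from the issue or from APISIX) that parses access-log lines in the layout quoted above and flags a client whose OIDC callback request keeps being answered with a 302, the loop the report describes; the sample log lines, placeholder codes and the threshold are constructed, not taken from the reporter's deployment.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Matches the APISIX/OpenResty access-log layout quoted in the issue:
# client - - [time] host "METHOD target PROTO" status bytes ...
LOG_RE = re.compile(
    r'^(?P<client>\S+) - - \[(?P<time>[^\]]+)\] (?P<host>\S+) '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def parse_line(line):
    """Parse one access-log line; return None if it does not match the layout."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    query = parse_qs(urlsplit(rec["target"]).query)
    # The OIDC callback carries the authorization code and the state value.
    rec["is_callback"] = "code" in query and "state" in query
    return rec

def find_callback_loops(lines, threshold=3):
    """Return {(client, host): count} for clients whose callback request was
    answered with a 302 at least `threshold` times. A code that is delivered
    but answered with another redirect was never exchanged for a token, which
    is the loop the report describes. The threshold is an assumed value."""
    counts = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["is_callback"] and rec["status"] == 302:
            counts[(rec["client"], rec["host"])] += 1
    return {key: n for key, n in counts.items() if n >= threshold}

# Constructed sample lines modelled on the one in the report (placeholder codes).
SAMPLE_LOG = [
    '10.71.252.24 - - [02/Oct/2025:13:58:09 +0000] qual.bogus.com "GET /?code=AAA&state=c128a1b6&session_state=87d0158a HTTP/1.1" 302 217 0.000 "https://login.microsoftonline.com/" "Mozilla/5.0" - - - "http://qual.bogus.com"',
    '10.71.252.24 - - [02/Oct/2025:13:58:11 +0000] qual.bogus.com "GET /?code=BBB&state=c128a1b6&session_state=87d0158a HTTP/1.1" 302 217 0.000 "https://login.microsoftonline.com/" "Mozilla/5.0" - - - "http://qual.bogus.com"',
    '10.71.252.24 - - [02/Oct/2025:13:58:13 +0000] qual.bogus.com "GET /?code=CCC&state=c128a1b6&session_state=87d0158a HTTP/1.1" 302 217 0.000 "https://login.microsoftonline.com/" "Mozilla/5.0" - - - "http://qual.bogus.com"',
    # A healthy login: the callback is answered with 200 and the app is reached.
    '10.0.0.9 - - [02/Oct/2025:13:59:00 +0000] qual.bogus.com "GET /?code=DDD&state=ab12cd34 HTTP/1.1" 200 5120 0.210 "https://login.microsoftonline.com/" "Mozilla/5.0" - - - "http://qual.bogus.com"',
    '10.0.0.9 - - [02/Oct/2025:13:59:02 +0000] qual.bogus.com "GET /dashboard HTTP/1.1" 200 812 0.050 "-" "Mozilla/5.0" - - - "http://qual.bogus.com"',
]

if __name__ == "__main__":
    for (client, host), n in find_callback_loops(SAMPLE_LOG).items():
        print(f"{client} -> {host}: {n} callback requests answered with 302")
```

Run it against the real access log (one line per list entry) to confirm whether the callback is being answered with a redirect rather than consumed, which separates a plugin-side callback problem from an IdP-side one.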

Labels: plugin, question