help request: Revoking token when sign out using openid-connect plugin

[quantranhong1999]

Description

Hi APISIX community,
I am new to Apache APISIX and studying it, especially the log-out case with an OIDC provider and the openid-connect plugin.

I can see that the openid-connect plugin does caching for token introspection results. However, I do not see any configuration or docs mentioning revoking the cached token (especially helpful for the logout case).

Looking at the lua-resty-openidc which our openid-connect plugin is based on, I can see it supports revoke token as well as a configuration for it called revoke_tokens_on_logout. However, again, I do not see it explicitly declared in our openid-connect plugin.

So, does revoking token on logout work out of the box with our openid-connect plugin?
Do we need to add the configuration to plugin code schema to make it work? If yes, please guide me on contributing this :-)

Cheers.

Environment

Not especially, studying the latest Apache APISIX 3.2.

[kayx23]

Hi there, the option is expected to work. I've added it in a recent PR. You should see it in the docs now: https://apisix.apache.org/docs/apisix/next/plugins/openid-connect

[quantranhong1999]

Hi there, the option is expected to work. I've added it in a recent PR. You should see it in the docs now:

Hi there. Thank a lot!

Does that mean with revoke_tokens_on_logout=true, upon logout the openid-connect plugin within APISIX will invalidate its cached token introspection results as well?

[kayx23]

I believe so. These configuration options previously work with the APISIX OIDC plugin as well, just undocumented. If you configure revoke_tokens_on_logout, it's just passed down to lua-resty-oidc in opts. So I expect the same behaviour.

If you encounter an unexpected behaviour, please open a separate issue.