From 2fc83975f9ad5083d8f71aebf66cb4ddd96e7228 Mon Sep 17 00:00:00 2001
From: Abhishek Choudhary
Date: Tue, 19 May 2026 17:17:12 +0800
Subject: [PATCH] fix(openid-connect): encrypt session.redis.password at rest

The Redis-backed session storage introduced in 3.16.0 added a `session.redis.password` field. Unlike `client_secret`, this field was not included in `encrypt_fields`, so the Redis password was persisted in plaintext in etcd and surfaced through backups, snapshots, and diagnostic exports. Add `session.redis.password` to `encrypt_fields` so it follows the same encryption path that already protects `client_secret` and `client_rsa_private_key`.
---
 apisix/plugins/openid-connect.lua | 2 +-
 t/plugin/openid-connect2.t | 83 +++++++++++++++++++++++++++++++
 2 files changed, 84 insertions(+), 1 deletion(-)

diff --git a/apisix/plugins/openid-connect.lua b/apisix/plugins/openid-connect.lua
index 3ecf9d246f0f..6d7022da1fc7 100644
--- a/apisix/plugins/openid-connect.lua
+++ b/apisix/plugins/openid-connect.lua
@@ -401,7 +401,7 @@ local schema = {
 default = nil, } },
- encrypt_fields = {"client_secret", "client_rsa_private_key"},
+ encrypt_fields = {"client_secret", "client_rsa_private_key", "session.redis.password"},
 required = {"client_id", "client_secret", "discovery"} }
diff --git a/t/plugin/openid-connect2.t b/t/plugin/openid-connect2.t
index e4760a11d349..b7877ac33255 100644
--- a/t/plugin/openid-connect2.t
+++ b/t/plugin/openid-connect2.t
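Review bot: The new `encrypt_fields` line still leaves `session.secret` out, although the test in t/plugin/openid-connect2.t shows that field carrying the key that protects the session cookies themselves; unless it is encrypted by some path not visible here, it has the same plaintext-in-etcd exposure the description gives for the Redis password, and the line could read `encrypt_fields = {"client_secret", "client_rsa_private_key", "session.secret", "session.redis.password"},`. A dotted nested path is new to this list, so a comment such as `-- dotted entries name nested fields; keep every secret under session.* listed here` would tell the next maintainer how to extend it. The `local schema = {` table that encloses this line begins before the hunk.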
@@ -1081,3 +1081,86 @@ true
 true
 --- no_error_log
 [alert]
+
+
+
+=== TEST 21: data encryption for session.redis.password
+--- yaml_config
+apisix:
+ data_encryption:
+ enable_encrypt_fields: true
+ keyring:
+ - edd1c9f0985e76a2
+--- config
+ location /t {
+ content_by_lua_block {
+ local json = require("toolkit.json")
+ local t = require("lib.test_admin").test
+ local redis_password = "super-secret-redis-password"
+ local code, body = t('/apisix/admin/routes/1',
+ ngx.HTTP_PUT,
+ json.encode({
+ plugins = {
+ ["openid-connect"] = {
+ client_id = "kbyuFDidLLm280LIwVFiazOqjO3ty8KH",
+ client_secret = "60Op4HFM0I8ajz0WdiStAbziZ-VFQttXuxixHHs2R7r7-CW8GR79l-mmLqMhc-Sa",
+ discovery = "http://127.0.0.1:1980/.well-known/openid-configuration",
+ redirect_uri = "https://iresty.com",
+ ssl_verify = false,
+ timeout = 10,
+ scope = "apisix",
+ use_pkce = false,
+ session = {
+ secret = "jwcE5v3pM9VhqLxmxFOH9uZaLo8u7KQK",
+ storage = "redis",
+ redis = {
+ host = "127.0.0.1",
+ port = 6379,
+ password = redis_password,
+ }
+ }
+ }
+ },
+ upstream = {
+ nodes = {
+ ["127.0.0.1:1980"] = 1
+ },
+ type = "roundrobin"
+ },
+ uri = "/hello"
+ })
+ )
+
+ if code >= 300 then
+ ngx.status = code
+ ngx.say(body)
+ return
+ end
+ ngx.sleep(0.1)
+
+ -- get plugin conf from admin api, password is decrypted
+ local code, message, res = t('/apisix/admin/routes/1',
+ ngx.HTTP_GET
+ )
+ res = json.decode(res)
+ if code >= 300 then
+ ngx.status = code
+ ngx.say(message)
+ return
+ end
+
+ local plain_password = res.value.plugins["openid-connect"].session.redis.password
+ ngx.say(plain_password == redis_password)
+
+ -- get plugin conf from etcd, password must be encrypted (not plaintext)
+ local etcd = require("apisix.core.etcd")
+ local etcd_res = assert(etcd.get('/routes/1'))
+ local stored = etcd_res.body.node.value.plugins["openid-connect"].session.redis.password
+ ngx.say(type(stored) == "string" and stored ~= "" and stored ~= redis_password)
+ }
+ }
+--- response_body
+true
+true
+---
no_error_log
+[alert]
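Review bot: The etcd-side assertion on the `local stored` lines only checks that the stored value is a non-empty string different from the plaintext, so a value that was truncated, hashed, or otherwise mangled by a bug would pass exactly like a correct ciphertext. With a fixed keyring the ciphertext is reproducible, so if this file's existing data-encryption test for `client_secret` compares against a literal, mirroring it here with `ngx.say(stored)` and the expected value under `--- response_body` pins the real behaviour; otherwise decrypting `stored` back and comparing it to `redis_password` would. The second `local code, message, res` shadows the earlier `code`, which is harmless but easy to misread with the two error branches sitting so close together.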