apache · shreemaan-abhishek · May 19, 2026
diff --git a/apisix/plugins/openid-connect.lua b/apisix/plugins/openid-connect.lua
@@ -401,7 +401,7 @@ local schema = {
             default = nil,
         }
     },
-    encrypt_fields = {"client_secret", "client_rsa_private_key"},
+    encrypt_fields = {"client_secret", "client_rsa_private_key", "session.redis.password"},
     required = {"client_id", "client_secret", "discovery"}
 }
 

diff --git a/t/plugin/openid-connect2.t b/t/plugin/openid-connect2.t
@@ -1081,3 +1081,86 @@ true
 true
 --- no_error_log
 [alert]
+
+
+
+=== TEST 21: data encryption for session.redis.password
+--- yaml_config
+apisix:
+    data_encryption:
+        enable_encrypt_fields: true
+        keyring:
+            - edd1c9f0985e76a2
+--- config
+    location /t {
+        content_by_lua_block {
+            local json = require("toolkit.json")
+            local t = require("lib.test_admin").test
+            local redis_password = "super-secret-redis-password"
+            local code, body = t('/apisix/admin/routes/1',
+                 ngx.HTTP_PUT,
+                 json.encode({
+                     plugins = {
+                         ["openid-connect"] = {
+                             client_id = "kbyuFDidLLm280LIwVFiazOqjO3ty8KH",
+                             client_secret = "60Op4HFM0I8ajz0WdiStAbziZ-VFQttXuxixHHs2R7r7-CW8GR79l-mmLqMhc-Sa",
+                             discovery = "http://127.0.0.1:1980/.well-known/openid-configuration",
+                             redirect_uri = "https://iresty.com",
+                             ssl_verify = false,
+                             timeout = 10,
+                             scope = "apisix",
+                             use_pkce = false,
+                             session = {
+                                 secret = "jwcE5v3pM9VhqLxmxFOH9uZaLo8u7KQK",
+                                 storage = "redis",
+                                 redis = {
+                                     host = "127.0.0.1",
+                                     port = 6379,
+                                     password = redis_password,
+                                 }
+                             }
+                         }
+                     },
+                     upstream = {
+                         nodes = {
+                             ["127.0.0.1:1980"] = 1
+                         },
+                         type = "roundrobin"
+                     },
+                     uri = "/hello"
+                 })
+            )
+
+            if code >= 300 then
+                ngx.status = code
+                ngx.say(body)
+                return
+            end
+            ngx.sleep(0.1)
+
+            -- get plugin conf from admin api, password is decrypted
+            local code, message, res = t('/apisix/admin/routes/1',
+                ngx.HTTP_GET
+            )
+            res = json.decode(res)
+            if code >= 300 then
+                ngx.status = code
+                ngx.say(message)
+                return
+            end
+
+            local plain_password = res.value.plugins["openid-connect"].session.redis.password
+            ngx.say(plain_password == redis_password)
+
+            -- get plugin conf from etcd, password must be encrypted (not plaintext)
+            local etcd = require("apisix.core.etcd")
+            local etcd_res = assert(etcd.get('/routes/1'))
+            local stored = etcd_res.body.node.value.plugins["openid-connect"].session.redis.password
+            ngx.say(type(stored) == "string" and stored ~= "" and stored ~= redis_password)
+        }
+    }
+--- response_body
+true
+true
+--- no_error_log
+[alert]