Add config for introspection_endpoint_auth_method (#62)

Add introspection_endpoint_auth_method

README.md

@@ -77,6 +77,7 @@ You also need to set the `KONG_CUSTOM_PLUGINS` environment variable
 | `config.ssl_verify` | false | false | Enable SSL verification to OIDC Provider |
 | `config.session_secret` | | false | Additional parameter, which is used to encrypt the session cookie. Needs to be random |
 | `config.introspection_endpoint` | | false | Token introspection endpoint |
+| `config.introspection_endpoint_auth_method` | client_secret_basic | false | Token introspection auth method. resty-openidc supports `client_secret_(basic|post)` |
 | `config.bearer_only` | no | false | Only introspect tokens without redirecting |
 | `config.realm` | kong | false | Realm used in WWW-Authenticate response header |
 | `config.logout_path` | /logout | false | Absolute path used to logout from the OIDC RP |

kong/plugins/oidc/schema.lua

@@ -5,6 +5,7 @@ return {
     client_secret = { type = "string", required = true },
     discovery = { type = "string", required = true, default = "https://.well-known/openid-configuration" },
     introspection_endpoint = { type = "string", required = false },
+    introspection_endpoint_auth_method = { type = "string", required = false },
     bearer_only = { type = "string", required = true, default = "no" },
     realm = { type = "string", required = true, default = "kong" },
     redirect_uri_path = { type = "string" },

kong/plugins/oidc/utils.lua

@@ -43,6 +43,7 @@ function M.get_options(config, ngx)
     client_secret = config.client_secret,
     discovery = config.discovery,
     introspection_endpoint = config.introspection_endpoint,
+    introspection_endpoint_auth_method = config.introspection_endpoint_auth_method,
     bearer_only = config.bearer_only,
     realm = config.realm,
     redirect_uri_path = config.redirect_uri_path or M.get_redirect_uri_path(ngx),

test/unit/test_utils.lua

@@ -34,6 +34,7 @@ function TestUtils:testOptions()
     response_type = "code",
     ssl_verify = "no",
     token_endpoint_auth_method = "client_secret_post",
+    introspection_endpoint_auth_method = "client_secret_basic",
     filters = "pattern1,pattern2,pattern3",
     logout_path = "/logout",
     redirect_after_logout_uri = "/login"
@@ -47,6 +48,7 @@ function TestUtils:testOptions()
   lu.assertEquals(opts.response_type, "code")
   lu.assertEquals(opts.ssl_verify, "no")
   lu.assertEquals(opts.token_endpoint_auth_method, "client_secret_post")
+  lu.assertEquals(opts.introspection_endpoint_auth_method, "client_secret_basic")
   lu.assertEquals(opts.redirect_uri_path, "/path/")
   lu.assertEquals(opts.logout_path, "/logout")
   lu.assertEquals(opts.redirect_after_logout_uri, "/login")