Skip to content

feat(openid-connect): add stateless session revocation options#13651

Open
Hockenba wants to merge 6 commits into
apache:masterfrom
geico:feat/openid-connect-stateless-session-revocation
Open

feat(openid-connect): add stateless session revocation options#13651
Hockenba wants to merge 6 commits into
apache:masterfrom
geico:feat/openid-connect-stateless-session-revocation

Conversation

@Hockenba

@Hockenba Hockenba commented Jul 2, 2026

Copy link
Copy Markdown

Description

Adds session.redis.mode (storage | revocation) and session.revocation_fail_mode (open | closed) to the openid-connect plugin schema and documents them in the English plugin reference.

Session options are passed through to lua-resty-session unchanged; the library loads the Redis denylist when storage is cookie and Redis is configured for revocation. APISIX does not translate config to a revocation=true flag.

Adds t/plugin/openid-connect-revocation.t for schema validation and _build_session_opts passthrough (typical configs, variants, edge cases, and rejection of invalid or deprecated fields).

Depends on bungle/lua-resty-session#208 for runtime revocation behavior.

Checklist

  • I have explained the need for this PR and the problem it solves
  • I have explained the changes or the new features added to this PR
  • I have added tests corresponding to this change
  • I have updated the documentation to reflect this change (en only; zh not included — I only know English)
  • I have verified that this change is backward compatible

Test plan

  • prove t/plugin/openid-connect-revocation.t
    • Typical configs: cookie + redis revocation schema (default revocation_fail_mode=open), passthrough, redis session storage
    • Variants: closed fail mode, omitted redis.mode, cookie-only session
    • Edge cases: mode=storage on cookie, fail mode without redis, storage=redis + mode=revocation schema acceptance
    • Validation: invalid revocation_fail_mode, invalid redis.mode, deprecated session.revocation rejected
  • prove t/plugin/openid-connect*.t (no regressions in existing openid-connect tests)
  • Manual (after lua-resty-session#208): cookie-session logout with session.redis.mode=revocation invalidates the session via Redis denylist

@Hockenba Hockenba changed the title feat(openid-connect): add stateless session revocation via session.redis.mode feat(openid-connect): add stateless session revocation options Jul 2, 2026
@Hockenba
Hockenba marked this pull request as ready for review July 2, 2026 17:42
@dosubot dosubot Bot added size:XL This PR changes 500-999 lines, ignoring generated files. enhancement New feature or request labels Jul 2, 2026
Remove resty.session integration tests that manually injected revocation
state; APISIX now passes redis.mode through to lua-resty-session unchanged.

Co-authored-by: Cursor <cursoragent@cursor.com>
@dosubot dosubot Bot added size:L This PR changes 100-499 lines, ignoring generated files. and removed size:XL This PR changes 500-999 lines, ignoring generated files. labels Jul 3, 2026
Cover normal configs first, then variants and edge cases, with validation last.
@dosubot dosubot Bot added size:XL This PR changes 500-999 lines, ignoring generated files. and removed size:L This PR changes 100-499 lines, ignoring generated files. labels Jul 3, 2026
@juzhiyuan

juzhiyuan commented Jul 3, 2026

Copy link
Copy Markdown
Member

Hello @Hockenba,

I did a quick review of this PR. It also depends on bungle/lua-resty-session#208, right?

Should we wait for the upstream PR to be merged first?

Update: This PR depends on bungle/lua-resty-session#208 status

https://the-asf.slack.com/archives/CUC5MN17A/p1783014722148709

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

enhancement New feature or request size:XL This PR changes 500-999 lines, ignoring generated files.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants