bug: Invalid secretRef in openid-connect plugin allows the access to the backend application #12373

Status: Open
Reported by: @geeky-akshay

Description

Current Behavior

If the secret name provided in secretRef of the openid-connect plugin does not exist, then it allows access to the backend application.

Expected Behavior

It should deny access to the backend application if the secret provided in secretRef does not exist.

Error Logs

No response

Steps to Reproduce

  1. Deploy the httpbin service
  2. Deploy any identity provider, for example Keycloak
  3. Create a client application for accessing httpbin
  4. Create an ApisixRoute for accessing httpbin and protect it with the openid-connect plugin
  5. Don't provide client_secret in the openid-connect plugin; instead use secretRef and provide a dummy secret name
  6. Access the httpbin service
  7. Access will be allowed instead of denied because the secret does not exist
```yaml
apiVersion: apisix.apache.org/v2
kind: ApisixRoute
metadata:
  name: httpbin
  namespace: default
spec:
  http:
  - backends:
    - serviceName: httpbin
      servicePort: 80
    match:
      paths:
      - /*
    name: httpbin
    plugins:
    - config:
        access_token_in_authorization_header: true
        client_id: httpbin
        discovery: https://a7s990a76a40c4a909451a1a973e4180-f1cd4b4d0d9b62f1.elb.us-east-1.amazonaws.com/auth/oidc/.well-known/openid-configuration
        renew_access_token_on_expiry: true
        scope: openid
        set_refresh_token_header: true
        timeout: 10
        use_jwks: true
      enable: true
      name: openid-connect
      secretRef: dummy-httpbin-secret
```
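The behaviour the reporter expects is fail-closed: a route whose openid-connect plugin points at a Secret that cannot be resolved should never reach the backend unauthenticated. The following is an added example, not code from APISIX or the ingress controller, of a pre-apply check a practitioner can run in CI or as an admission hook: it walks an ApisixRoute, and for every enabled openid-connect plugin without an inline client_secret it verifies that the referenced Secret exists in the route's namespace and carries a client_secret key. The Secret inventory, the route builder and the policy that a missing client_secret key is also a rejection are assumptions made for the example.

```python
"""Fail-closed validation of openid-connect secretRef entries in an ApisixRoute.

Added example; not APISIX or apisix-ingress-controller code. It rejects a route
whose openid-connect plugin references a Secret that does not exist (the case
in this report) or that exists but has no client_secret key (an assumed extra
policy), so the misconfiguration is caught before the route is applied.
"""
from typing import Dict, List

# Constructed sample inventory of Secrets, keyed by namespace then name.
# Values mimic the decoded data of a Kubernetes Secret.
EXISTING_SECRETS: Dict[str, Dict[str, Dict[str, str]]] = {
    "default": {
        "httpbin-oidc": {"client_secret": "s3cr3t-example"},
        "broken-oidc": {"client_id": "httpbin"},  # present, but no client_secret
    }
}


def make_route(secret_ref: str) -> dict:
    """Build an ApisixRoute mirroring the one in the report (discovery URL omitted)."""
    return {
        "apiVersion": "apisix.apache.org/v2",
        "kind": "ApisixRoute",
        "metadata": {"name": "httpbin", "namespace": "default"},
        "spec": {"http": [{
            "name": "httpbin",
            "match": {"paths": ["/*"]},
            "backends": [{"serviceName": "httpbin", "servicePort": 80}],
            "plugins": [{
                "name": "openid-connect",
                "enable": True,
                "secretRef": secret_ref,
                "config": {"client_id": "httpbin", "scope": "openid", "use_jwks": True},
            }],
        }]},
    }


def validate_secret_refs(route: dict, secrets: Dict[str, Dict[str, Dict[str, str]]]) -> List[str]:
    """Return a list of problems; an empty list means the route is safe to apply.

    Reported: an enabled openid-connect plugin with no inline client_secret whose
    secretRef is missing, names a Secret that does not exist, or names a Secret
    without a client_secret key.
    """
    problems: List[str] = []
    ns = route.get("metadata", {}).get("namespace", "default")
    ns_secrets = secrets.get(ns, {})
    for rule in route.get("spec", {}).get("http", []):
        rule_name = rule.get("name")
        for plugin in rule.get("plugins", []):
            if plugin.get("name") != "openid-connect" or not plugin.get("enable", False):
                continue
            if plugin.get("config", {}).get("client_secret"):
                continue  # inline secret present; nothing to resolve
            ref = plugin.get("secretRef")
            if not ref:
                problems.append(f"rule {rule_name}: no client_secret and no secretRef")
                continue
            data = ns_secrets.get(ref)
            if data is None:
                problems.append(f"rule {rule_name}: secretRef {ns}/{ref} does not exist")
            elif "client_secret" not in data:
                problems.append(f"rule {rule_name}: Secret {ns}/{ref} has no client_secret key")
    return problems


def is_safe_to_apply(route: dict, secrets: Dict[str, Dict[str, Dict[str, str]]] = EXISTING_SECRETS) -> bool:
    """True only when every openid-connect secretRef in the route resolves."""
    return not validate_secret_refs(route, secrets)


if __name__ == "__main__":
    for name in ("httpbin-oidc", "dummy-httpbin-secret", "broken-oidc"):
        route = make_route(name)
        print(name, "OK" if is_safe_to_apply(route) else validate_secret_refs(route, EXISTING_SECRETS))
```

The check deliberately treats "unresolvable" and "absent" the same way: the gateway's decision to let traffic through when the credential cannot be loaded is exactly the failure mode reported above, so anything that cannot be proven present is rejected before the route is created.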

Environment

  • APISIX version (run apisix version): 3.12.0
  • Operating system (run uname -a): Linux apisix-data-plane-656bb98db-gz69w 5.10.237-230.949.amzn2.x86_64 #1 SMP Thu Jun 5 23:30:10 UTC 2025 x86_64 GNU/Linux
  • OpenResty / Nginx version (run openresty -V or nginx -V):

```text
nginx version: openresty/1.27.1.1
built with OpenSSL 3.2.0 23 Nov 2023
TLS SNI support enabled
configure arguments: --prefix=/opt/bitnami/apisix/openresty/nginx --with-debug --with-cc-opt='-DNGX_LUA_USE_ASSERT -DNGX_LUA_ABORT_AT_PANIC -O2 -DAPISIX_RUNTIME_VER=1.3.0 -DNGX_LUA_ABORT_AT_PANIC -I/opt/bitnami/apisix/openresty/zlib/include -I/opt/bitnami/apisix/openresty/pcre/include -I/opt/bitnami/apisix/openresty/openssl3/include' --add-module=../ngx_devel_kit-0.3.3 --add-module=../echo-nginx-module-0.63 --add-module=../xss-nginx-module-0.06 --add-module=../ngx_coolkit-0.2 --add-module=../set-misc-nginx-module-0.33 --add-module=../form-input-nginx-module-0.12 --add-module=../encrypted-session-nginx-module-0.09 --add-module=../srcache-nginx-module-0.33 --add-module=../ngx_lua-0.10.27 --add-module=../ngx_lua_upstream-0.07 --add-module=../headers-more-nginx-module-0.37 --add-module=../array-var-nginx-module-0.06 --add-module=../memc-nginx-module-0.20 --add-module=../redis2-nginx-module-0.15 --add-module=../redis-nginx-module-0.3.9 --add-module=../ngx_stream_lua-0.0.15 --with-ld-opt='-Wl,-rpath,/opt/bitnami/apisix/openresty/luajit/lib -Wl,-rpath,/opt/bitnami/apisix/openresty/wasmtime-c-api/lib -L/opt/bitnami/apisix/openresty/zlib/lib -L/opt/bitnami/apisix/openresty/pcre/lib -L/opt/bitnami/apisix/openresty/openssl3/lib -Wl,-rpath,/opt/bitnami/apisix/openresty/zlib/lib:/opt/bitnami/apisix/openresty/pcre/lib:/opt/bitnami/apisix/openresty/openssl3/lib' --add-module=/tmp/tmp.4z3Tv3j4Tp/openresty-1.27.1.1/../mod_dubbo-1.0.2 --add-module=/tmp/tmp.4z3Tv3j4Tp/openresty-1.27.1.1/../ngx_multi_upstream_module-1.3.1 --add-module=/tmp/tmp.4z3Tv3j4Tp/openresty-1.27.1.1/../apisix-nginx-module-1.18.0 --add-module=/tmp/tmp.4z3Tv3j4Tp/openresty-1.27.1.1/../apisix-nginx-module-1.18.0/src/stream --add-module=/tmp/tmp.4z3Tv3j4Tp/openresty-1.27.1.1/../apisix-nginx-module-1.18.0/src/meta --add-module=/tmp/tmp.4z3Tv3j4Tp/openresty-1.27.1.1/../wasm-nginx-module-0.7.0 --add-module=/tmp/tmp.4z3Tv3j4Tp/openresty-1.27.1.1/../lua-var-nginx-module-v0.5.3 --add-module=/tmp/tmp.4z3Tv3j4Tp/openresty-1.27.1.1/../lua-resty-events-0.2.0 --with-poll_module --with-pcre-jit --with-stream --with-stream_ssl_module --with-stream_ssl_preread_module --with-http_v2_module --with-http_v3_module --without-mail_pop3_module --without-mail_imap_module --without-mail_smtp_module --with-http_stub_status_module --with-http_realip_module --with-http_addition_module --with-http_auth_request_module --with-http_secure_link_module --with-http_random_index_module --with-http_gzip_static_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-threads --with-compat --with-stream --with-http_ssl_module
```

  • etcd version, if relevant (run curl http://127.0.0.1:9090/v1/server_info):
  • APISIX Dashboard version, if relevant:
  • Plugin runner version, for issues related to plugin runners:
  • LuaRocks version, for installation issues (run luarocks --version):

Metadata

Labels: ingress controller (This issue is related to older versions of the apisix ingress controller.), plugin

Project status: Backlog