help request: openid-connect plugin with renew access token #12020

Open
SKDragon18 opened this issue Mar 5, 2025 · 1 comment

@SKDragon18

Description

I want to know how to renew the access token automatically in APISIX with the openid-connect plugin. I found the renew_access_token_on_expiry field in the JSON settings, but it does not work: the access token expires while the refresh token is available. Does it really work like that?

This is my openid-connect configuration:

"openid-connect": {
  "accept_none_alg": false,
  "accept_unsupported_alg": true,
  "access_token_expires_leeway": 0,
  "access_token_in_authorization_header": false,
  "bearer_only": true,
  "client_id": "apisix",
  "client_jwt_assertion_expires_in": 60,
  "client_secret": "UDrN+4q9hETmW6YJQrIssdfTudn9+PC",
  "discovery": "http://host.docker.internal:8080/realms/apisix_test_realm/.well-known/openid-configuration",
  "force_reauthorize": false,
  "iat_slack": 120,
  "introspection_endpoint_auth_method": "client_secret_basic",
  "introspection_interval": 0,
  "jwk_expires_in": 86400,
  "jwt_verification_cache_ignore": false,
  "logout_path": "/logout",
  "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBfdsfdsJm37Xu9dWa6QniwLO+45u4tesgtlzCizpWCb41FD2dKVpcRQHKW\n2QIDAQAB\n-----END PUBLIC KEY-----",
  "realm": "apisix_test_realm",
  "renew_access_token_on_expiry": true,
  "revoke_tokens_on_logout": false,
  "scope": "openid",
  "set_access_token_header": true,
  "set_id_token_header": true,
  "set_refresh_token_header": true,
  "set_userinfo_header": true,
  "ssl_verify": false,
  "timeout": 3,
  "token_endpoint_auth_method": "client_secret_basic",
  "token_signing_alg_values_expected": "RS256",
  "unauth_action": "auth",
  "use_nonce": false,
  "use_pkce": false
}

My curl test:

curl --location --request GET 'http://127.0.0.1:9080/api/dgraph/targets/all?page=1&size=15' \
  --header 'X-Refresh-Token: eyJhbGciOiJIUzUxMiIsInR5cCxNvt5A0IeIv19Xbvb3d3sz1xnZ_i1a4V7ZWg' \
  --header 'Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJmYXFILXE0a3Bpd185ZnZNLWR3SG9rMXdCOU8zM1FvRWo4eVE2TUVzRmxvIn0.eyJleHIBt06yE93SBfxrMhTmYMbGdnMoIs6EWQWA'

The server log seems to show it catching the expired token but not trying the refresh token:

2025/03/05 04:48:50 [error] 53#53: *390762 [lua] openid-connect.lua:533: phase_func(): OIDC introspection failed: jwt signature verification failed: 'exp' claim expired at Wed, 05 Mar 2025 04:37:11 GMT,  request: "GET /api/dgraph/targets/all?page=1&size=15 HTTP/1.1", host: "127.0.0.1:9080"
2025/03/05 04:48:50 [warn] 53#53: *390762 [lua] plugin.lua:1174: run_plugin(): openid-connect exits with http status code 401, request: "GET /api/dgraph/targets/all?page=1&size=15 HTTP/1.1", host: "127.0.0.1:9080"
- - [05/Mar/2025:04:48:50 +0000] 127.0.0.1:9080 "GET /api/dgraph/targets/all?page=1&size=15 HTTP/1.1" 401 251 0.000 "-" "Apidog/1.0.0 (https://apidog.com)" - - - "http://127.0.0.1:9080"

Environment

  • APISIX version (run apisix version):
  • Operating system (run uname -a):
  • OpenResty / Nginx version (run openresty -V or nginx -V):
  • etcd version, if relevant (run curl http://127.0.0.1:9090/v1/server_info):
  • APISIX Dashboard version, if relevant:
  • Plugin runner version, for issues related to plugin runners:
  • LuaRocks version, for installation issues (run luarocks --version):
@mengxzh

mengxzh commented Mar 8, 2025

This conf seems to work only in authorization_code.
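
Added example, not part of the issue thread or of APISIX: if the gateway does not renew tokens on bearer requests, as the comment above suggests, the API client has to refresh before calling it. This sketch reads the `exp` claim and builds a standard OAuth 2.0 `refresh_token` grant request (RFC 6749, section 6) with `client_secret_basic`; the token endpoint URL, the credentials passed in and the sample token are assumptions constructed for the example.

```python
import base64
import json
import time
import urllib.parse
import urllib.request


def jwt_claims(token):
    """Decode the JWT payload WITHOUT verifying the signature.
    Only for reading `exp` on the client; the gateway still verifies."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))


def needs_refresh(token, now=None, skew=30):
    """True when the token is expired or expires within `skew` seconds."""
    now = time.time() if now is None else now
    exp = jwt_claims(token).get("exp")
    return exp is None or now >= exp - skew


def build_refresh_request(token_endpoint, client_id, client_secret, refresh_token):
    """Build the refresh_token grant POST; the caller sends it with urlopen()."""
    body = urllib.parse.urlencode(
        {"grant_type": "refresh_token", "refresh_token": refresh_token}
    ).encode()
    # client_secret_basic: form-encode id and secret, then Basic-encode them
    pair = urllib.parse.quote_plus(client_id) + ":" + urllib.parse.quote_plus(client_secret)
    return urllib.request.Request(
        token_endpoint,
        data=body,
        method="POST",
        headers={
            "Authorization": "Basic " + base64.b64encode(pair.encode()).decode(),
            "Content-Type": "application/x-www-form-urlencoded",
        },
    )


def make_sample_token(exp):
    """Constructed, unsigned sample token (not a real credential)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256", "typ": "JWT"}), enc({"exp": exp}), "sig"])
```

The client sends the built request to the identity provider's token endpoint and retries the gateway call with the new access token in the `Authorization: Bearer` header.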
