fix(oidc): fail closed when verifier is unavailable (#4013)

Signed-off-by: EndlessSeeker <1766508902@qq.com> Co-authored-by: Jingze <52855280+Jing-ze@users.noreply.github.com>
2026-06-26 10:45:25 +08:00 · 2026-06-24 14:22:24 +08:00
parent e958290283
commit 10498a2c86
4 changed files with 116 additions and 5 deletions
--- a/plugins/wasm-go/extensions/oidc/main.go
+++ b/plugins/wasm-go/extensions/oidc/main.go
@@ -71,7 +71,14 @@ func onHttpRequestHeaders(ctx wrapper.HttpContext, config PluginConfig, log log.
 	// TODO: remove this verifier after envoy support send request during parseConfig
 	if err := config.oidcHandler.ValidateVerifier(); err != nil {
 		log.Critical(err.Error())
-		return types.ActionContinue
+		_ = proxywasm.SendHttpResponseWithDetail(
+			http.StatusServiceUnavailable,
+			"oidc.verifier_unavailable",
+			nil,
+			[]byte("OIDC verifier is unavailable"),
+			-1,
+		)
+		return types.ActionPause
 	}

 	config.oidcHandler.ServeHTTP(rw, req)