Johannes Koch
We could skip the "oidc" example directory for the usual verification and do a `docker-compose up --abort-on-container-exit` instead. That would require creating different docker-compose.yaml files for the two...
A way to solve this in couper itself: lazy-initialize the JWT parser for OIDC:
```go
func NewOidcClient(evalCtx *hcl.EvalContext, oidcConfig *oidc.Config) (*OidcClient, error) {
	backends := oidcConfig.Backends()
	acClient, err := NewAuthCodeClient(evalCtx,...
```
Hi @hifabienne
> So as a workaround you could also use the userinfo endpoint

The OIDC client implementation I use actually calls the userinfo endpoint with the access token. But...
Hi @buehler , yes introspection makes more sense. I'll try that.
Yep, in the token introspection response, the `aud` contains the requested ID. Thanks @hifabienne and @buehler
@schettn ~It seems that I do, yes.~ I saw roles from the granted project, because I used credentials for an org1p API to authenticate the token introspection request (as my...
The problem may also occur with `request`:
```hcl
endpoint "/foo" {
  request "r" {
    url = "/bar"
    backend = "be"
  }
  response {
    headers = backend_responses.r.headers
  }
}
```
The CORS response headers must not be set/added before
```go
nextHandler.ServeHTTP(rw, req)
```
in `CORS.ServeNextHTTP()`. Instead we could register headers to remove/set/add with the `writer.Response` and execute the modifications after...
> Does the problem only occur with payload requests? The OPTIONS PFR is handled by Couper without actually executing the endpoint, isn't it? Yes
> Ideally, we use the `set` modifier to make sure that our generated header override any corresponding header coming from the upstream response.

We already _set_ them. The problem is...