f

shreemaan-abhishek · shreemaan-abhishek · commit 8310a26ba70f · 2026-02-03T15:20:49.000+05:45
Signed-off-by: Abhishek Choudhary &lt;shreemaan.abhishek@gmail.com&gt;
diff --git a/apisix/plugins/openid-connect.lua b/apisix/plugins/openid-connect.lua
@@ -158,8 +158,9 @@ local schema = {
         use_jwks = {
             type = "boolean",
             default = false,
-            description = "Whether to use the JWKS(JSON Web Key Set) endpoint to validate the " ..
-                "token signature."
+            description = "If true and if `public_key` is not set, use the JWKS to verify JWT " ..
+                "signature and skip token introspection in client credentials flow. The JWKS " ..
+                "endpoint is parsed from the discovery document."
         },
         token_signing_alg_values_expected = {type = "string"},
         use_pkce = {
diff --git a/docs/en/latest/plugins/openid-connect.md b/docs/en/latest/plugins/openid-connect.md
@@ -55,7 +55,7 @@ The `openid-connect` Plugin supports the integration with [OpenID Connect (OIDC)
 | introspection_endpoint_auth_method   | string   | False    | client_secret_basic |              | Authentication method for the token introspection endpoint. The value should be one of the authentication methods specified in the `introspection_endpoint_auth_methods_supported` [authorization server metadata](https://www.rfc-editor.org/rfc/rfc8414.html) as seen in the well-known discovery document, such as `client_secret_basic`, `client_secret_post`, `private_key_jwt`, and `client_secret_jwt`.              |
 | token_endpoint_auth_method           | string   | False    |   client_secret_basic      |              | Authentication method for the token endpoint. The value should be one of the authentication methods specified in the `token_endpoint_auth_methods_supported` [authorization server metadata](https://www.rfc-editor.org/rfc/rfc8414.html) as seen in the well-known discovery document, such as `client_secret_basic`, `client_secret_post`, `private_key_jwt`, and `client_secret_jwt`. If the configured method is not supported, fall back to the first method in the `token_endpoint_auth_methods_supported` array.       |
 | public_key         | string   | False    |     |              | Public key used to verify JWT signature id asymmetric algorithm is used. Providing this value to perform token verification will skip token introspection in client credentials flow. You can pass the public key in `-----BEGIN PUBLIC KEY-----\\n……\\n-----END PUBLIC KEY-----` format.          |
-| use_jwks           | boolean  | False    | false                 |              | Whether to use the JWKS(JSON Web Key Set) endpoint to validate the token signature.     |
+| use_jwks           | boolean  | False    | false                 |              | 如果为 true 并且未设置“public_key”，则使用 JWKS 验证 JWT 签名并跳过客户端凭据流程中的令牌自省。 JWKS 端点是从发现文档中解析的。     |
 | use_pkce           | boolean  | False    | false                 |              | If true, use the Proof Key for Code Exchange (PKCE) for Authorization Code Flow as defined in [RFC 7636](https://datatracker.ietf.org/doc/html/rfc7636).  |
 | token_signing_alg_values_expected    | string   | False    |     |              | Algorithm used for signing JWT, such as `RS256`.       |
 | set_access_token_header              | boolean  | False    | true                  |              |  If true, set the access token in a request header. By default, the `X-Access-Token` header is used.        |
diff --git a/docs/zh/latest/plugins/openid-connect.md b/docs/zh/latest/plugins/openid-connect.md
@@ -55,7 +55,7 @@ description: openid-connect 插件支持与 OpenID Connect (OIDC) 身份提供
 | introspection_endpoint_auth_method | string | 否 | client_secret_basic | | 令牌自检端点的身份验证方法。该值应为 `introspection_endpoint_auth_methods_supported` [授权服务器元数据](https://www.rfc-editor.org/rfc/rfc8414.html) 中指定的身份验证方法之一，如众所周知的发现文档中所示，例如 `client_secret_basic`、`client_secret_post`、`private_key_jwt` 和 `client_secret_jwt`。|
 | token_endpoint_auth_method | string | 否 | client_secret_basic | | 令牌端点的身份验证方法。该值应为 `token_endpoint_auth_methods_supported` [授权服务器元数据](https://www.rfc-editor.org/rfc/rfc8414.html) 中指定的身份验证方法之一，如众所周知的发现文档中所示，例如 `client_secret_basic`、`client_secret_post`、`private_key_jwt` 和 `client_secret_jwt`。如果配置的方法不受支持，则回退到 `token_endpoint_auth_methods_supported` 数组中的第一个方法。|
 | public_key | string | 否 | | | 用于验证 JWT 签名 id 的公钥使用非对称算法。提供此值来执行令牌验证将跳过客户端凭据流中的令牌自检。您可以以 `-----BEGIN PUBLIC KEY-----\\n……\\n-----END PUBLIC KEY-----` 格式传递公钥。|
-| use_jwks | boolean | 否 | false | | 是否使用 JWKS（JSON Web Key Set）端点来验证令牌签名。|
+| use_jwks | boolean | 否 | false | | 如果为 true 并且未设置“public_key”，则使用 JWKS 验证 JWT 签名并跳过客户端凭据流程中的令牌自省。 JWKS 端点是从发现文档中解析的。|
 | use_pkce | boolean | 否 | false | | 如果为 true，则使用 [RFC 7636](https://datatracker.ietf.org/doc/html/rfc7636) 中定义的授权码流的代码交换证明密钥 (PKCE)。|
 | token_signing_alg_values_expected | string | 否 | | | 用于签署 JWT 的算法，例如 `RS256`。 |
 | set_access_token_header | boolean | 否 | true | | 如果为 true，则在请求标头中设置访问令牌。默认情况下，使用 `X-Access-Token` 标头。|
