
feat(openid-connect): update session config to support lua-resty-session, fixes deprecated session.cookie.lifetime#13178

Open
francescodedomenico wants to merge 3 commits into apache:master from francescodedomenico:feat/oidc-session-cookie

Conversation

@francescodedomenico francescodedomenico commented Apr 7, 2026

Description

APISIX bundles lua-resty-session 4.1.5, but the openid-connect plugin's session schema still exposed the legacy session.cookie.lifetime property from the 3.x API. Since lua-resty-openidc passes the session configuration as-is to resty.session.start(), only properties recognized by the 4.x library actually take effect.

This PR removes the deprecated session.cookie.lifetime and replaces it with the full set of flat configuration keys that lua-resty-session 4.x supports.

Why does it matter

With this update we have full control of the OIDC sticky session, allowing APISIX users to

  • declare multiple OIDC plugins in the same APISIX configuration, with different client IDs and properties
  • forward such sticky sessions only for selected paths, using the cookie_path parameter

New session properties

Cookie: cookie_name, cookie_prefix, cookie_path, cookie_domain, cookie_http_only, cookie_secure, cookie_priority, cookie_same_site, cookie_same_party, cookie_partitioned
Timeouts: idling_timeout (default 900s), rolling_timeout (default 3600s), absolute_timeout (default 86400s)
Remember / persistent sessions: remember, remember_cookie_name, remember_rolling_timeout, remember_absolute_timeout, remember_safety
Other: audience, subject, enforce_same_subject, stale_ttl, touch_threshold, compression_threshold, hash_storage_key, hash_subject, store_metadata

Migration from session.cookie.lifetime

The old session.cookie.lifetime (default 3600s) mapped loosely to a single cookie expiry. In lua-resty-session 4.x this is replaced by three independent timeouts that give much finer-grained control:

Old property: session.cookie.lifetime (default 3600s)
New equivalents:
  • idling_timeout — invalidate after inactivity (default 900s)
  • rolling_timeout — force renewal after duration (default 3600s)
  • absolute_timeout — hard session max lifetime (default 86400s)

Breaking change

Please note that even though I am describing this as a breaking change, session.cookie.lifetime is already ignored by resty.session in the APISIX main branch and the 3.15 release, and possibly on older versions as well.

session.cookie.lifetime is no longer accepted. Existing configurations using this property will be rejected by schema validation (additionalProperties = false). Users should migrate to idling_timeout, rolling_timeout, and/or absolute_timeout.

Files changed

  • apisix/plugins/openid-connect.lua — replaced session schema with lua-resty-session 4.x properties
  • docs/en/latest/plugins/openid-connect.md — updated English documentation
  • docs/zh/latest/plugins/openid-connect.md — updated Chinese documentation
  • t/plugin/openid-connect10.t — 14 new schema validation tests covering valid configs, invalid enum/type values, deprecated property rejection, and unknown property rejection

Which issue(s) this PR fixes:

Fixes #13177

Checklist

  • I have explained the need for this PR and the problem it solves
  • I have explained the changes or the new features added to this PR
  • I have added tests corresponding to this change
  • I have updated the documentation to reflect this change
  • I have verified that this change is backward compatible (If not, please discuss on the APISIX mailing list first)
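The three timeouts in the migration table above bound a session independently, which is the part of the change most easily misread when replacing a single cookie lifetime. The following is an added example, not code from this PR, from APISIX or from lua-resty-session: a simplified Python model of the three timeouts using only the semantics the PR description gives (idling_timeout invalidates after inactivity, rolling_timeout forces renewal after a duration, absolute_timeout is a hard maximum). The `Session`/`SessionTimeouts` types, the order in which the checks are applied, and the assumption that a rolling renewal rotates the session id without resetting the absolute clock are all assumptions of the example, not the library's documented behaviour.

```python
"""Simplified model of lua-resty-session 4.x-style timeouts.

Added example for illustration; not lua-resty-session, lua-resty-openidc or
APISIX code. The semantics are taken from the PR's own one-line descriptions
of idling_timeout, rolling_timeout and absolute_timeout; the check order and
the data model are assumptions of this example.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class SessionTimeouts:
    idling_timeout: int = 900      # seconds of inactivity before the session is invalid
    rolling_timeout: int = 3600    # seconds after which the session id must be renewed
    absolute_timeout: int = 86400  # hard maximum lifetime in seconds, never reset by renewal


@dataclass(frozen=True)
class Session:
    created_at: int  # when the session was first started (absolute clock)
    renewed_at: int  # when the session id was last rotated (rolling clock)
    last_seen: int   # last request that touched the session (idling clock)


def evaluate(sess: Session, t: SessionTimeouts, now: int) -> Tuple[str, Optional[str]]:
    """Classify a session at time `now`.

    Returns ("expired", reason), ("renew", "rolling_timeout") or ("ok", None).
    Assumed order: inactivity first, then the hard maximum, then rolling renewal.
    """
    if now - sess.last_seen > t.idling_timeout:
        return ("expired", "idling_timeout")
    if now - sess.created_at > t.absolute_timeout:
        return ("expired", "absolute_timeout")
    if now - sess.renewed_at > t.rolling_timeout:
        return ("renew", "rolling_timeout")
    return ("ok", None)


def touch(sess: Session, t: SessionTimeouts, now: int) -> Tuple[Optional[Session], Optional[str]]:
    """Apply one request at `now`: expire, rotate the session id, or refresh last_seen.

    A rolling renewal only moves renewed_at; created_at is deliberately kept so that
    absolute_timeout still caps the total lifetime no matter how often the id rotates.
    """
    state, reason = evaluate(sess, t, now)
    if state == "expired":
        return None, reason
    renewed_at = now if state == "renew" else sess.renewed_at
    return Session(sess.created_at, renewed_at, now), reason


def simulate(t: SessionTimeouts, request_times):
    """Replay request timestamps (seconds) against a session started at the first one.

    Returns a list of (time, outcome) with outcome one of 'started', 'ok', 'renewed'
    or 'expired:<reason>'. After an expiry the user is assumed to re-authenticate,
    so a fresh session starts at the time of the expired request.
    """
    sess: Optional[Session] = None
    trace = []
    for now in request_times:
        if sess is None:
            sess = Session(now, now, now)
            trace.append((now, "started"))
            continue
        new, reason = touch(sess, t, now)
        if new is None:
            trace.append((now, f"expired:{reason}"))
            sess = Session(now, now, now)
        elif reason == "rolling_timeout":
            trace.append((now, "renewed"))
            sess = new
        else:
            trace.append((now, "ok"))
            sess = new
    return trace


if __name__ == "__main__":
    defaults = SessionTimeouts()
    # Constructed request timelines: a 1000 s gap trips idling_timeout even though
    # the rolling and absolute budgets are far from exhausted.
    for when, outcome in simulate(defaults, [0, 600, 1200, 2200]):
        print(f"t={when:>6}s  {outcome}")
    # A user active every 10 minutes is renewed at 4200 s (first request past 3600 s
    # on the rolling clock) and finally expired by absolute_timeout, not by inactivity.
    steady = simulate(defaults, range(0, 87001, 600))
    print(steady[7], steady[-1])
```

A practical reading of the model: the legacy single lifetime cannot express "log out idle users quickly but let active users work all day", whereas the three independent timeouts can, and absolute_timeout is the one that bounds the damage of a stolen cookie regardless of how often it is renewed.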

4.x

Replace the deprecated `session.cookie.lifetime` property with the full
set of lua-resty-session 4.x configuration options: cookie settings
(cookie_name, cookie_path, cookie_domain, cookie_same_site, etc.),
timeout controls (idling_timeout, rolling_timeout, absolute_timeout),
remember/persistent session support, and additional options like
audience, hash_storage_key, and store_metadata.

BREAKING CHANGE: `session.cookie.lifetime` has been removed. Use
`idling_timeout`, `rolling_timeout`, and `absolute_timeout` instead.
@francescodedomenico francescodedomenico marked this pull request as ready for review April 7, 2026 21:42
@dosubot dosubot bot added size:XL This PR changes 500-999 lines, ignoring generated files. enhancement New feature or request labels Apr 7, 2026
@Baoyuantop (Contributor)

Hi @francescodedomenico, thank you for your contribution, but we need to evaluate whether it’s necessary to expose all the underlying library’s configurations. I’ll discuss this with the other maintainers. I look forward to hearing others’ thoughts.

idling_timeout, updated plugin configuration in openid-connect.t to
reflect new config schema

Development

Successfully merging this pull request may close these issues.

bug: openid-connect plugin `session.cookie.lifetime` has no effect (lua-resty-session 4.x incompatibility)