Update flightctl-base image

Containerfile

@@ -18,7 +18,7 @@ COPY proxy /app
 USER 0
 RUN CGO_ENABLED=1 CGO_CFLAGS=-flto GOEXPERIMENT=strictfipsruntime go build
 
-FROM quay.io/flightctl/flightctl-base:9.6-1762316544
+FROM quay.io/flightctl/flightctl-base:9.7-1762965531
 COPY --from=ui-build /app/apps/standalone/dist /app/proxy/dist
 COPY --from=proxy-build /app/flightctl-ui /app/proxy
 WORKDIR /app/proxy

Containerfile.ocp

@@ -18,7 +18,7 @@ COPY proxy /app
 USER 0
 RUN CGO_ENABLED=1 CGO_CFLAGS=-flto GOEXPERIMENT=strictfipsruntime go build
 
-FROM quay.io/flightctl/flightctl-base:9.6-1762316544
+FROM quay.io/flightctl/flightctl-base:9.7-1762965531
 COPY --from=ui-build /app/apps/ocp-plugin/dist /app/proxy/dist
 COPY --from=proxy-build /app/flightctl-ui /app/proxy
 WORKDIR /app/proxy

proxy/auth/aap.go

@@ -57,25 +57,23 @@ func getAAPAuthHandler(provider *v1beta1.AuthProvider, aapSpec *v1beta1.AapProvi
 	if aapSpec.ApiUrl == "" {
 		return nil, fmt.Errorf("AAP provider %s missing ApiUrl", providerName)
 	}
-
-	// Use externalApiUrl if available, otherwise use apiUrl
-	authURL := aapSpec.ApiUrl
-	if aapSpec.ExternalApiUrl != nil && *aapSpec.ExternalApiUrl != "" {
-		authURL = *aapSpec.ExternalApiUrl
+	if aapSpec.ClientId == "" {
+		return nil, fmt.Errorf("AAP provider %s missing ClientId", providerName)
+	}
+	if aapSpec.AuthorizationUrl == "" {
+		return nil, fmt.Errorf("AAP provider %s missing AuthorizationUrl", providerName)
+	}
+	if aapSpec.TokenUrl == "" {
+		return nil, fmt.Errorf("AAP provider %s missing TokenUrl", providerName)
 	}
-
-	// AAP OAuth typically uses a default client ID or requires it to be configured
-	// Since the new spec doesn't include ClientId, we'll use a default or make it configurable
-	// For now, using a default client ID that AAP typically uses
-	clientId := "flightctl-ui"        // Default client ID for AAP
-	internalAuthURL := aapSpec.ApiUrl // Use internal URL for token exchange
 
 	tlsConfig, err := bridge.GetAuthTlsConfig()
 	if err != nil {
 		return nil, err
 	}
 
-	client, err := getClient(authURL, tlsConfig, clientId)
+	// Use the authorization and token URLs directly from the spec
+	client, err := getClient(aapSpec.AuthorizationUrl, aapSpec.TokenUrl, tlsConfig, aapSpec.ClientId)
 	if err != nil {
 		return nil, err
 	}
@@ -84,36 +82,26 @@ func getAAPAuthHandler(provider *v1beta1.AuthProvider, aapSpec *v1beta1.AapProvi
 		client:          client,
 		internalClient:  client,
 		tlsConfig:       tlsConfig,
-		authURL:         authURL,
-		tokenURL:        fmt.Sprintf("%s/o/token/", internalAuthURL),
-		internalAuthURL: internalAuthURL,
-		clientId:        clientId,
+		authURL:         aapSpec.AuthorizationUrl,
+		tokenURL:        aapSpec.TokenUrl,
+		internalAuthURL: aapSpec.ApiUrl,
+		clientId:        aapSpec.ClientId,
 		providerName:    providerName,
 	}
 
-	// If we have both external and internal URLs, create separate clients
-	if aapSpec.ExternalApiUrl != nil && *aapSpec.ExternalApiUrl != "" && *aapSpec.ExternalApiUrl != aapSpec.ApiUrl {
-		internalClient, err := getClient(internalAuthURL, tlsConfig, clientId)
-		if err != nil {
-			return nil, err
-		}
-		handler.internalClient = internalClient
-		handler.tokenURL = fmt.Sprintf("%s/o/token/", internalAuthURL)
-	}
-
 	return handler, nil
 }
 
-func getClient(url string, tlsConfig *tls.Config, clientId string) (*osincli.Client, error) {
+func getClient(authorizationUrl, tokenUrl string, tlsConfig *tls.Config, clientId string) (*osincli.Client, error) {
 	// Use provided clientId, require it to be non-empty
 	if clientId == "" {
 		return nil, fmt.Errorf("clientId is required for AAP provider")
 	}
 
 	oidcClientConfig := &osincli.ClientConfig{
 		ClientId:                 clientId,
-		AuthorizeUrl:             fmt.Sprintf("%s/o/authorize/", url),
-		TokenUrl:                 fmt.Sprintf("%s/o/token/", url),
+		AuthorizeUrl:             authorizationUrl,
+		TokenUrl:                 tokenUrl,
 		RedirectUrl:              config.BaseUiUrl + "/callback",
 		ErrorsInStatusCode:       true,
 		SendClientSecretInParams: true,

proxy/auth/auth.go

@@ -186,7 +186,14 @@ func getClientIdFromProviderConfig(providerConfig *v1beta1.AuthProvider) (string
 		}
 		return oauth2Spec.ClientId, nil
 	case ProviderTypeAAP:
-		return "", fmt.Errorf("AAP providers client_id needs to be retrieved")
+		aapSpec, err := providerConfig.Spec.AsAapProviderSpec()
+		if err != nil {
+			return "", fmt.Errorf("failed to parse AAP provider spec: %w", err)
+		}
+		if aapSpec.ClientId == "" {
+			return "", fmt.Errorf("AAP provider missing required ClientId")
+		}
+		return aapSpec.ClientId, nil
 	case ProviderTypeOpenShift:
 		openshiftSpec, err := providerConfig.Spec.AsOpenShiftProviderSpec()
 		if err != nil {

proxy/go.mod

@@ -5,7 +5,7 @@ go 1.24.0
 toolchain go1.24.6
 
 require (
-	github.com/flightctl/flightctl v1.0.0-main.0.20251125075421-bbc6daa7c2e7
+	github.com/flightctl/flightctl v1.0.0-rc1
 	github.com/gorilla/handlers v1.5.2
 	github.com/gorilla/mux v1.8.1
 	github.com/gorilla/websocket v1.5.3

proxy/go.sum

@@ -12,8 +12,8 @@ github.com/decred/dcrd/dcrec/secp256k1/v4 v4.4.0 h1:NMZiJj8QnKe1LgsbDayM4UoHwbvw
 github.com/decred/dcrd/dcrec/secp256k1/v4 v4.4.0/go.mod h1:ZXNYxsqcloTdSy/rNShjYzMhyjf0LaoftYK0p+A3h40=
 github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2Wg=
 github.com/felixge/httpsnoop v1.0.4/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=
-github.com/flightctl/flightctl v1.0.0-main.0.20251125075421-bbc6daa7c2e7 h1:jDjB/bWu8NRhZErSW7jc2U0o3aRZUBL8oiEHpq1um+0=
-github.com/flightctl/flightctl v1.0.0-main.0.20251125075421-bbc6daa7c2e7/go.mod h1:Gi6cCJ4Jg42yooeBq3cCUpsBvUbWct8US92JEYX7fc4=
+github.com/flightctl/flightctl v1.0.0-rc1 h1:PbWJuz9cOePiGz4/wCKR0HZrILHOVL6o8D4ZuX4bbNo=
+github.com/flightctl/flightctl v1.0.0-rc1/go.mod h1:Gi6cCJ4Jg42yooeBq3cCUpsBvUbWct8US92JEYX7fc4=
 github.com/fxamacker/cbor/v2 v2.7.0 h1:iM5WgngdRBanHcxugY4JySA0nk1wZorNOpTgCMedv5E=
 github.com/fxamacker/cbor/v2 v2.7.0/go.mod h1:pxXPTn3joSm21Gbwsv0w9OSA2y1HFR9qXEeXQVeNoDQ=
 github.com/getkin/kin-openapi v0.132.0 h1:3ISeLMsQzcb5v26yeJrBcdTCEQTag36ZjaGk7MIRUwk=