Support split OIDC provider URLs #1039
7e563e5 to 02b600c
Cursor Bugbot has reviewed your changes using default effort and found 1 potential issue.
Reviewed by Cursor Bugbot for commit 02b600c.
```go
    metadata.ProviderConfig.IssuerURL = cfg.OIDCIssuer
}
```
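Review bot: the assignment at the end of this hunk overwrites the issuer with the configured value only after the discovery issuer has already been compared exactly against it, so the two strings are identical at this point; a one-line comment stating that invariant (and that the verifier therefore enforces the canonical `iss` rather than anything rewritten for the internal path) would save the next reader from re-deriving it from the review discussion.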
Issuer slash mismatch breaks split OIDC
Medium Severity
In the custom OIDC metadata path, discovery issuer validation uses a strict string compare against OIDCIssuer, then forces that configured value as the verifier issuer. When internalIssuerURL or endpoint overrides are set, a trailing-slash mismatch between Helm/docs-style issuerURL and the IdP discovery issuer can fail startup or reject valid ID tokens, unlike the default oidc.NewProvider path.
I think this one is not a bug. Upstream go-oidc has the same behavior: NewProvider trims the configured issuer only to build /.well-known/openid-configuration, then compares the discovered issuer exactly against the configured issuer before constructing the provider. The custom path here is intentionally preserving that exact issuer validation, and replaceOIDCURLBase already trims base URLs for endpoint rewriting so trailing slash differences on internalIssuerURL do not break the derived token/JWKS/userinfo URLs.
02b600c to eeddded


Summary
Radar OIDC mode now supports Kubernetes deployments where the browser must use the canonical issuer URL while the Radar pod reaches the identity provider through an internal service URL. This removes the need for hostAliases, loopback proxies, or sidecar forwarding while preserving validation against the canonical token issuer.
Closes #981.
What changed
- `internalIssuerURL` support for the common case where public and internal IdP paths match, deriving internal token/userinfo/JWKS URLs while keeping browser-facing authorization and logout URLs public.
- `scripts/test-oidc-split.sh`, a local Dex smoke test that blocks public token/JWKS/userinfo endpoints and verifies Radar can still complete login through the internal issuer path.
Testing
- `go test ./internal/auth ./cmd/explorer`
- `go test ./internal/server`
- `(cd pkg && go test ./auth)`
- `helm lint deploy/helm/radar`
- `helm template radar deploy/helm/radar` with the new OIDC values
- `make test`
- `make build`
- `bash -n scripts/test-oidc-split.sh`
- `./scripts/test-oidc-split.sh ./radar` (Docker Dex split-issuer smoke, 7/7 pass)
Notes
When explicit endpoint overrides are used without `internalIssuerURL`, Radar can initialize without discovery, but discovery-provided logout/backchannel metadata is unavailable. Use `internalIssuerURL` when the provider discovery document is reachable from the pod.
Note
Medium Risk
Touches OIDC login, token exchange, and JWT verification—security-sensitive—but issuer validation is preserved and behavior is additive behind new config flags.
Overview
Adds split public/internal OIDC URLs for in-cluster Radar: browsers keep the canonical `issuerURL` while the pod can discover and call token, JWKS, and userinfo over internal DNS—without changing token `iss` validation.

`internal/auth/oidc.go` now builds provider metadata via custom discovery when any split/override setting is set: optional `internalIssuerURL` rewrites server-side endpoints and keeps authorization/logout browser-facing; explicit `authorizationURL`, `tokenURL`, `userInfoURL`, and `jwksURL` overrides skip derivation when paths don't match. Discovery issuer must still report the same canonical issuer as configured.

New CLI flags, Helm values/schema/deployment args, and `docs/authentication.md` document the pattern. Unit tests cover internal issuer, overrides, and discovery-free explicit endpoints. `scripts/test-oidc-split.sh` is a Dex-based smoke test that blocks public token/JWKS paths and verifies end-to-end login.

Reviewed by Cursor Bugbot for commit eeddded.
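The split-URL resolution described in the overview above and in the reply about `replaceOIDCURLBase` (exact issuer comparison as in go-oidc, trailing-slash trimming on base URLs, browser-facing authorization/logout URLs kept public, token/JWKS/userinfo derived from the internal issuer, explicit overrides taking precedence), as an added Go example that is not Radar's code: the type and field names are assumed, and the issuer and service URLs are constructed sample values.

```go
package main

import (
	"fmt"
	"strings"
)

// Discovered holds the discovery-document fields this example uses.
type Discovered struct{ Issuer, AuthURL, TokenURL, UserInfoURL, JWKSURL, EndSessionURL string }
// SplitConfig mirrors the split settings (names assumed, not Radar's): canonical issuer, optional internal issuer, explicit overrides.
type SplitConfig struct{ Issuer, InternalIssuer, TokenURL, UserInfoURL, JWKSURL string }
// Endpoints is the resolved metadata plus the issuer the token verifier must enforce.
type Endpoints struct{ VerifierIssuer, AuthURL, EndSessionURL, TokenURL, UserInfoURL, JWKSURL string }

// rebase moves u from the public base to the internal base; trailing slashes on either base are ignored.
func rebase(u, public, internal string) string {
	public, internal = strings.TrimSuffix(public, "/"), strings.TrimSuffix(internal, "/")
	if internal == "" || !strings.HasPrefix(u, public+"/") {
		return u // no internal issuer, or an endpoint hosted outside the public issuer base
	}
	return internal + strings.TrimPrefix(u, public)
}

func pick(override, derived string) string { // an explicit override always wins over the derived URL
	if override != "" {
		return override
	}
	return derived
}

// Resolve compares the discovered issuer exactly with the configured one (as go-oidc's NewProvider does), keeps browser-facing URLs public and derives the pod-facing token/userinfo/JWKS URLs.
func Resolve(cfg SplitConfig, d Discovered) (Endpoints, error) {
	if d.Issuer != cfg.Issuer {
		return Endpoints{}, fmt.Errorf("discovery issuer %q != configured issuer %q", d.Issuer, cfg.Issuer)
	}
	return Endpoints{
		VerifierIssuer: cfg.Issuer, // ID-token iss is still checked against the canonical issuer
		AuthURL:        d.AuthURL,  // redirects and logout stay on the public host
		EndSessionURL:  d.EndSessionURL,
		TokenURL:       pick(cfg.TokenURL, rebase(d.TokenURL, cfg.Issuer, cfg.InternalIssuer)),
		UserInfoURL:    pick(cfg.UserInfoURL, rebase(d.UserInfoURL, cfg.Issuer, cfg.InternalIssuer)),
		JWKSURL:        pick(cfg.JWKSURL, rebase(d.JWKSURL, cfg.Issuer, cfg.InternalIssuer)),
	}, nil
}

func main() { // constructed sample: public issuer vs. in-cluster Dex service URL
	cfg := SplitConfig{Issuer: "https://idp.example.com/dex", InternalIssuer: "http://dex.auth.svc:5556/dex/"}
	d := Discovered{Issuer: cfg.Issuer, AuthURL: cfg.Issuer + "/auth", TokenURL: cfg.Issuer + "/token", JWKSURL: cfg.Issuer + "/keys"}
	fmt.Println(Resolve(cfg, d))
}
```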