
Support split OIDC provider URLs #1039

Open
nadaverell wants to merge 1 commit into main from issue-981-oidc-split-urls

Conversation

@nadaverell (Contributor) commented Jun 28, 2026

Summary

Radar OIDC mode now supports Kubernetes deployments where the browser must use the canonical issuer URL while the Radar pod reaches the identity provider through an internal service URL. This removes the need for hostAliases, loopback proxies, or sidecar forwarding while preserving validation against the canonical token issuer.

Closes #981.

What changed

  • Added OIDC provider metadata resolution that keeps the configured issuer as the canonical issuer for token validation while allowing server-side discovery and endpoints to use internal URLs.
  • Added internalIssuerURL support for the common case where public and internal IdP paths match, deriving internal token/userinfo/JWKS URLs while keeping browser-facing authorization and logout URLs public.
  • Added explicit endpoint overrides for authorization, token, userinfo, and JWKS URLs for Grafana-style configurations where the endpoints cannot be derived from two issuer bases.
  • Exposed the new settings through CLI flags and Helm values/schema/template wiring.
  • Added scripts/test-oidc-split.sh, a local Dex smoke test that blocks public token/JWKS/userinfo endpoints and verifies Radar can still complete login through the internal issuer path.
  • Documented the split public/internal OIDC deployment pattern and added regression coverage for canonical issuer validation, endpoint override behavior, and preserving discovery metadata when overrides are used with an internal issuer.

Testing

  • go test ./internal/auth ./cmd/explorer
  • go test ./internal/server
  • (cd pkg && go test ./auth)
  • helm lint deploy/helm/radar
  • helm template radar deploy/helm/radar with the new OIDC values
  • make test
  • make build
  • bash -n scripts/test-oidc-split.sh
  • ./scripts/test-oidc-split.sh ./radar (Docker Dex split-issuer smoke, 7/7 pass)
  • visual-test skipped: no UI delta

Notes

When explicit endpoint overrides are used without internalIssuerURL, Radar can initialize without discovery, but discovery-provided logout/backchannel metadata is unavailable. Use internalIssuerURL when the provider discovery document is reachable from the pod.


Note

Medium Risk
Touches OIDC login, token exchange, and JWT verification—security-sensitive—but issuer validation is preserved and behavior is additive behind new config flags.

Overview
Adds split public/internal OIDC URLs for in-cluster Radar: browsers keep the canonical issuerURL while the pod can discover and call token, JWKS, and userinfo over internal DNS—without changing token iss validation.

internal/auth/oidc.go now builds provider metadata via custom discovery when any split/override setting is set: optional internalIssuerURL rewrites server-side endpoints and keeps authorization/logout browser-facing; explicit authorizationURL, tokenURL, userInfoURL, and jwksURL overrides skip derivation when paths don't match. Discovery issuer must still report the same canonical issuer as configured.

New CLI flags, Helm values/schema/deployment args, and docs/authentication.md document the pattern. Unit tests cover internal issuer, overrides, and discovery-free explicit endpoints. scripts/test-oidc-split.sh is a Dex-based smoke test that blocks public token/JWKS paths and verifies end-to-end login.

Reviewed by Cursor Bugbot for commit eeddded.

@nadaverell nadaverell requested a review from hisco as a code owner June 28, 2026 10:21
@nadaverell nadaverell force-pushed the issue-981-oidc-split-urls branch from 7e563e5 to 02b600c on June 28, 2026 13:25

@cursor cursor Bot left a comment


Cursor Bugbot has reviewed your changes using default effort and found 1 potential issue.

Reviewed by Cursor Bugbot for commit 02b600c.

Comment thread on internal/auth/oidc.go, at:

    metadata.ProviderConfig.IssuerURL = cfg.OIDCIssuer
    }


Issuer slash mismatch breaks split OIDC

Medium Severity

In the custom OIDC metadata path, discovery issuer validation uses a strict string compare against OIDCIssuer, then forces that configured value as the verifier issuer. When internalIssuerURL or endpoint overrides are set, a trailing-slash mismatch between Helm/docs-style issuerURL and the IdP discovery issuer can fail startup or reject valid ID tokens, unlike the default oidc.NewProvider path.


@nadaverell (Contributor, Author) replied:

I think this one is not a bug. Upstream go-oidc has the same behavior: NewProvider trims the configured issuer only to build /.well-known/openid-configuration, then compares the discovered issuer exactly against the configured issuer before constructing the provider. The custom path here is intentionally preserving that exact issuer validation, and replaceOIDCURLBase already trims base URLs for endpoint rewriting so trailing slash differences on internalIssuerURL do not break the derived token/JWKS/userinfo URLs.
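The two mechanisms discussed in this thread, the internal-base rewrite of the server-side endpoints described in "What changed" and the exact issuer comparison plus base trimming described in the reply above, are illustrated here with an added, self-contained example. It is not Radar's code and not go-oidc: `ResolveSplitMetadata`, `replaceURLBase`, `EndpointOverrides` and the `SampleDiscovery` document are constructed for this example, and the internal Dex address is a made-up in-cluster name. The issuer check reproduces the strict string comparison the reply attributes to `NewProvider`; the base rewrite trims trailing slashes the way the reply says `replaceOIDCURLBase` does.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// ProviderMetadata is the subset of the OIDC discovery document this example rewrites.
type ProviderMetadata struct {
	Issuer                string `json:"issuer"`
	AuthorizationEndpoint string `json:"authorization_endpoint"`
	TokenEndpoint         string `json:"token_endpoint"`
	UserInfoEndpoint      string `json:"userinfo_endpoint"`
	JWKSURI               string `json:"jwks_uri"`
	EndSessionEndpoint    string `json:"end_session_endpoint"`
}

// EndpointOverrides carries explicit endpoint URLs. The field names are
// hypothetical, modelled on the authorizationURL/tokenURL/userInfoURL/jwksURL
// settings the PR description mentions.
type EndpointOverrides struct {
	AuthorizationURL string
	TokenURL         string
	UserInfoURL      string
	JWKSURL          string
}

// SampleDiscovery is a constructed discovery document for a public issuer.
const SampleDiscovery = `{
  "issuer": "https://idp.example.com",
  "authorization_endpoint": "https://idp.example.com/auth",
  "token_endpoint": "https://idp.example.com/token",
  "userinfo_endpoint": "https://idp.example.com/userinfo",
  "jwks_uri": "https://idp.example.com/keys",
  "end_session_endpoint": "https://idp.example.com/logout"
}`

// replaceURLBase rewrites raw from oldBase to newBase. Both bases are trimmed of
// trailing slashes first, so "https://idp.example.com/" and "https://idp.example.com"
// are treated alike. A URL that does not start with oldBase is returned unchanged.
func replaceURLBase(raw, oldBase, newBase string) string {
	oldBase = strings.TrimRight(oldBase, "/")
	newBase = strings.TrimRight(newBase, "/")
	if oldBase == "" || !strings.HasPrefix(raw, oldBase) {
		return raw
	}
	return newBase + strings.TrimPrefix(raw, oldBase)
}

// ResolveSplitMetadata parses a discovery document, requires its issuer to be
// exactly the configured canonical issuer (the same strict comparison the reply
// describes for go-oidc's NewProvider), then rewrites only the endpoints the
// server itself calls (token, userinfo, JWKS) to the internal base. The
// browser-facing authorization and end_session endpoints keep their public
// URLs, and explicit overrides take precedence over derivation. The returned
// Issuer is always the configured value, so ID-token "iss" validation does not
// depend on the internal URLs.
func ResolveSplitMetadata(discoveryJSON []byte, configuredIssuer, internalIssuer string, ov EndpointOverrides) (ProviderMetadata, error) {
	var md ProviderMetadata
	if err := json.Unmarshal(discoveryJSON, &md); err != nil {
		return ProviderMetadata{}, fmt.Errorf("oidc: parse discovery document: %w", err)
	}
	if md.Issuer != configuredIssuer {
		return ProviderMetadata{}, fmt.Errorf("oidc: issuer did not match the issuer returned by provider, expected %q got %q", configuredIssuer, md.Issuer)
	}
	if internalIssuer != "" {
		md.TokenEndpoint = replaceURLBase(md.TokenEndpoint, configuredIssuer, internalIssuer)
		md.UserInfoEndpoint = replaceURLBase(md.UserInfoEndpoint, configuredIssuer, internalIssuer)
		md.JWKSURI = replaceURLBase(md.JWKSURI, configuredIssuer, internalIssuer)
	}
	if ov.AuthorizationURL != "" {
		md.AuthorizationEndpoint = ov.AuthorizationURL
	}
	if ov.TokenURL != "" {
		md.TokenEndpoint = ov.TokenURL
	}
	if ov.UserInfoURL != "" {
		md.UserInfoEndpoint = ov.UserInfoURL
	}
	if ov.JWKSURL != "" {
		md.JWKSURI = ov.JWKSURL
	}
	md.Issuer = configuredIssuer
	return md, nil
}

func main() {
	// Constructed in-cluster address; the trailing slash is deliberate to show the trimming.
	md, err := ResolveSplitMetadata([]byte(SampleDiscovery), "https://idp.example.com", "http://dex.auth.svc.cluster.local:5556/", EndpointOverrides{})
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("issuer (for iss check): %s\n", md.Issuer)
	fmt.Printf("browser auth:   %s\n", md.AuthorizationEndpoint)
	fmt.Printf("browser logout: %s\n", md.EndSessionEndpoint)
	fmt.Printf("server token:   %s\n", md.TokenEndpoint)
	fmt.Printf("server jwks:    %s\n", md.JWKSURI)

	// A trailing-slash mismatch on the configured issuer is rejected at startup
	// rather than silently accepted, which is the behaviour the thread discusses.
	if _, err := ResolveSplitMetadata([]byte(SampleDiscovery), "https://idp.example.com/", "", EndpointOverrides{}); err != nil {
		fmt.Println("rejected:", err)
	}
}
```

The point a reviewer would check is that the rewrite touches only the three server-side URLs and that `Issuer` is pinned to the configured value before any verifier is built from it; an internal URL never becomes the expected `iss`, so a token minted for the internal hostname would still be rejected.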

@nadaverell nadaverell force-pushed the issue-981-oidc-split-urls branch from 02b600c to eeddded on June 28, 2026 14:45

Successfully merging this pull request may close these issues: Support separate browser-facing and server-side OIDC URLs, similar to Grafana Generic OAuth