OIDC SecurityPolicy.Issuer field stays on in-cluster URL; investigate iss-claim mismatch with Keycloak frontendUrl deployments

[dcmcand]

Context

PR #111 split the SecurityPolicy OIDC endpoint overrides into browser-facing (Authorization, EndSession - public URL via KEYCLOAK_EXTERNAL_URL) and back-channel (Token - in-cluster URL). The Issuer field was deliberately not changed: GetIssuerURL still returns the in-cluster realm URL.

Concern

When Keycloak is configured with a public frontendUrl (recommended for production), it issues tokens with the iss claim set to the public URL. Envoy's SecurityPolicy.spec.oidc.provider.issuer is the in-cluster URL. Whether this is a problem depends on whether Envoy Gateway's OAuth2 filter validates the iss claim against the configured Issuer field. The OAuth2 filter mainly uses Issuer for OIDC discovery, but downstream consumers (e.g., LLM serving pack JWT validation) may compare the iss claim against an expected issuer string.

Investigate

1. Does Envoy Gateway's OAuth2 filter validate `iss` against `provider.issuer` beyond using it for discovery? If yes, a mismatch will fail token validation.
2. Do downstream services that read the `id_token` cookie compare `iss` against an expected value?
3. Should `provider.Issuer` be set from `KEYCLOAK_EXTERNAL_URL` (matching the iss claim Keycloak actually emits), with discovery falling through to the externally-fetched well-known doc?

Acceptance

A clear answer to whether the Issuer field needs to track ExternalURL too, with a test case demonstrating the chosen behavior.

Reference

Surfaced during code review of #111. Validation of the Nebari LLM Serving Pack fresh-install runbook (nebari-dev/nebari-llm-serving-pack#65) is the originating context.

[tylerpotts]

Investigation complete — answer: No, provider.Issuer should not track KEYCLOAK_EXTERNAL_URL. The in-cluster issuer is correct; the mismatch with the public iss claim is invisible to the entire Envoy Gateway OIDC path. References for every claim below (Envoy Gateway pinned to v1.6.3, the version in our go.mod; Envoy pinned to v1.35.0 — the relevant code is unchanged through 1.39-dev).

1. Does Envoy Gateway's OAuth2 filter validate iss beyond discovery? No.

• The issuer is consumed only at control-plane time, to fetch the well-known document, and only when authorizationEndpoint or tokenEndpoint is missing. When both are provided (the operator sets both whenever KEYCLOAK_EXTERNAL_URL is configured), the else branch takes the user-provided values and EG never contacts the issuer: buildOIDCProvider, securitypolicy.go#L1437-L1473 @ v1.6.3. Discovery itself is a plain controller-pod HTTP GET of {issuer}/.well-known/openid-configuration: fetchEndpointsFromIssuer / discoverEndpointsFromIssuer, securitypolicy.go#L1547-L1590.
• The issuer never reaches the data plane: the IR built for the proxy carries only AuthorizationEndpoint, TokenEndpoint, and EndSessionEndpoint — no issuer field (securitypolicy.go#L1483-L1489).
• The Envoy oauth2 filter cannot validate iss even in principle: its config proto contains no issuer field at all (oauth.proto @ v1.35.0 — zero occurrences of "issuer"), and the filter source never inspects the claim; its only JWT decode is an unverified exp read for cookie lifetimes (getExpiresTimeForIdToken, filter.cc#L1073 @ v1.35.0; zero occurrences of "issuer" in the file). What it does validate is the state/CSRF parameters and the HMAC-signed session cookies — see the oauth2 filter docs.
• EG does not enforce the OIDC Discovery issuer-match rule (OpenID Connect Discovery 1.0 §4.3): OpenIDConfig unmarshals only the three endpoint fields — the document's issuer is not even decoded, and validate() checks only that the token/authorization endpoints are non-empty (securitypolicy.go#L1531-L1545). So a public issuer in the document served on the internal URL (Keycloak with frontendUrl/KC_HOSTNAME set returns the public issuer on every interface unless hostname-backchannel-dynamic is enabled — Keycloak hostname guide) is silently accepted.
• For contrast, strict iss enforcement exists only in Envoy's jwt_authn filter, which EG wires exclusively from SecurityPolicy.spec.jwt, never from spec.oidc: the JWT provider's issuer is optional and "If not provided, the JWT issuer is not checked" (jwt_types.go#L40-L43 @ v1.6.3); when set, it must equal the token's iss exactly (jwt_authn config docs: "If a JWT has iss field, it needs to be specified by this field in one of JwtProviders").

2. Do downstream id_token consumers compare iss? The strict ones do, and they're already served correctly.

• The LLM serving pack's key-manager parses the token without signature or issuer validation — "It does NOT validate signatures - Envoy Gateway handles that upstream" (middleware.go#L39-L43 @ 65083a6). No impact.
• The pack's operator generates a spec.jwt SecurityPolicy (Envoy jwt_authn, strict iss equality) with issuer + remoteJWKS from cfg.OIDCIssuerURL (auth.go#L131-L141 @ 65083a6). That value comes from a Helm value or falls back to the issuer-url key of the client Secret (operator-deployment.yaml#L35-L44) — which nebari-operator populates from GetExternalIssuerURL(), i.e. the public URL matching the emitted iss (keycloak.go#L118-L125, stored at keycloak.go#L286-L293).
• Caveat: that Secret key is empty when KEYCLOAK_EXTERNAL_URL is unset, so strict-iss consumers require it to be set.

3. Should provider.Issuer be set from KEYCLOAK_EXTERNAL_URL? No — pure regression.

With KEYCLOAK_EXTERNAL_URL set, both endpoint overrides are present (keycloak.go#L103-L116), so per the EG branch in point 1 the issuer is completely inert — changing it gains nothing. What it would change: in the fallback path (overrides incomplete), discovery would be fetched from the envoy-gateway controller pod against the public URL, reintroducing the public TLS-chain trust and hairpin-routing problems #111 deliberately avoided for the token endpoint.

---

#144 records the decision in code comments + docs and adds the tests required by the acceptance criteria (including the reconciler-level endpoint-split test from #113).