Commit 6cad0b5

Fix OAuth issuer discovery to comply with RFC 8414 and RFC 9728 (#1839)
- Add support for RFC 9728 Protected Resource Metadata discovery
- Fix issuer detection to properly handle cases where the metadata URL differs from the actual issuer (e.g., Stripe's case)
- Add resource_metadata parameter parsing from WWW-Authenticate header
- Implement FetchResourceMetadata to retrieve protected resource metadata
- Add ValidateAndDiscoverAuthServer to handle issuer validation and discovery
- Update OAuth flow to use pre-discovered endpoints when available
- Fix DeriveIssuerFromRealm to validate realm as a proper HTTPS URL
- Add DiscoverActualIssuer in OIDC package to handle issuer mismatch cases
- Add workaround for resource metadata that incorrectly lists authorization servers that don't match the actual issuer (validates each server and uses the discovered issuer)
- Update tests to reflect the new DeriveIssuerFromRealm function behavior

This fixes the bug where issuer detection was incorrectly trying to derive the issuer from the remote URL instead of using the realm parameter or fetching resource metadata as specified in the RFCs. The implementation now properly handles edge cases like Stripe's where the resource metadata URL hosts the authorization server metadata but the actual issuer identifier is different.

Signed-off-by: Juan Antonio Osorio <ozz@stacklok.com>
1 parent 16d75ce commit 6cad0b5

5 files changed, +839 -124 lines
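The discovery chain the commit message describes (take resource_metadata from the WWW-Authenticate challenge, fetch the RFC 9728 protected resource metadata, validate each listed authorization server's RFC 8414 document, and use the issuer that document declares rather than the URL it was fetched from, with the realm accepted as issuer only when it is a real HTTPS URL) is sketched below as an added example. It is not the project's code: ParseWWWAuthenticate, DeriveIssuerFromRealm and DiscoverAuthServer are hypothetical functions modelled on the names in the message, the hosts api.example, auth.example and login.example are constructed, and the fetch function is injected with an in-memory document map so the example runs offline.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
	"strings"
)

// ParseWWWAuthenticate extracts the auth-params of a Bearer challenge, e.g.
// Bearer realm="api", resource_metadata="https://api.example/.well-known/oauth-protected-resource"
func ParseWWWAuthenticate(header string) (map[string]string, error) {
	if !strings.HasPrefix(strings.ToLower(header), "bearer") {
		return nil, fmt.Errorf("not a Bearer challenge: %q", header)
	}
	params := map[string]string{}
	for _, part := range splitOutsideQuotes(header[len("bearer"):]) {
		if kv := strings.SplitN(strings.TrimSpace(part), "=", 2); len(kv) == 2 {
			params[strings.ToLower(strings.TrimSpace(kv[0]))] = strings.Trim(strings.TrimSpace(kv[1]), `"`)
		}
	}
	return params, nil
}

// splitOutsideQuotes splits on commas that are not inside double quotes.
func splitOutsideQuotes(s string) (parts []string) {
	start, quoted := 0, false
	for i := 0; i < len(s); i++ {
		if s[i] == '"' {
			quoted = !quoted
		} else if s[i] == ',' && !quoted {
			parts, start = append(parts, s[start:i]), i+1
		}
	}
	return append(parts, s[start:])
}

// DeriveIssuerFromRealm (hypothetical) accepts the realm only when it is an absolute HTTPS
// URL with a host and no query or fragment; a bare label such as realm="api" is rejected.
func DeriveIssuerFromRealm(realm string) (string, error) {
	u, err := url.Parse(realm)
	if err != nil || u.Scheme != "https" || u.Host == "" || u.RawQuery != "" || u.Fragment != "" {
		return "", fmt.Errorf("realm %q is not an HTTPS issuer URL", realm)
	}
	return strings.TrimRight(u.String(), "/"), nil
}

// AuthServerMetadata is the subset of RFC 8414 fields used here.
type AuthServerMetadata struct {
	Issuer                string `json:"issuer"`
	AuthorizationEndpoint string `json:"authorization_endpoint"`
	TokenEndpoint         string `json:"token_endpoint"`
}

// DiscoverAuthServer (hypothetical) follows the RFC 9728 chain: read the protected resource
// metadata, fetch each listed authorization server's RFC 8414 document, and keep the first
// that declares a valid HTTPS issuer and both endpoints. The issuer kept is the declared one.
func DiscoverAuthServer(resourceMetadataURL string, fetch func(string) ([]byte, error)) (*AuthServerMetadata, error) {
	body, err := fetch(resourceMetadataURL)
	if err != nil {
		return nil, err
	}
	var prm struct {
		AuthorizationServers []string `json:"authorization_servers"`
	}
	if err := json.Unmarshal(body, &prm); err != nil {
		return nil, fmt.Errorf("resource metadata: %w", err)
	}
	for _, server := range prm.AuthorizationServers {
		doc, err := fetch(strings.TrimRight(server, "/") + "/.well-known/oauth-authorization-server")
		if err != nil {
			continue // listed server publishes no metadata; try the next one
		}
		var asm AuthServerMetadata
		if json.Unmarshal(doc, &asm) != nil || asm.AuthorizationEndpoint == "" || asm.TokenEndpoint == "" {
			continue
		}
		if _, err := DeriveIssuerFromRealm(asm.Issuer); err == nil {
			return &asm, nil
		}
	}
	return nil, fmt.Errorf("no authorization server listed in %s published usable metadata", resourceMetadataURL)
}

// ConstructedFetch stands in for the network; hosts and documents are made up. The first listed
// server publishes nothing, and the second declares an issuer that differs from its metadata URL.
func ConstructedFetch(u string) ([]byte, error) {
	docs := map[string]string{
		"https://api.example/.well-known/oauth-protected-resource":   `{"authorization_servers":["https://api.example","https://auth.example"]}`,
		"https://auth.example/.well-known/oauth-authorization-server": `{"issuer":"https://login.example/tenant","authorization_endpoint":"https://login.example/tenant/authorize","token_endpoint":"https://login.example/tenant/token"}`,
	}
	if doc, ok := docs[u]; ok {
		return []byte(doc), nil
	}
	return nil, fmt.Errorf("constructed fetch: nothing at %s", u)
}

func main() {
	params, _ := ParseWWWAuthenticate(`Bearer realm="api", resource_metadata="https://api.example/.well-known/oauth-protected-resource"`)
	fmt.Println(DiscoverAuthServer(params["resource_metadata"], ConstructedFetch))
}
```

One caveat for anyone adopting the same workaround: RFC 8414 section 3.3 expects the issuer value inside the metadata document to equal the issuer used to build the metadata URL, and accepting a declared issuer that differs (as the commit describes for the Stripe case) widens trust to whatever that document says. A client doing this should still compare the chosen issuer against a configured allow-list or the iss of tokens it later receives, rather than trusting the discovered value unconditionally.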
