fix: use in-cluster URL for server-side OIDC requests #15

Merged
rcsheets merged 1 commit from fix/oidc-internal-url into main 2026-03-22 06:52:29 +00:00
Owner

The pod can't reach Keycloak via the external HTTPS URL because
Traefik's TLS cert isn't trusted from inside the cluster. Added
OIDC_INTERNAL_URL for server-side requests (metadata, token exchange,
JWKS) while browser redirects still use the external URL.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Collaborator

Automated review by pr-reviewer v0.14.1 | Safety Check | anthropic | tracking id r-bf915b-eaa611
This is an AI-generated review and may contain mistakes.

Status: Completed

Verdict: LGTM — The changes properly separate internal and external OIDC URLs to handle TLS certificate trust issues within the cluster.

Safety Check Review

This PR adds a new configuration option oidc_internal_url to handle OIDC requests from within the Kubernetes cluster using internal URLs while keeping browser redirects on external URLs.

Key changes:

  • Adds oidc_internal_url configuration option
  • Uses internal URL for server-side OIDC endpoints (token, userinfo, JWKS)
  • Keeps authorization URL external for browser redirects
  • Falls back to external URL if internal URL not configured

No safety concerns identified:

  • No exposed secrets or credentials
  • No breaking changes to existing functionality (fallback preserves current behavior)
  • Logic appears sound for addressing TLS certificate trust issues
  • No obvious security vulnerabilities introduced

The implementation correctly separates concerns between server-side and client-side OIDC flows.

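An added example, not the project's code, of the endpoint split the review describes: the server-side endpoints (token, userinfo, JWKS) are rewritten onto the in-cluster base, the authorization endpoint stays on the external base the browser can reach, and an unset internal URL falls back to the external one. The function names, the sample discovery document and the hostnames are assumptions; the expected `issuer` is deliberately left external, since ID tokens carry the issuer the IdP advertises, not the URL the pod fetched them from.

```python
"""Resolve OIDC endpoints for an app that reaches its IdP over two URLs.

Server-side calls (metadata, token exchange, userinfo, JWKS) use an
in-cluster base URL; the authorization endpoint keeps the external base
because the browser, not the pod, must reach it. With no internal URL
configured, everything falls back to the external URL.
"""
from typing import Optional
from urllib.parse import urlsplit, urlunsplit

# Endpoints the server itself calls; only these are rewritten.
SERVER_SIDE_KEYS = ("token_endpoint", "userinfo_endpoint", "jwks_uri")

# Constructed sample discovery document (shape follows Keycloak's layout).
EXTERNAL = "https://auth.example.com"
SAMPLE_METADATA = {
    "issuer": f"{EXTERNAL}/realms/demo",
    "authorization_endpoint": f"{EXTERNAL}/realms/demo/protocol/openid-connect/auth",
    "token_endpoint": f"{EXTERNAL}/realms/demo/protocol/openid-connect/token",
    "userinfo_endpoint": f"{EXTERNAL}/realms/demo/protocol/openid-connect/userinfo",
    "jwks_uri": f"{EXTERNAL}/realms/demo/protocol/openid-connect/certs",
}


def _swap_base(url: str, external_base: str, internal_base: str) -> str:
    """Replace scheme and host of `url` with those of `internal_base`, but
    only when `url` actually lives on `external_base`; a URL pointing at
    some other host is returned unchanged rather than silently redirected."""
    u, ext, intl = urlsplit(url), urlsplit(external_base), urlsplit(internal_base)
    if (u.scheme, u.netloc) != (ext.scheme, ext.netloc):
        return url
    return urlunsplit((intl.scheme, intl.netloc, u.path, u.query, u.fragment))


def resolve_endpoints(metadata: dict, oidc_url: str,
                      oidc_internal_url: Optional[str]) -> dict:
    """Return the endpoint map the application should use.

    `oidc_url` is the external base; `oidc_internal_url` is optional and,
    when unset, the external URL is used for everything (the fallback the
    PR describes). `issuer` and `authorization_endpoint` are never touched.
    """
    resolved = dict(metadata)
    if not oidc_internal_url:
        return resolved
    for key in SERVER_SIDE_KEYS:
        if key in resolved:
            resolved[key] = _swap_base(resolved[key], oidc_url, oidc_internal_url)
    return resolved
```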
rcsheets deleted branch fix/oidc-internal-url 2026-03-22 06:52:29 +00:00
Reference
brooktrails/pr-reviewer!15