studio/sbbb
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix(lasuite): use internal cluster URLs for OIDC backend endpoints

Browse Source 
Django backends call the OIDC token, userinfo, and JWKS endpoints
server-side. Pointing these at the public auth.DOMAIN_SUFFIX URL caused
an SSLError in pods because mkcert CA certificates are not trusted inside
containers.

Split the configmap entries:
- OIDC_OP_AUTHORIZATION_ENDPOINT and OIDC_OP_LOGOUT_ENDPOINT remain as
  public HTTPS URLs -- the browser navigates to these.
- OIDC_OP_TOKEN_ENDPOINT, OIDC_OP_USER_ENDPOINT, OIDC_OP_JWKS_ENDPOINT
  now point to http://hydra-public.ory.svc.cluster.local:4444 -- Django
  calls these directly, bypassing the proxy and its TLS certificate.

Affects all La Suite apps (docs, people) that use lasuite-oidc-provider.
This commit is contained in:
Sienna Meridian Satterwhite
2026-03-03 14:31:21 +00:00
parent 2e89854f86
commit 8113e504ba
1 changed files with 15 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

22
base/lasuite/shared-config.yaml
View File

@@ -35,21 +35,29 @@ data:
AWS_DEFAULT_ACL: private
---
# ── Hydra OIDC provider endpoints ───────────────────────────────────────────
# All La Suite apps use mozilla-django-oidc. These vars point to Hydra public
# endpoints via the proxy, so external DOMAIN_SUFFIX URLs work from inside the
# cluster without split-DNS.
# DOMAIN_SUFFIX is substituted by sed at deploy time.
# All La Suite apps use mozilla-django-oidc.
#
# Browser-facing endpoints (authorization, logout) use the public DOMAIN_SUFFIX
# URL so the browser can navigate to the Hydra login page.
#
# Backend-to-backend endpoints (token, userinfo, jwks) use the internal cluster
# service URL so Django never makes TLS connections to the proxy — it bypasses
# the sslip.io certificate entirely. No OIDC_VERIFY_SSL workaround required.
#
# DOMAIN_SUFFIX is substituted at deploy time (browser URLs only).
apiVersion: v1
kind: ConfigMap
metadata:
name: lasuite-oidc-provider
namespace: lasuite
data:
OIDC_OP_JWKS_ENDPOINT: https://auth.DOMAIN_SUFFIX/.well-known/jwks.json
# Browser navigates to these — must be public HTTPS URLs.
OIDC_OP_AUTHORIZATION_ENDPOINT: https://auth.DOMAIN_SUFFIX/oauth2/auth
OIDC_OP_TOKEN_ENDPOINT: https://auth.DOMAIN_SUFFIX/oauth2/token
OIDC_OP_USER_ENDPOINT: https://auth.DOMAIN_SUFFIX/userinfo
OIDC_OP_LOGOUT_ENDPOINT: https://auth.DOMAIN_SUFFIX/oauth2/sessions/logout
# Django calls these server-side — use internal cluster URL (no TLS required).
OIDC_OP_TOKEN_ENDPOINT: http://hydra-public.ory.svc.cluster.local:4444/oauth2/token
OIDC_OP_USER_ENDPOINT: http://hydra-public.ory.svc.cluster.local:4444/userinfo
OIDC_OP_JWKS_ENDPOINT: http://hydra-public.ory.svc.cluster.local:4444/.well-known/jwks.json
OIDC_RP_SIGN_ALGO: RS256
OIDC_RP_SCOPES: openid email profile
OIDC_VERIFY_SSL: "true"