diff --git a/base/lasuite/shared-config.yaml b/base/lasuite/shared-config.yaml index 88dbb4d..1a453a1 100644 --- a/base/lasuite/shared-config.yaml +++ b/base/lasuite/shared-config.yaml @@ -35,21 +35,29 @@ data: AWS_DEFAULT_ACL: private --- # ── Hydra OIDC provider endpoints ─────────────────────────────────────────── -# All La Suite apps use mozilla-django-oidc. These vars point to Hydra public -# endpoints via the proxy, so external DOMAIN_SUFFIX URLs work from inside the -# cluster without split-DNS. -# DOMAIN_SUFFIX is substituted by sed at deploy time. +# All La Suite apps use mozilla-django-oidc. +# +# Browser-facing endpoints (authorization, logout) use the public DOMAIN_SUFFIX +# URL so the browser can navigate to the Hydra login page. +# +# Backend-to-backend endpoints (token, userinfo, jwks) use the internal cluster +# service URL so Django never makes TLS connections to the proxy — it bypasses +# the sslip.io certificate entirely. No OIDC_VERIFY_SSL workaround required. +# +# DOMAIN_SUFFIX is substituted at deploy time (browser URLs only). apiVersion: v1 kind: ConfigMap metadata: name: lasuite-oidc-provider namespace: lasuite data: - OIDC_OP_JWKS_ENDPOINT: https://auth.DOMAIN_SUFFIX/.well-known/jwks.json + # Browser navigates to these — must be public HTTPS URLs. OIDC_OP_AUTHORIZATION_ENDPOINT: https://auth.DOMAIN_SUFFIX/oauth2/auth - OIDC_OP_TOKEN_ENDPOINT: https://auth.DOMAIN_SUFFIX/oauth2/token - OIDC_OP_USER_ENDPOINT: https://auth.DOMAIN_SUFFIX/userinfo OIDC_OP_LOGOUT_ENDPOINT: https://auth.DOMAIN_SUFFIX/oauth2/sessions/logout + # Django calls these server-side — use internal cluster URL (no TLS required). + OIDC_OP_TOKEN_ENDPOINT: http://hydra-public.ory.svc.cluster.local:4444/oauth2/token + OIDC_OP_USER_ENDPOINT: http://hydra-public.ory.svc.cluster.local:4444/userinfo + OIDC_OP_JWKS_ENDPOINT: http://hydra-public.ory.svc.cluster.local:4444/.well-known/jwks.json OIDC_RP_SIGN_ALGO: RS256 OIDC_RP_SCOPES: openid email profile OIDC_VERIFY_SSL: "true"