diff --git a/pkg/oidc/client.go b/pkg/oidc/client.go
index b6065ec66f..a6fdb6d2a4 100644
--- a/pkg/oidc/client.go
+++ b/pkg/oidc/client.go
@@ -139,6 +139,11 @@ func (c *oidcClient) lookupWellKnownOpenidConfiguration(ctx context.Context) err
 			algs = append(algs, a)
 		}
 	}
+
+	if c.JWKSOptions.Uri != "" {
+		p.JwksURI = c.JWKSOptions.Uri
+	}
+
 	c.provider = &p
 	c.algorithms = algs
 	c.remoteKeySet = goidc.NewRemoteKeySet(goidc.ClientContext(ctx, c.httpClient), p.JwksURI)
diff --git a/services/proxy/pkg/config/config.go b/services/proxy/pkg/config/config.go
index cdaa3e81e7..89a57f0924 100644
--- a/services/proxy/pkg/config/config.go
+++ b/services/proxy/pkg/config/config.go
@@ -124,6 +124,7 @@ type OIDC struct {
 }
 
 type JWKS struct {
+	Uri              string `yaml:"uri" env:"PROXY_OIDC_JWKS_URI" desc:"An override for the JWKS URI endpoint of the IDP. This is used to fetch the public keys needed to verify JWT access tokens." introductionVersion:"6.2.0"`
 	RefreshInterval  uint64 `yaml:"refresh_interval" env:"PROXY_OIDC_JWKS_REFRESH_INTERVAL" desc:"The interval for refreshing the JWKS (JSON Web Key Set) in minutes in the background via a new HTTP request to the IDP." introductionVersion:"1.0.0"`
 	RefreshTimeout   uint64 `yaml:"refresh_timeout" env:"PROXY_OIDC_JWKS_REFRESH_TIMEOUT" desc:"The timeout in seconds for an outgoing JWKS request." introductionVersion:"1.0.0"`
 	RefreshRateLimit uint64 `yaml:"refresh_limit" env:"PROXY_OIDC_JWKS_REFRESH_RATE_LIMIT" desc:"Limits the rate in seconds at which refresh requests are performed for unknown keys. This is used to prevent malicious clients from imposing high network load on the IDP via OpenCloud." introductionVersion:"1.0.0"`
diff --git a/services/proxy/pkg/config/defaults/defaultconfig.go b/services/proxy/pkg/config/defaults/defaultconfig.go
index 187e52be6f..c93e30f751 100644
--- a/services/proxy/pkg/config/defaults/defaultconfig.go
+++ b/services/proxy/pkg/config/defaults/defaultconfig.go
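Review bot: The value copied into `p.JwksURI` inside the new `if c.JWKSOptions.Uri != ""` block is not validated, so a malformed or relative override only surfaces later when `goidc.NewRemoteKeySet` cannot fetch keys, and the `jwks_uri` from the discovery document is replaced silently. Because the keys fetched from this URL are what verifies access tokens, it is worth failing fast here: `if _, err := url.ParseRequestURI(c.JWKSOptions.Uri); err != nil {` / `return fmt.Errorf("invalid JWKS URI override %q: %w", c.JWKSOptions.Uri, err)` / `}` before the assignment (the hunk header suggests the function returns an error; `net/url` would need importing if it is not already). A comment such as `// operator-supplied override; replaces the jwks_uri from the discovery document` would also make the precedence explicit to the next reader. lookupWellKnownOpenidConfiguration starts before the hunk and continues past it.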
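Review bot: The new field is named `Uri`, which breaks Go's initialism convention and is inconsistent with the `p.JwksURI` it is assigned to in pkg/oidc/client.go in this same change; renaming it to `URI string` keeps the yaml and env tags untouched, so the rename is confined to Go code (the uses in client.go and defaults/defaultconfig.go would follow). The desc tag could also state what an operator needs to know: that when set, the jwks_uri from the IDP discovery document is ignored and the keys used to verify tokens are fetched from this URL, so it must point at a trusted endpoint. The JWKS struct opens in the hunk but its closing brace is outside it.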
@@ -51,6 +51,7 @@ func DefaultConfig() *config.Config {
 				TTL: time.Second * 10,
 			},
 			JWKS: config.JWKS{
+				Uri:              "",
 				RefreshInterval:  60, // minutes
 				RefreshRateLimit: 60, // seconds
 				RefreshTimeout:   10, // seconds
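Review bot: `Uri: ""` only restates the zero value, and unlike its sibling fields it carries no trailing comment saying what the default means; if it is kept for completeness, a comment such as `Uri: "", // empty: use the jwks_uri from the IDP discovery document` tells the reader what the empty string selects. DefaultConfig starts and ends outside the hunk.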