fix(oidc): add override option for JWKS URI

pkg/oidc/client.go

@@ -100,7 +100,7 @@
 	}
 }
 
 func (c *oidcClient) lookupWellKnownOpenidConfiguration(ctx context.Context) error {
 	c.providerLock.Lock()
 	defer c.providerLock.Unlock()
 	if c.provider == nil {
@@ -139,6 +139,11 @@
 				algs = append(algs, a)
 			}
 		}
+
+		if c.JWKSOptions.Uri != "" {
+			p.JwksURI = c.JWKSOptions.Uri
+		}
+
 		c.provider = &p
 		c.algorithms = algs
 		c.remoteKeySet = goidc.NewRemoteKeySet(goidc.ClientContext(ctx, c.httpClient), p.JwksURI)

services/proxy/pkg/config/config.go

@@ -124,6 +124,7 @@ type OIDC struct {
 }
 
 type JWKS struct {
+	Uri               string `yaml:"uri" env:"PROXY_OIDC_JWKS_URI" desc:"An override for the JWKS URI endpoint of the IDP. This is used to fetch the public keys needed to verify JWT access tokens." introductionVersion:"6.2.0"`
 	RefreshInterval   uint64 `yaml:"refresh_interval" env:"PROXY_OIDC_JWKS_REFRESH_INTERVAL" desc:"The interval for refreshing the JWKS (JSON Web Key Set) in minutes in the background via a new HTTP request to the IDP." introductionVersion:"1.0.0"`
 	RefreshTimeout    uint64 `yaml:"refresh_timeout" env:"PROXY_OIDC_JWKS_REFRESH_TIMEOUT" desc:"The timeout in seconds for an outgoing JWKS request." introductionVersion:"1.0.0"`
 	RefreshRateLimit  uint64 `yaml:"refresh_limit" env:"PROXY_OIDC_JWKS_REFRESH_RATE_LIMIT" desc:"Limits the rate in seconds at which refresh requests are performed for unknown keys. This is used to prevent malicious clients from imposing high network load on the IDP via OpenCloud." introductionVersion:"1.0.0"`

services/proxy/pkg/config/defaults/defaultconfig.go

@@ -51,6 +51,7 @@ func DefaultConfig() *config.Config {
 				TTL:      time.Second * 10,
 			},
 			JWKS: config.JWKS{
+				Uri:               "",
 				RefreshInterval:   60, // minutes
 				RefreshRateLimit:  60, // seconds
 				RefreshTimeout:    10, // seconds