
Not able to add OIDC which does not allow OpenID Connect Discovery #3905

Closed
3 of 5 tasks
rohit-patel-tw opened this issue May 2, 2024 · 2 comments
Labels
bug Something is not working.

Comments


rohit-patel-tw commented May 2, 2024

Ory Network Project

No response

Describe the bug

As per the comments in https://github.com/ory/kratos/blob/master/selfservice/strategy/oidc/provider_config.go
it says we can use auth_url and token_url in case the OAuth2 / OpenID Connect server does not support OpenID Connect Discovery. So, I have tried with the below config for an external OAuth provider, and I am getting an error that the issuer URL cannot be empty.

{
  "id": "2c48fa02-142b-4ec2-9be5-56ae4d97b05d",
  "error": {
    "code": 500,
    "status": "Internal Server Error",
    "reason": "Unable to initialize OpenID Connect Provider: Get \"/.well-known/openid-configuration\": unsupported protocol scheme \"\"",
    "message": "An internal server error occurred, please contact the system administrator"
  },
  "created_at": "2024-04-25T11:34:37.346379Z",
  "updated_at": "2024-04-25T11:34:37.346379Z"
}

It looks like issuer_url is mandatory for generic OIDC. I have tried to perform this with Keycloak with individual endpoints, and it does work.

Reproducing the bug

  1. Run the ory kratos quick start with UI
  2. Add a generic OIDC provider as per the config below
  3. Sign up using generic OIDC

Relevant configuration

###########################################################################
#######             FOR DEMONSTRATION PURPOSES ONLY                 #######
###########################################################################

version: "3.7"
services:

  ### KRATOS ###
  kratos-migrate:
    image: oryd/kratos:v1.1.0
    environment:
      - DSN=sqlite:///var/lib/sqlite/db.sqlite?_fk=true&mode=rwc
    volumes:
      - type: volume
        source: kratos-sqlite
        target: /var/lib/sqlite
        read_only: false
      - type: bind
        source: ./config
        target: /etc/config/kratos
    command: -c /etc/config/kratos/kratos.yml migrate sql -e --yes
    restart: on-failure
    networks:
      - intranet
  kratos-selfservice-ui-node:
    image: oryd/kratos-selfservice-ui-node:v1.1.0
    ports:
      - "4455:4455"
    environment:
      - PORT=4455
      - HYDRA_ADMIN_URL=http://hydra:4445
      - KRATOS_PUBLIC_URL=http://kratos:4433
      - KRATOS_BROWSER_URL=http://127.0.0.1:4433
      - COOKIE_SECRET=changeme
      - CSRF_COOKIE_NAME=cookie_name
      - CSRF_COOKIE_SECRET=changeme
      - DANGEROUSLY_DISABLE_SECURE_CSRF_COOKIES=true
    networks:
      - intranet
    restart: on-failure
  kratos:
    depends_on:
      - kratos-migrate
    image: oryd/kratos:v1.1.0
    ports:
      - '4433:4433' # public
      - '4434:4434' # admin
    restart: unless-stopped
    environment:
      - DSN=sqlite:///var/lib/sqlite/db.sqlite?_fk=true
      - LOG_LEVEL=trace
    command: serve -c /etc/config/kratos/kratos.yml --dev --watch-courier
    volumes:
      - type: volume
        source: kratos-sqlite
        target: /var/lib/sqlite
        read_only: false
      - type: bind
        source: ./config
        target: /etc/config/kratos
    networks:
      - intranet

  ### HYDRA ###
  
  hydra:
    image: oryd/hydra:v2.2.0
    ports:
      - "4444:4444" # Public port
      - "4445:4445" # Admin port
      - "5555:5555" # Port for hydra token user
    command: serve -c /etc/config/hydra/hydra.yml all --dev
    volumes:
      - type: volume
        source: hydra-sqlite
        target: /var/lib/sqlite
        read_only: false
      - type: bind
        source: ./config
        target: /etc/config/hydra
    environment:
      - DSN=sqlite:///var/lib/sqlite/db.sqlite?_fk=true
    restart: unless-stopped
    depends_on:
      - hydra-migrate
    networks:
      - intranet
  hydra-migrate:
    image: oryd/hydra:v2.2.0
    environment:
      - DSN=sqlite:///var/lib/sqlite/db.sqlite?_fk=true
    command: migrate -c /etc/config/hydra/hydra.yml sql -e --yes
    volumes:
      - type: volume
        source: hydra-sqlite
        target: /var/lib/sqlite
        read_only: false
      - type: bind
        source: ./config
        target: /etc/config/hydra
    restart: on-failure
    networks:
      - intranet

networks:
  intranet:
volumes:
  hydra-sqlite:
  kratos-sqlite:
########## kratos.yml
version: v1.1.0

dsn: memory

serve:
  public:
    base_url: http://127.0.0.1:4433
    cors:
      enabled: true
  admin:
    base_url: http://127.0.0.1:4434

selfservice:
  default_browser_return_url: http://127.0.0.1:4455/
  allowed_return_urls:
    - http://127.0.0.1:4455

  methods:
    password:
      enabled: true
      config:
        min_password_length: 6
        identifier_similarity_check_enabled: false
        haveibeenpwned_enabled: false
    oidc:
      config:
        providers:
          - client_id: sandbox_stage
            client_secret: sandbox_stage
            id: u6ZEcp7W
            # have tried both with empty string and deleting the entry completely
            issuer_url: ""
            auth_url: https://stg-id.uaepass.ae/idshub/authorize
            token_url: https://stg-id.uaepass.ae/idshub/token
            label: uea-pass
            mapper_url: https://storage.googleapis.com/bac-gcs-production/0d878eabc6b5fb37a6e1f35ab40c9936c2306fa273c97c452188059e2cbde2ed52bcf11287710f14ab4df68ec8afe1512807ef9d853d71b1ece53fe8656b9497.jsonnet
            provider: generic
            scope:
              - urn:uae:digitalid:profile:general urn:uae:digitalid:profile:general:profileType urn:uae:digitalid:profile:general:unifiedId
            claims_source: userinfo
      enabled: true

  flows:
    error:
      ui_url: http://127.0.0.1:4455/error

    settings:
      ui_url: http://127.0.0.1:4455/settings
      privileged_session_max_age: 15m
      required_aal: highest_available

    logout:
      after:
        default_browser_return_url: http://127.0.0.1:4455/login

    login:
      ui_url: http://127.0.0.1:4455/login

    registration:
      ui_url: http://127.0.0.1:4455/registration
      after:
        password:
          hooks:
            - hook: session

log:
  level: trace
  format: text
  leak_sensitive_values: true

secrets:
  cookie:
    - PLEASE-CHANGE-ME-I-AM-VERY-INSECURE
  cipher:
    - 32-LONG-SECRET-NOT-SECURE-AT-ALL

identity:
  default_schema_id: default
  schemas:
    - id: default
      url: file:///etc/config/kratos/identity.schema.json

courier:
  smtp:
    connection_uri: smtps://test:test@mailslurper:1025/?skip_ssl_verify=true

oauth2_provider:
  url: http://hydra:4445

Version

v1.0.0

On which operating system are you observing this issue?

macOS

In which environment are you deploying?

Docker Compose

Additional Context

No response

@rohit-patel-tw rohit-patel-tw added the bug Something is not working. label May 2, 2024
@rohit-patel-tw rohit-patel-tw changed the title Unable to initialize OpenID Connect Provider: oidc: failed to decode provider discovery object Not able to add OIDC which does not allow OpenID Connect Discovery May 6, 2024
jonas-jonas (Contributor) commented

This seems to be an issue with the provider, as Kratos needs to fetch the openid configuration from the provider. Unfortunately, your provider doesn't seem to be supplying the file at the usual URLs (such as https://stg-id.uaepass.ae/.well-known/openid-configuration or https://stg-id.uaepass.ae/idshub/.well-known/openid-configuration).

Please talk to the provider on this.
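The two comments above describe the same failure from both ends: the configured provider has no document at `/.well-known/openid-configuration`, and with `issuer_url` left empty the relying party ends up asking net/http to GET a path with no scheme, which is the `unsupported protocol scheme ""` text in the error object. The Go program below is an added example, not Kratos's own code, showing what a relying party has to do at this point: reject a non-absolute `issuer_url` before making any request, fetch the discovery document, report a provider that answers 404 as "no discovery document", and, most importantly for security, refuse a document whose `issuer` field is not identical to the URL used for discovery (the check OpenID Connect Discovery 1.0 section 4.3 requires, which prevents a document served from one host from pointing the client at another party's endpoints). The `NewFakeProvider` test double, its `/idshub/...` endpoint paths and the `attacker.example` issuer are constructed for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// Discovery is the subset of OpenID Provider Metadata a relying party needs
// before it can run an authorization code flow against a generic provider.
type Discovery struct {
	Issuer                string `json:"issuer"`
	AuthorizationEndpoint string `json:"authorization_endpoint"`
	TokenEndpoint         string `json:"token_endpoint"`
	JWKSURI               string `json:"jwks_uri"`
}

// discoveryURL appends the well-known path to the issuer as OpenID Connect
// Discovery 1.0 section 4.1 prescribes (a trailing slash is removed first).
func discoveryURL(issuer string) string {
	return strings.TrimSuffix(issuer, "/") + "/.well-known/openid-configuration"
}

// RawFetchError reproduces the failure from the issue: fetching the discovery
// document without validating issuer_url first. With an empty issuer the
// request URL is just "/.well-known/openid-configuration" and net/http fails
// with `unsupported protocol scheme ""` before any connection is made.
func RawFetchError(issuer string) string {
	_, err := http.Get(discoveryURL(issuer))
	if err == nil {
		return ""
	}
	return err.Error()
}

// absoluteEndpoint rejects relative URLs, and plain http anywhere except
// loopback (loopback is allowed only so the test double below can be used),
// so a discovery document cannot send tokens to an unencrypted endpoint.
func absoluteEndpoint(name, raw string) error {
	u, err := url.Parse(raw)
	if err != nil || u.Scheme == "" || u.Host == "" {
		return fmt.Errorf("%s %q is not an absolute URL", name, raw)
	}
	ip := net.ParseIP(u.Hostname())
	loopback := u.Hostname() == "localhost" || (ip != nil && ip.IsLoopback())
	if u.Scheme != "https" && !loopback {
		return fmt.Errorf("%s %q must use https", name, raw)
	}
	return nil
}

// FetchDiscovery fetches and validates the provider metadata for issuer.
// The exact-match issuer comparison is the security-relevant step: a
// document that claims a different issuer is treated as an issuer mix-up.
func FetchDiscovery(client *http.Client, issuer string) (*Discovery, error) {
	if err := absoluteEndpoint("issuer_url", issuer); err != nil {
		return nil, err
	}
	resp, err := client.Get(discoveryURL(issuer))
	if err != nil {
		return nil, fmt.Errorf("discovery request failed: %w", err)
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("provider has no discovery document at %s (HTTP %d)",
			discoveryURL(issuer), resp.StatusCode)
	}
	var d Discovery
	if err := json.NewDecoder(resp.Body).Decode(&d); err != nil {
		return nil, fmt.Errorf("failed to decode provider discovery object: %w", err)
	}
	if d.Issuer != issuer {
		return nil, fmt.Errorf("issuer mismatch: configured %q, document says %q", issuer, d.Issuer)
	}
	for name, ep := range map[string]string{
		"authorization_endpoint": d.AuthorizationEndpoint,
		"token_endpoint":         d.TokenEndpoint,
		"jwks_uri":               d.JWKSURI,
	} {
		if err := absoluteEndpoint(name, ep); err != nil {
			return nil, err
		}
	}
	return &d, nil
}

// NewFakeProvider is a constructed test double, not a real identity provider.
// serveDiscovery=false mimics the provider in the issue (404 on the well-known
// path). issuerClaim overrides the "issuer" field in the served document; an
// empty string means the honest case, claiming the server's own URL.
func NewFakeProvider(issuerClaim string, serveDiscovery bool) *httptest.Server {
	var srv *httptest.Server
	srv = httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !serveDiscovery || r.URL.Path != "/.well-known/openid-configuration" {
			http.NotFound(w, r)
			return
		}
		iss := issuerClaim
		if iss == "" {
			iss = srv.URL
		}
		_ = json.NewEncoder(w).Encode(Discovery{
			Issuer:                iss,
			AuthorizationEndpoint: srv.URL + "/idshub/authorize",
			TokenEndpoint:         srv.URL + "/idshub/token",
			JWKSURI:               srv.URL + "/idshub/jwks",
		})
	}))
	return srv
}

func main() {
	fmt.Println("empty issuer_url, unvalidated:", RawFetchError(""))
	honest := NewFakeProvider("", true)
	defer honest.Close()
	d, err := FetchDiscovery(honest.Client(), honest.URL)
	fmt.Println("honest provider:", d.TokenEndpoint, err)
	noDisc := NewFakeProvider("", false)
	defer noDisc.Close()
	_, err = FetchDiscovery(noDisc.Client(), noDisc.URL)
	fmt.Println("provider without discovery:", err)
}
```

The strict `d.Issuer != issuer` comparison means the configured `issuer_url` must be written exactly as the provider publishes it (no trailing slash if the document has none); relaxing that comparison is what turns a misconfiguration into a mix-up attack surface, so treat a mismatch as a configuration error to fix on the config side, not as something to normalise away in code.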

jonas-jonas (Contributor) commented May 7, 2024

If your provider is not able to provide the necessary discovery files, please talk to your Ory sales representative or reach out to sales@ory.sh. cc @vinckr
