docs(server): document the OIDC SSRF guard env vars (#88)#93
Merged
Conversation
Plugwerk 1.0.0-beta.3 added an SSRF guard around OIDC discovery
and stored issuer/endpoint URIs (rejects private/loopback/link-
local/metadata-service hosts at write and read time, with
configurable hostname blocklists and a brute-force escape hatch).
Three new env vars need documentation:
- PLUGWERK_AUTH_OIDC_ALLOW_PRIVATE_DISCOVERY_URIS (default false)
- PLUGWERK_AUTH_OIDC_BLOCKED_HOST_NAMES (replace-only)
- PLUGWERK_AUTH_OIDC_BLOCKED_HOST_SUFFIXES (replace-only)
server/configuration.mdx:
- Three new rows in the Optional Environment Variables table, each
pointing at the new dedicated section via #oidc-ssrf-guard.
- New "OIDC SSRF guard" section after the table:
* Table of what is hardcoded vs configurable (RFC 1918, loopback,
link-local incl. AWS/GCP/Azure metadata, ULA IPv6, IPv4-mapped
IPv6 → all hardcoded; two hostname lists → configurable).
* `:::caution` block on the replace-only semantics — the most
likely operator footgun ("set BLOCKED_HOST_SUFFIXES to my
corporate suffix" silently drops the entire default list).
* Two override examples from the issue (drop `.internal` because
it is legitimate public; add a corporate suffix on top of the
defaults — full union spelled out).
* Escape-hatch sub-block with the literal startup WARN line and
the explicit production-must-stay-false reminder.
server/oidc-providers.mdx:
- Prerequisites: new bullet on the publicly-resolvable issuer host,
pointing at the configuration page for the override surface.
- Local Keycloak `<Aside>`: explicit
`PLUGWERK_AUTH_OIDC_ALLOW_PRIVATE_DISCOVERY_URIS=true` snippet,
with the production reminder.
- Security and best practices: new bullet on the SSRF guard,
explaining the metadata-endpoint threat model so the operator
knows *why* the default is `false`.
- Troubleshooting: new entry "Issuer URI host is blocked" with two
fix paths (public IdP → check the replace-only blocklists; local
IdP → escape hatch).
Property names and defaults verified against the actual source at
v1.0.0-beta.3 (OidcSsrfPolicy.kt) — env var prefix is AUTH_OIDC,
not SECURITY_OIDC as the issue title (now corrected) suggested.
Closes #88
This was referenced May 13, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Closes #88.
Plugwerk 1.0.0-beta.3 added an SSRF guard around OIDC discovery and stored issuer/endpoint URIs. The guard rejects private (RFC 1918), loopback, link-local (incl. AWS/GCP/Azure metadata at
169.254.169.254), and ULA IPv6 hosts at write time and at every registry refresh, plus two configurable hostname blocklists, plus a brute-force escape hatch.The release notes (already shipped in PR #91) call out that the SSRF guard exists. This PR is the operator-facing reference for the three new env vars.
Files changed
server/configuration.mdxserver/oidc-providers.mdx<Aside>, Security best-practices, Troubleshooting — each gets a targeted SSRF-guard pointer to the configuration sectionNo other pages touched.
What the new section covers
:::caution. This is the most likely operator footgun: settingBLOCKED_HOST_SUFFIXESto a corporate suffix silently drops every default. Two override examples (drop a single default; add a corporate suffix on top of the defaults — full union spelled out).ALLOW_PRIVATE_DISCOVERY_URIS=true, plus the production-must-stay-false reminder.Why correct env-var prefix is
PLUGWERK_AUTH_OIDC_*The issue title said
PLUGWERK_SECURITY_OIDC_*; the body saidPLUGWERK_AUTH_OIDC_*. Verified against the actual source atv1.0.0-beta.3:plugwerk-server/.../security/url/OidcSsrfPolicy.kt—@Value("\${plugwerk.auth.oidc.allow-private-discovery-uris:false}")etc.localhost,metadata.google.internal,metadataforBLOCKED_HOST_NAMES,.localhost,.local,.lan,.internalforBLOCKED_HOST_SUFFIXES,falsefor the escape hatch.Issue title was edited to
docs: document PLUGWERK_AUTH_OIDC_* SSRF guard env varsto match. Source files read for accuracy, not cited in the docs (per AGENTS.md no-internal-link rule). Internal-link grep returns 0 hits in the new content.Acceptance criteria from #88
<Aside>in oidc-providers.mdx)Out of scope
oidc-providers.mdxBest practices, the configuration-surface content underconfiguration.mdx. If a dedicated security page is wanted later, this content can be lifted into it without rewriting.Test plan
npm run formatcleannpm run format:checkcleannpm run buildclean (31 pages)#oidc-ssrf-guardrendered on/server/configuration//server/oidc-providers/resolve to that anchor/server/configuration/#oidc-ssrf-guardand verify the:::cautionblock renders, the table looks readable, the twobashexamples render/server/oidc-providers/, verify the Local-Keycloak<Aside>now contains the env-var snippet, Prerequisites + Best-practices + Troubleshooting all carry their new SSRF pointer