feat(iam): retry OIDC discovery with issuer URL slash variants#2360
Merged
loverustfs
approved these changes
Apr 1, 2026
Pull request overview
Improves OIDC provider discovery robustness when the configured issuer differs from the IdP’s canonical issuer only by a trailing slash, by retrying discovery with slash/no-slash issuer variants and returning a more detailed aggregated error when all attempts fail.
Changes:
- Retry `CoreProviderMetadata::discover_async` using issuer URL candidates with and without a trailing slash.
- Log per-attempt discovery failures and return an aggregated "all variants failed" error message.
- Add unit tests for issuer candidate generation and async validation tests using a minimal local HTTP mock server.
CLA requirements are satisfied for this pull request.
I have read and agree to the CLA.
added 3 commits on April 3, 2026 00:12
Made-with: Cursor
- Exit mock thread after idle timeout once at least one request completed
- Read HTTP request until header terminator or 8KB cap
- Rename request_limit to max_requests; keep absolute 500ms safety cap
Made-with: Cursor
Made-with: Cursor
loverustfs
approved these changes
Apr 3, 2026
Related Issues: #2349
Summary of Changes
OIDC provider discovery could fail when the issuer derived from `config_url` differed from the IdP discovery document's canonical `issuer` only by a trailing slash (common across providers). `discover_provider` now tries both variants (no trailing slash, then with trailing slash) before failing, logs each failed attempt, and returns an aggregated error when all variants fail. Added `issuer_candidates` unit tests and async tests with a minimal local HTTP mock for `validate_oidc_provider_config`.
Checklist
- make pre-commit
Impact
N/A — no intentional API or configuration breaking changes. Successful discovery still stores the same `CoreProviderMetadata` as returned by the IdP; JWT issuer matching via `normalize_issuer` is unchanged.
Additional Notes
Verification (local):
`cargo test -p rustfs-iam oidc`
`make pre-commit` was not run in this session; please rely on CI for fmt/clippy/full tests.
Thank you for your contribution! Please ensure your PR follows the community standards (CODE_OF_CONDUCT.md) and sign the CLA if this is your first contribution.
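The retry shape described in this PR (candidates without and then with a trailing slash, an issuer check on each discovery result, and one aggregated error carrying every attempt) as a stand-alone illustration. This is an added example, not rustfs code: `issuer_candidates` is named in the PR but its signature here is assumed, and `ProviderMetadata`, `DiscoveryFailed`, `discover_with_variants`, `mock_idp` and `unreachable_idp` are hypothetical names introduced for the example. The `fetch` closure stands in for the real network call (`CoreProviderMetadata::discover_async` in rustfs); the byte-for-byte comparison of the document's `issuer` against the URL used is the OIDC Discovery rule that makes a trailing-slash mismatch fail in the first place, and it is kept here so a retry cannot accept a document for a different issuer. The IdP behaviours are constructed, not captured from any provider.

```rust
use std::fmt;

/// The two discovery-document fields this example cares about.
#[derive(Debug, Clone, PartialEq)]
pub struct ProviderMetadata {
    pub issuer: String,
    pub jwks_uri: String,
}

/// Aggregated failure: one (candidate issuer, error) pair per attempt, so the
/// operator sees which variant hit which error instead of only the last one.
#[derive(Debug)]
pub struct DiscoveryFailed {
    pub attempts: Vec<(String, String)>,
}

impl fmt::Display for DiscoveryFailed {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        write!(f, "OIDC discovery failed for all issuer variants:")?;
        for (candidate, err) in &self.attempts {
            write!(f, " [{candidate}: {err}]")?;
        }
        Ok(())
    }
}

/// Issuer variants to try, in the order the PR describes: no trailing slash
/// first, then with one. Trailing slashes are collapsed so both candidates
/// derive from the same path; nothing else about the URL is rewritten.
/// (Assumed signature; rustfs's own helper may differ.)
pub fn issuer_candidates(issuer: &str) -> Vec<String> {
    let base = issuer.trim().trim_end_matches('/');
    vec![base.to_string(), format!("{base}/")]
}

/// Run discovery against each candidate until one succeeds. `fetch` stands in
/// for the network call. The document's `issuer` must equal the candidate
/// exactly; a document for any other issuer is recorded as a failed attempt.
pub fn discover_with_variants<F>(
    configured: &str,
    fetch: F,
) -> Result<ProviderMetadata, DiscoveryFailed>
where
    F: Fn(&str) -> Result<ProviderMetadata, String>,
{
    let mut attempts = Vec::new();
    for candidate in issuer_candidates(configured) {
        match fetch(candidate.as_str()) {
            Ok(doc) if doc.issuer == candidate => return Ok(doc),
            Ok(doc) => attempts.push((
                candidate,
                format!("issuer mismatch: document says {:?}", doc.issuer),
            )),
            Err(e) => attempts.push((candidate, e)),
        }
    }
    Err(DiscoveryFailed { attempts })
}

/// Constructed stand-in for an IdP whose canonical issuer is `canonical`.
/// Like many real providers it answers both URL forms with the same document,
/// so the slash difference surfaces only as an `issuer` mismatch, not a 404.
pub fn mock_idp(canonical: &'static str) -> impl Fn(&str) -> Result<ProviderMetadata, String> {
    move |url: &str| {
        if url.trim_end_matches('/') == canonical.trim_end_matches('/') {
            Ok(ProviderMetadata {
                issuer: canonical.to_string(),
                jwks_uri: format!("{}/certs", canonical.trim_end_matches('/')),
            })
        } else {
            Err("404 Not Found".to_string())
        }
    }
}

/// Constructed stand-in for an IdP that cannot be reached at all.
pub fn unreachable_idp(_url: &str) -> Result<ProviderMetadata, String> {
    Err("connection refused".to_string())
}

fn main() {
    // Configured without a slash, IdP canonical issuer has one: second variant wins.
    let slashy = mock_idp("https://login.example/tenant/v2.0/");
    match discover_with_variants("https://login.example/tenant/v2.0", slashy) {
        Ok(doc) => println!("discovered issuer {}", doc.issuer),
        Err(e) => println!("{e}"),
    }
    // Nothing listening: both attempts are reported, not just the last.
    if let Err(e) = discover_with_variants("https://down.example", unreachable_idp) {
        println!("{e}");
    }
}
```

Two points worth keeping in mind when reviewing a retry like this. The variant set is deliberately narrow: both candidates share scheme, host and path, so the retry does not widen which issuer the deployment will trust; a loop that also tried other schemes or hosts would. And whichever variant succeeds is the issuer the provider metadata now carries, so the later `iss` comparison on tokens has to tolerate the same trailing-slash difference (the PR notes that `normalize_issuer` handles that side and is unchanged).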