Skip to content

Allow HTTP upstream OIDC issuers for in-cluster dev environments#5787

Merged
ChrisJBurns merged 3 commits into
mainfrom
github-issue-resolution-request
Jul 13, 2026
Merged

Allow HTTP upstream OIDC issuers for in-cluster dev environments#5787
ChrisJBurns merged 3 commits into
mainfrom
github-issue-resolution-request

Conversation

@ChrisJBurns

Copy link
Copy Markdown
Collaborator

Summary

  • The embedded auth server hard-required HTTPS for non-localhost upstream OIDC issuers with no override, making it impossible to federate to an in-cluster dev IdP (e.g. Dex) served over HTTP in a kind/k8s cluster where TLS is not available.
  • Adds a per-upstream insecure_allow_http field to OIDCUpstreamRunConfig so operators can opt in per-upstream rather than only globally.
  • Fixes validateDiscoveryDocument / validateEndpointOrigin — the two remaining enforcement points that previously blocked HTTP endpoints in the discovery document even when the global InsecureAllowHTTP flag was already set.

Type of change

  • Bug fix (non-breaking change which fixes an issue)

Changes

File Change
pkg/authserver/config.go Add InsecureAllowHTTP to OIDCUpstreamRunConfig
pkg/authserver/runner/embeddedauthserver.go OR global + per-upstream flag in buildOIDCConfig
pkg/authserver/upstream/oidc.go Thread insecureAllowHTTP through validateDiscoveryDocument and validateEndpointOrigin; allow HTTP endpoints when true
pkg/authserver/upstream/oidc_test.go Update test signatures; add cases for HTTP endpoint allowance with and without the flag

Test plan

  • Ran go test ./pkg/authserver/... — all pass
  • Ran go vet ./pkg/authserver/... — clean
  • Ran task lint — no new warnings
  • Added unit test cases for the new behaviour in TestValidateEndpointOrigin (HTTP allowed with flag, HTTP rejected without) and TestValidateDiscoveryDocument (HTTP discovery doc rejected without flag, allowed with flag)

Does this introduce a user-facing change?

Operators can now set insecure_allow_http: true on an individual OIDC upstream in the authserver RunConfig to federate to a plain-HTTP in-cluster IdP. Default behaviour (HTTPS required) is unchanged.

upstreams:
  - name: dev-idp
    type: oidc
    oidc_config:
      issuer_url: http://dex.my-ns.svc.cluster.local:5556
      insecure_allow_http: true   # dev only

Special notes for reviewers

The global RunConfig.InsecureAllowHTTP already existed and relaxes the authserver's own issuer URL as well as upstream issuer validation — but validateDiscoveryDocument / validateEndpointOrigin were not wired to it, so the discovered HTTP endpoints in the discovery document were still rejected even when the flag was set. This PR closes that gap and adds the per-upstream surface for finer-grained control.

Closes #5776

Generated with Claude Code

Adds per-upstream insecure_allow_http to OIDCUpstreamRunConfig and
threads it through to validateDiscoveryDocument / validateEndpointOrigin,
the two remaining enforcement points that previously blocked HTTP even
when the global or per-upstream flag was set.

The fix has two parts:
- OIDCUpstreamRunConfig.InsecureAllowHTTP (new): per-upstream opt-in
  for plain-HTTP upstream issuers, OR'd with the global
  RunConfig.InsecureAllowHTTP in buildOIDCConfig so either level enables
  the relaxation.
- validateDiscoveryDocument / validateEndpointOrigin now accept an
  insecureAllowHTTP parameter and skip the HTTPS-scheme check when true,
  allowing an in-cluster Dex instance served over HTTP to pass discovery
  document validation.

Closes #5776

Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
@github-actions github-actions Bot added the size/XS Extra small PR: < 100 lines changed label Jul 13, 2026
Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
@github-actions github-actions Bot added size/S Small PR: 100-299 lines changed and removed size/XS Extra small PR: < 100 lines changed labels Jul 13, 2026
Comment thread pkg/authserver/upstream/oidc.go
tgrunnagle
tgrunnagle previously approved these changes Jul 13, 2026
Mirrors the same per-upstream opt-in added to OIDCUpstreamRunConfig,
so a single OAuth2 upstream can permit plain-HTTP endpoints without
enabling the global InsecureAllowHTTP flag.

Also regenerates swagger docs for the new field.

Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
@github-actions github-actions Bot added size/S Small PR: 100-299 lines changed and removed size/S Small PR: 100-299 lines changed labels Jul 13, 2026
@codecov

codecov Bot commented Jul 13, 2026

Copy link
Copy Markdown

Codecov Report

❌ Patch coverage is 63.63636% with 4 lines in your changes missing coverage. Please review.
✅ Project coverage is 70.74%. Comparing base (687ce42) to head (19048bb).

Files with missing lines Patch % Lines
pkg/authserver/upstream/oidc.go 55.55% 0 Missing and 4 partials ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##             main    #5787      +/-   ##
==========================================
- Coverage   70.78%   70.74%   -0.04%     
==========================================
  Files         684      684              
  Lines       69353    69355       +2     
==========================================
- Hits        49091    49067      -24     
- Misses      16654    16695      +41     
+ Partials     3608     3593      -15     

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

size/S Small PR: 100-299 lines changed

Projects

None yet

Development

Successfully merging this pull request may close these issues.

authserver: opt-in insecure_allow_http for a plain-HTTP upstream OIDC issuer (local/in-cluster dev IdP)

2 participants