Allow HTTP upstream OIDC issuers for in-cluster dev environments#5787
Merged
Conversation
Adds per-upstream insecure_allow_http to OIDCUpstreamRunConfig and threads it through to validateDiscoveryDocument / validateEndpointOrigin, the two remaining enforcement points that previously blocked HTTP even when the global or per-upstream flag was set. The fix has two parts: - OIDCUpstreamRunConfig.InsecureAllowHTTP (new): per-upstream opt-in for plain-HTTP upstream issuers, OR'd with the global RunConfig.InsecureAllowHTTP in buildOIDCConfig so either level enables the relaxation. - validateDiscoveryDocument / validateEndpointOrigin now accept an insecureAllowHTTP parameter and skip the HTTPS-scheme check when true, allowing an in-cluster Dex instance served over HTTP to pass discovery document validation. Closes #5776 Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
tgrunnagle
reviewed
Jul 13, 2026
tgrunnagle
previously approved these changes
Jul 13, 2026
Mirrors the same per-upstream opt-in added to OIDCUpstreamRunConfig, so a single OAuth2 upstream can permit plain-HTTP endpoints without enabling the global InsecureAllowHTTP flag. Also regenerates swagger docs for the new field. Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
tgrunnagle
approved these changes
Jul 13, 2026
Codecov Report❌ Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #5787 +/- ##
==========================================
- Coverage 70.78% 70.74% -0.04%
==========================================
Files 684 684
Lines 69353 69355 +2
==========================================
- Hits 49091 49067 -24
- Misses 16654 16695 +41
+ Partials 3608 3593 -15 ☔ View full report in Codecov by Harness. 🚀 New features to boost your workflow:
|
This was referenced Jul 13, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
insecure_allow_httpfield toOIDCUpstreamRunConfigso operators can opt in per-upstream rather than only globally.validateDiscoveryDocument/validateEndpointOrigin— the two remaining enforcement points that previously blocked HTTP endpoints in the discovery document even when the globalInsecureAllowHTTPflag was already set.Type of change
Changes
pkg/authserver/config.goInsecureAllowHTTPtoOIDCUpstreamRunConfigpkg/authserver/runner/embeddedauthserver.gobuildOIDCConfigpkg/authserver/upstream/oidc.goinsecureAllowHTTPthroughvalidateDiscoveryDocumentandvalidateEndpointOrigin; allow HTTP endpoints when truepkg/authserver/upstream/oidc_test.goTest plan
go test ./pkg/authserver/...— all passgo vet ./pkg/authserver/...— cleantask lint— no new warningsTestValidateEndpointOrigin(HTTP allowed with flag, HTTP rejected without) andTestValidateDiscoveryDocument(HTTP discovery doc rejected without flag, allowed with flag)Does this introduce a user-facing change?
Operators can now set
insecure_allow_http: trueon an individual OIDC upstream in the authserverRunConfigto federate to a plain-HTTP in-cluster IdP. Default behaviour (HTTPS required) is unchanged.Special notes for reviewers
The global
RunConfig.InsecureAllowHTTPalready existed and relaxes the authserver's own issuer URL as well as upstream issuer validation — butvalidateDiscoveryDocument/validateEndpointOriginwere not wired to it, so the discovered HTTP endpoints in the discovery document were still rejected even when the flag was set. This PR closes that gap and adds the per-upstream surface for finer-grained control.Closes #5776
Generated with Claude Code