Requests related to Oauth OIDC Discovery do not include a User-Agent header

[soldenburg-godaddy]

Hello! It seems that requests related to OIDC discovery (i.e. /.well-known/oauth-authorization-server) are not including a User-Agent header. There is also no configuration available to enable setting such a header.

This can be a problem in environments where a WAF is configured to block requests missing such a header.

If this is something open to discussion I would be willing to introduce a PR adding this header in an appropriate manner.

Thanks for your consideration!

[gocamille]

Thanks for the issue report @soldenburg-godaddy! This is a great suggestion to improve WAF compatibility, and we appreciate you raising it!

You're correct that we don't currently set a User-Agent header on OIDC discovery requests. While the specs (RFC 8414, OIDC Discovery) don't mandate this header, we understand it's a practical requirement in environments with WAF rules enabled.

Before implementing, we want to carefully consider the security implications—specifically around version disclosure and client fingerprinting. We're exploring approaches that might include making this configurable, but don't have a concrete implementation or timeline to share yet.

We appreciate your offer to contribute a PR! We'd ask that you hold off until we've aligned internally on the approach—we'll update this issue with guidance once we're ready to accept contributions.

Feel free to subscribe if you'd like to stay updated—we'll post here as our plans take shape.

Thanks again for the thoughtful suggestion!

[soldenburg-godaddy]

Thanks very much @gocamille , will keep eyes on this issue.