feat: add --oidc-issuer-url-override flag

Signed-off-by: kahirokunn <[email protected]>

Author: kahirokunn

pkg/cmd/get_token.go

@@ -14,6 +14,7 @@ import (
 // getTokenOptions represents the options for get-token command.
 type getTokenOptions struct {
 	IssuerURL             string
+	IssuerURLOverride     string
 	ClientID              string
 	ClientSecret          string
 	ExtraScopes           []string
@@ -26,6 +27,7 @@ type getTokenOptions struct {
 
 func (o *getTokenOptions) addFlags(f *pflag.FlagSet) {
 	f.StringVar(&o.IssuerURL, "oidc-issuer-url", "", "Issuer URL of the provider (mandatory)")
+	f.StringVar(&o.IssuerURLOverride, "oidc-issuer-url-override", "", "Override Issuer URL")
 	f.StringVar(&o.ClientID, "oidc-client-id", "", "Client ID of the provider (mandatory)")
 	f.StringVar(&o.ClientSecret, "oidc-client-secret", "", "Client secret of the provider")
 	f.StringSliceVar(&o.ExtraScopes, "oidc-extra-scope", nil, "Scopes to request to the provider")
@@ -75,11 +77,12 @@ func (cmd *GetToken) New() *cobra.Command {
 			}
 			in := credentialplugin.Input{
 				Provider: oidc.Provider{
-					IssuerURL:    o.IssuerURL,
-					ClientID:     o.ClientID,
-					ClientSecret: o.ClientSecret,
-					UsePKCE:      o.UsePKCE,
-					ExtraScopes:  o.ExtraScopes,
+					IssuerURL:         o.IssuerURL,
+					IssuerURLOverride: o.IssuerURLOverride,
+					ClientID:          o.ClientID,
+					ClientSecret:      o.ClientSecret,
+					UsePKCE:           o.UsePKCE,
+					ExtraScopes:       o.ExtraScopes,
 				},
 				TokenCacheDir:   o.TokenCacheDir,
 				GrantOptionSet:  grantOptionSet,

pkg/cmd/setup.go

@@ -11,6 +11,7 @@ import (
 // setupOptions represents the options for setup command.
 type setupOptions struct {
 	IssuerURL             string
+	IssuerURLOverride     string
 	ClientID              string
 	ClientSecret          string
 	ExtraScopes           []string
@@ -21,6 +22,7 @@ type setupOptions struct {
 
 func (o *setupOptions) addFlags(f *pflag.FlagSet) {
 	f.StringVar(&o.IssuerURL, "oidc-issuer-url", "", "Issuer URL of the provider")
+	f.StringVar(&o.IssuerURLOverride, "oidc-issuer-url-override", "", "Overrided Issuer URL of the provider")
 	f.StringVar(&o.ClientID, "oidc-client-id", "", "Client ID of the provider")
 	f.StringVar(&o.ClientSecret, "oidc-client-secret", "", "Client secret of the provider")
 	f.StringSliceVar(&o.ExtraScopes, "oidc-extra-scope", nil, "Scopes to request to the provider")
@@ -45,13 +47,14 @@ func (cmd *Setup) New() *cobra.Command {
 				return fmt.Errorf("setup: %w", err)
 			}
 			in := setup.Stage2Input{
-				IssuerURL:       o.IssuerURL,
-				ClientID:        o.ClientID,
-				ClientSecret:    o.ClientSecret,
-				ExtraScopes:     o.ExtraScopes,
-				UsePKCE:         o.UsePKCE,
-				GrantOptionSet:  grantOptionSet,
-				TLSClientConfig: o.tlsOptions.tlsClientConfig(),
+				IssuerURL:         o.IssuerURL,
+				IssuerURLOverride: o.IssuerURLOverride,
+				ClientID:          o.ClientID,
+				ClientSecret:      o.ClientSecret,
+				ExtraScopes:       o.ExtraScopes,
+				UsePKCE:           o.UsePKCE,
+				GrantOptionSet:    grantOptionSet,
+				TLSClientConfig:   o.tlsOptions.tlsClientConfig(),
 			}
 			if c.Flags().Lookup("listen-address").Changed {
 				in.ListenAddressArgs = o.authenticationOptions.ListenAddress

pkg/oidc/client/factory.go

@@ -52,6 +52,11 @@ func (f *Factory) New(ctx context.Context, p oidc.Provider, tlsClientConfig tlsc
 	}
 
 	ctx = context.WithValue(ctx, oauth2.HTTPClient, httpClient)
+
+	if p.IssuerURLOverride != "" {
+		ctx = gooidc.InsecureIssuerURLContext(ctx, p.IssuerURLOverride)
+	}
+
 	provider, err := gooidc.NewProvider(ctx, p.IssuerURL)
 	if err != nil {
 		return nil, fmt.Errorf("oidc discovery error: %w", err)

pkg/oidc/oidc.go

@@ -11,11 +11,12 @@ import (
 
 // Provider represents an OIDC provider.
 type Provider struct {
-	IssuerURL    string
-	ClientID     string
-	ClientSecret string   // optional
-	ExtraScopes  []string // optional
-	UsePKCE      bool     // optional
+	IssuerURL         string
+	IssuerURLOverride string   // optional
+	ClientID          string
+	ClientSecret      string   // optional
+	ExtraScopes       []string // optional
+	UsePKCE           bool     // optional
 }
 
 // TokenSet represents a set of ID token and refresh token.

pkg/usecases/setup/stage2.go

@@ -65,11 +65,13 @@ type stage2Vars struct {
 	ClientID          string
 	Args              []string
 	Subject           string
+	IssuerURLOverride string
 }
 
 // Stage2Input represents an input DTO of the stage2.
 type Stage2Input struct {
 	IssuerURL         string
+	IssuerURLOverride string
 	ClientID          string
 	ClientSecret      string
 	ExtraScopes       []string // optional
@@ -83,11 +85,12 @@ func (u *Setup) DoStage2(ctx context.Context, in Stage2Input) error {
 	u.Logger.Printf("authentication in progress...")
 	out, err := u.Authentication.Do(ctx, authentication.Input{
 		Provider: oidc.Provider{
-			IssuerURL:    in.IssuerURL,
-			ClientID:     in.ClientID,
-			ClientSecret: in.ClientSecret,
-			ExtraScopes:  in.ExtraScopes,
-			UsePKCE:      in.UsePKCE,
+			IssuerURL:         in.IssuerURL,
+			IssuerURLOverride: in.IssuerURLOverride,
+			ClientID:          in.ClientID,
+			ClientSecret:      in.ClientSecret,
+			ExtraScopes:       in.ExtraScopes,
+			UsePKCE:           in.UsePKCE,
 		},
 		GrantOptionSet:  in.GrantOptionSet,
 		TLSClientConfig: in.TLSClientConfig,
@@ -103,6 +106,7 @@ func (u *Setup) DoStage2(ctx context.Context, in Stage2Input) error {
 	v := stage2Vars{
 		IDTokenPrettyJSON: idTokenClaims.Pretty,
 		IssuerURL:         in.IssuerURL,
+		IssuerURLOverride: in.IssuerURLOverride,
 		ClientID:          in.ClientID,
 		Args:              makeCredentialPluginArgs(in),
 		Subject:           idTokenClaims.Subject,
@@ -118,6 +122,7 @@ func (u *Setup) DoStage2(ctx context.Context, in Stage2Input) error {
 func makeCredentialPluginArgs(in Stage2Input) []string {
 	var args []string
 	args = append(args, "--oidc-issuer-url="+in.IssuerURL)
+	args = append(args, "--oidc-issuer-url-override="+in.IssuerURL)
 	args = append(args, "--oidc-client-id="+in.ClientID)
 	if in.ClientSecret != "" {
 		args = append(args, "--oidc-client-secret="+in.ClientSecret)