Merge pull request #1665 from meridianhub/fix-dex-subdomain

bjcoombs · web-flow · commit 58fd8841a55b · 2026-03-14T12:30:05.000Z
fix: Exempt /dex/ OIDC endpoints from tenant subdomain resolution
diff --git a/shared/platform/gateway/tenant_resolver.go b/shared/platform/gateway/tenant_resolver.go
@@ -67,13 +67,13 @@ type tenantRepository interface {
 }
 
 // platformPaths lists URL path prefixes that operate at the platform level
-// (e.g., tenant creation, listing tenants) and do not require tenant context.
-// Requests matching these prefixes bypass tenant resolution entirely.
-// Both REST (gRPC-Gateway transcoding) and Connect/gRPC paths are listed
-// because the Vanguard transcoder accepts requests in either format.
+// (e.g., tenant creation, identity provider endpoints) and do not require
+// tenant context. Requests matching these prefixes bypass tenant resolution
+// entirely.
 var platformPaths = []string{
 	"/v1/tenants",                        // REST transcoding path
 	"/meridian.tenant.v1.TenantService/", // Connect/gRPC path
+	"/dex/",                              // Embedded OIDC identity provider
 }
 
 // IsPlatformPath returns true if the request path is a platform-level endpoint
diff --git a/shared/platform/gateway/tenant_resolver_test.go b/shared/platform/gateway/tenant_resolver_test.go
@@ -938,6 +938,12 @@ func TestIsPlatformPath(t *testing.T) {
 	assert.True(t, IsPlatformPath("/meridian.tenant.v1.TenantService/CreateTenant"))
 	assert.True(t, IsPlatformPath("/meridian.tenant.v1.TenantService/GetTenant"))
 
+	// Dex OIDC identity provider paths
+	assert.True(t, IsPlatformPath("/dex/auth"))
+	assert.True(t, IsPlatformPath("/dex/callback"))
+	assert.True(t, IsPlatformPath("/dex/keys"))
+	assert.True(t, IsPlatformPath("/dex/token"))
+
 	// Non-platform paths
 	assert.False(t, IsPlatformPath("/v1/accounts"))
 	assert.False(t, IsPlatformPath("/v1/parties"))
