feat(custom-oidc): support non-standard discovery URLs (#2573)

## What kind of change does this PR introduce?

Feature

## What is the current behavior?

`discoveryUrl` is only validated during provider creation (admin
endpoint)

## What is the new behavior?

use `discoveryUrl` while making the actual OIDC discovery too

## Summary
- Adds `OIDCProviderCache.GetProviderFromURL` so custom OIDC providers
can fetch their discovery document from any URL, not just
`{issuer}/.well-known/openid-configuration`.
- Custom OIDC providers now always route through this path; the URL is
sourced from `CustomOAuthProvider.GetDiscoveryURL()` (which falls back
to the standard path when no override is configured).
- Bounds discovery fetches with a 10s HTTP timeout and verifies the
document's `issuer` matches the configured one before constructing the
provider.

Author: cemalkilic

internal/api/custom_oauth_admin.go

@@ -2,12 +2,9 @@ package api
 
 import (
 	"context"
-	"encoding/json"
-	"io"
 	"net/http"
 	"slices"
 	"strings"
-	"time"
 
 	"github.com/go-chi/chi/v5"
 	popslices "github.com/gobuffalo/pop/v6/slices"
@@ -666,61 +663,34 @@ func validateAuthorizationParams(params map[string]interface{}) error {
 	return nil
 }
 
-// maxDiscoveryResponseSize is the maximum size of an OIDC discovery response body (1 MB).
-const maxDiscoveryResponseSize = 1 << 20
-
-// discoveryFetchTimeout is the timeout for fetching an OIDC discovery document.
-const discoveryFetchTimeout = 10 * time.Second
-
-// fetchAndValidateDiscovery fetches the OIDC discovery document from the
-// provider's discovery URL and validates that it contains the required fields
-// per the OpenID Connect Discovery 1.0 specification. It also verifies that
-// the issuer in the discovery document matches the expected issuer.
+// fetchAndValidateDiscovery fetches the OIDC discovery document via the shared
+// utility, then applies admin-only validation: required fields per the OpenID
+// Connect Discovery 1.0 spec must be present before we persist the document.
+// Returns *models.OIDCDiscovery so the caller can store it directly.
 func fetchAndValidateDiscovery(ctx context.Context, discoveryURL, expectedIssuer string) (*models.OIDCDiscovery, error) {
-	resp, err := utilities.FetchURLWithTimeout(ctx, discoveryURL, discoveryFetchTimeout)
+	doc, err := utilities.FetchAndValidateOIDCDiscovery(ctx, discoveryURL, expectedIssuer)
 	if err != nil {
 		return nil, apierrors.NewBadRequestError(
 			apierrors.ErrorCodeValidationFailed,
-			"Failed to fetch OIDC discovery document from %q: %v", discoveryURL, err,
-		)
-	}
-	defer resp.Body.Close()
-
-	if resp.StatusCode != http.StatusOK {
-		return nil, apierrors.NewBadRequestError(
-			apierrors.ErrorCodeValidationFailed,
-			"OIDC discovery endpoint %q returned HTTP %d, expected 200", discoveryURL, resp.StatusCode,
+			"OIDC discovery from %q failed: %v", discoveryURL, err,
 		)
 	}
 
-	body, err := io.ReadAll(io.LimitReader(resp.Body, maxDiscoveryResponseSize))
-	if err != nil {
-		return nil, apierrors.NewBadRequestError(
-			apierrors.ErrorCodeValidationFailed,
-			"Failed to read OIDC discovery response from %q", discoveryURL,
-		)
-	}
-
-	var discovery models.OIDCDiscovery
-	if err := json.Unmarshal(body, &discovery); err != nil {
-		return nil, apierrors.NewBadRequestError(
-			apierrors.ErrorCodeValidationFailed,
-			"OIDC discovery document from %q is not valid JSON", discoveryURL,
-		)
-	}
-
-	// Validate required fields per OpenID Connect Discovery 1.0 spec
+	// Validate required fields per OpenID Connect Discovery 1.0 spec.
+	// Stricter than the runtime path needs — runtime can tolerate missing
+	// fields and surface a less helpful error at login; admin should reject
+	// the configuration up front.
 	var missing []string
-	if discovery.Issuer == "" {
+	if doc.Issuer == "" {
 		missing = append(missing, "issuer")
 	}
-	if discovery.AuthorizationEndpoint == "" {
+	if doc.AuthorizationEndpoint == "" {
 		missing = append(missing, "authorization_endpoint")
 	}
-	if discovery.TokenEndpoint == "" {
+	if doc.TokenEndpoint == "" {
 		missing = append(missing, "token_endpoint")
 	}
-	if discovery.JwksURI == "" {
+	if doc.JwksURI == "" {
 		missing = append(missing, "jwks_uri")
 	}
 	if len(missing) > 0 {
@@ -730,16 +700,17 @@ func fetchAndValidateDiscovery(ctx context.Context, discoveryURL, expectedIssuer
 		)
 	}
 
-	// The issuer in the discovery document MUST exactly match the expected issuer
-	// per OpenID Connect Discovery 1.0, Section 4.3.
-	if discovery.Issuer != expectedIssuer {
-		return nil, apierrors.NewBadRequestError(
-			apierrors.ErrorCodeValidationFailed,
-			"OIDC discovery issuer mismatch: discovery document reports %q but expected %q", discovery.Issuer, expectedIssuer,
-		)
-	}
-
-	return &discovery, nil
+	return &models.OIDCDiscovery{
+		Issuer:                 doc.Issuer,
+		AuthorizationEndpoint:  doc.AuthorizationEndpoint,
+		TokenEndpoint:          doc.TokenEndpoint,
+		UserinfoEndpoint:       doc.UserinfoEndpoint,
+		JwksURI:                doc.JwksURI,
+		ScopesSupported:        doc.ScopesSupported,
+		ResponseTypesSupported: doc.ResponseTypesSupported,
+		GrantTypesSupported:    doc.GrantTypesSupported,
+		SubjectTypesSupported:  doc.SubjectTypesSupported,
+	}, nil
 }
 
 // validateAttributeMapping ensures no sensitive system fields are targeted

internal/api/external.go

@@ -690,8 +690,7 @@ func (a *API) loadCustomProvider(ctx context.Context, db *storage.Connection, id
 	config := a.config
 	var pConfig conf.OAuthProviderConfiguration
 
-	// Build the redirect URL
-	redirectURL := config.API.ExternalURL + "/callback"
+	redirectURL := strings.TrimRight(config.API.ExternalURL, "/") + "/callback"
 
 	// Parse scopes (space-separated per RFC 6749)
 	var scopeList []string
@@ -765,14 +764,14 @@ func (a *API) loadCustomProvider(ctx context.Context, db *storage.Connection, id
 	}
 
 	// Create custom OIDC provider instance
-	// oidc.NewProvider() will automatically fetch discovery document
 	p, err := provider.NewCustomOIDCProvider(
 		ctx,
 		customProvider.ClientID,
 		clientSecret,
 		redirectURL,
 		scopeList,
 		*customProvider.Issuer,
+		customProvider.GetDiscoveryURL(),
 		customProvider.PKCEEnabled,
 		customProvider.AcceptableClientIDs,
 		customProvider.AttributeMapping,

internal/api/provider/custom_oauth.go

@@ -110,12 +110,16 @@ type CustomOIDCProvider struct {
 	authorizationParams map[string]interface{}
 }
 
-// NewCustomOIDCProvider creates a new custom OIDC provider
+// NewCustomOIDCProvider creates a new custom OIDC provider.
+// discoveryURL is the URL to fetch the OIDC discovery document from
+// (typically {issuer}/.well-known/openid-configuration, or an admin-configured
+// override).
 func NewCustomOIDCProvider(
 	ctx context.Context,
 	clientID, clientSecret, redirectURL string,
 	scopes []string,
 	issuer string,
+	discoveryURL string,
 	pkceEnabled bool,
 	acceptableClientIDs []string,
 	attributeMapping, authorizationParams map[string]interface{},
@@ -133,8 +137,7 @@ func NewCustomOIDCProvider(
 		scopes = append([]string{"openid"}, scopes...)
 	}
 
-	// Create OIDC provider - uses cache to avoid redundant discovery fetches
-	oidcProvider, err := cache.GetProvider(ctx, issuer)
+	oidcProvider, err := cache.GetProviderFromURL(ctx, issuer, discoveryURL)
 	if err != nil {
 		return nil, fmt.Errorf("failed to create OIDC provider: %w", err)
 	}

internal/api/provider/custom_oauth_test.go

@@ -6,6 +6,7 @@ import (
 	"net/http"
 	"net/http/httptest"
 	"testing"
+	"time"
 
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
@@ -274,11 +275,12 @@ func TestNewCustomOIDCProvider(t *testing.T) {
 		"https://myapp.com/callback",
 		[]string{"profile", "email"}, // Without openid
 		server.URL, // issuer
+		server.URL + "/.well-known/openid-configuration",
 		true, // PKCE enabled
 		[]string{"ios-client", "android-client"},
 		map[string]interface{}{"email": "user_email"},
 		map[string]interface{}{"prompt": "consent"},
-		NewOIDCProviderCache(0),
+		newTestOIDCProviderCache(t, 0),
 	)
 
 	require.NoError(t, err)
@@ -403,6 +405,7 @@ func TestCustomOIDCProvider_AuthCodeURL(t *testing.T) {
 		"https://myapp.com/callback",
 		[]string{"openid", "profile"},
 		server.URL, // issuer
+		server.URL + "/.well-known/openid-configuration",
 		false,
 		nil,
 		nil,
@@ -412,7 +415,7 @@ func TestCustomOIDCProvider_AuthCodeURL(t *testing.T) {
 			"ui_locales": "en",
 			"login_hint": "user@example.com",
 		},
-		NewOIDCProviderCache(0),
+		newTestOIDCProviderCache(t, 0),
 	)
 
 	require.NoError(t, err)
@@ -431,6 +434,48 @@ func TestCustomOIDCProvider_AuthCodeURL(t *testing.T) {
 	assert.Contains(t, authURL, "login_hint=user")
 }
 
+func TestNewCustomOIDCProvider_CustomDiscoveryURL(t *testing.T) {
+	var server *httptest.Server
+	server = httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		switch r.URL.Path {
+		case "/custom-discovery":
+			w.Header().Set("Content-Type", "application/json")
+			json.NewEncoder(w).Encode(map[string]interface{}{
+				"issuer":                 server.URL,
+				"authorization_endpoint": server.URL + "/custom-authorize",
+				"token_endpoint":         server.URL + "/custom-token",
+				"userinfo_endpoint":      server.URL + "/custom-userinfo",
+				"jwks_uri":               server.URL + "/jwks",
+			})
+		case "/jwks":
+			w.Header().Set("Content-Type", "application/json")
+			json.NewEncoder(w).Encode(map[string]interface{}{"keys": []interface{}{}})
+		default:
+			http.NotFound(w, r)
+		}
+	}))
+	defer server.Close()
+
+	p, err := NewCustomOIDCProvider(
+		context.Background(),
+		"test-client-id",
+		"test-secret",
+		"https://myapp.com/callback",
+		[]string{"openid"},
+		server.URL,
+		server.URL+"/custom-discovery",
+		false,
+		nil, nil, nil,
+		newTestOIDCProviderCache(t, time.Hour),
+	)
+	require.NoError(t, err)
+	require.NotNil(t, p)
+
+	assert.Equal(t, server.URL+"/custom-authorize", p.config.Endpoint.AuthURL)
+	assert.Equal(t, server.URL+"/custom-token", p.config.Endpoint.TokenURL)
+	assert.Equal(t, server.URL+"/custom-userinfo", p.userinfoEndpoint)
+}
+
 func TestCustomOIDCProvider_RequiresPKCE(t *testing.T) {
 	// Mock OIDC provider server
 	var server *httptest.Server
@@ -461,11 +506,12 @@ func TestCustomOIDCProvider_RequiresPKCE(t *testing.T) {
 			"https://myapp.com/callback",
 			[]string{"openid"},
 			server.URL, // issuer
+			server.URL + "/.well-known/openid-configuration",
 			true, // PKCE enabled
 			nil,
 			nil,
 			nil,
-			NewOIDCProviderCache(0),
+			newTestOIDCProviderCache(t, 0),
 		)
 
 		require.NoError(t, err)
@@ -481,11 +527,12 @@ func TestCustomOIDCProvider_RequiresPKCE(t *testing.T) {
 			"https://myapp.com/callback",
 			[]string{"openid"},
 			server.URL, // issuer
+			server.URL + "/.well-known/openid-configuration",
 			false, // PKCE disabled
 			nil,
 			nil,
 			nil,
-			NewOIDCProviderCache(0),
+			newTestOIDCProviderCache(t, 0),
 		)
 
 		require.NoError(t, err)