Skip to content

Add OAuth 2.0 Protected Resource Metadata endpoint to Connect API #92

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
mattbates wants to merge 3 commits into
base: main
Choose a base branch
from
Open

Add OAuth 2.0 Protected Resource Metadata endpoint to Connect API #92

Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
a2c47db
add OIDC discovery endpoint route and cluster
mattbates Feb 3, 2026
87c9e01
Merge branch 'main' into mb/add-oidc-discovery-endpoint
mattbates Feb 3, 2026
fa591b7
serve RFC 9728 OAuth 2.0 Protected Resource Metadata endpoint
mattbates Feb 6, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
23 changes: 23 additions & 0 deletions charts/cofide-connect/templates/configmap-envoy.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -87,6 +87,7 @@ data:
filter_chain_match:
application_protocols:
- h2
- http/1.1
server_names:
- connect.{{ .Values.connect.urlBase }}
transport_socket:
Expand All @@ -96,6 +97,7 @@ data:
common_tls_context:
alpn_protocols:
- h2
- http/1.1
tls_certificates:
- certificate_chain:
filename: /etc/envoy/tls/tls.crt
Expand Down Expand Up @@ -128,6 +130,27 @@ data:
allow_credentials: true
max_age: "7200"
routes:
- match:
path: "/.well-known/oauth-protected-resource"
direct_response:
status: 200
body:
inline_string: |
{
"resource": "https://connect.{{ .Values.connect.urlBase }}",
"authorization_servers": ["{{ .Values.envoy.auth.issuer }}"],
"scopes_supported": ["openid", "profile", "offline_access"],
Copy link

@gemini-code-assist gemini-code-assist bot Feb 6, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

medium

The list of supported scopes is currently hardcoded. To improve flexibility and maintainability, consider making this list configurable through values.yaml. You can provide a default list if no configuration is specified.

For example, you could introduce a envoy.auth.scopesSupported value and use Helm's toJson function to render it.

                                      "scopes_supported": {{ .Values.envoy.auth.scopesSupported | default (list "openid" "profile" "offline_access") | toJson }},

Copy link
Member

@yoctozepto yoctozepto Feb 9, 2026
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

+1 (and likely add email to the default)

"bearer_methods_supported": ["header"]
}
response_headers_to_add:
- header:
key: "content-type"
value: "application/json"
# Explicitly disable JWT auth for this public discovery endpoint
typed_per_filter_config:
envoy.filters.http.jwt_authn:
"@type": type.googleapis.com/envoy.extensions.filters.http.jwt_authn.v3.PerRouteConfig
disabled: true
- match:
prefix: /proto.connect
route:
Expand Down
Loading