Better support internal oidc config address

Author: alukach

src/stac_auth_proxy/app.py

@@ -69,6 +69,7 @@ def create_app(settings: Optional[Settings] = None) -> FastAPI:
         private_endpoints=settings.private_endpoints,
         default_public=settings.default_public,
         oidc_config_url=settings.oidc_discovery_url,
+        oidc_config_internal_url=settings.oidc_discovery_internal_url,
     )
 
     return app

src/stac_auth_proxy/config.py

@@ -34,6 +34,7 @@ class Settings(BaseSettings):
     # External URLs
     upstream_url: HttpUrl
     oidc_discovery_url: HttpUrl
+    oidc_discovery_internal_url: Optional[HttpUrl] = None
 
     # Endpoints
     healthz_prefix: str = Field(pattern=_PREFIX_PATTERN, default="/healthz")

src/stac_auth_proxy/middleware/EnforceAuthMiddleware.py

@@ -1,11 +1,10 @@
 """Middleware to enforce authentication."""
 
-import json
 import logging
-import urllib.request
 from dataclasses import dataclass, field
 from typing import Annotated, Optional, Sequence
 
+import httpx
 import jwt
 from fastapi import HTTPException, Request, Security, status
 from pydantic import HttpUrl
@@ -28,7 +27,7 @@ class EnforceAuthMiddleware:
     default_public: bool
 
     oidc_config_url: HttpUrl
-    openid_configuration_internal_url: Optional[HttpUrl] = None
+    oidc_config_internal_url: Optional[HttpUrl] = None
     allowed_jwt_audiences: Optional[Sequence[str]] = None
 
     state_key: str = "user"
@@ -39,18 +38,24 @@ class EnforceAuthMiddleware:
     def __post_init__(self):
         """Initialize the OIDC authentication class."""
         logger.debug("Requesting OIDC config")
-        origin_url = str(self.openid_configuration_internal_url or self.oidc_config_url)
-        with urllib.request.urlopen(origin_url) as response:
-            if response.status != 200:
-                logger.error(
-                    "Received a non-200 response when fetching OIDC config: %s",
-                    response.text,
-                )
-                raise OidcFetchError(
-                    f"Request for OIDC config failed with status {response.status}"
-                )
-            oidc_config = json.load(response)
+        origin_url = str(self.oidc_config_internal_url or self.oidc_config_url)
+
+        try:
+            response = httpx.get(origin_url)
+            response.raise_for_status()
+            oidc_config = response.json()
             self.jwks_client = jwt.PyJWKClient(oidc_config["jwks_uri"])
+        except httpx.HTTPStatusError as e:
+            logger.error(
+                "Received a non-200 response when fetching OIDC config: %s",
+                e.response.text,
+            )
+            raise OidcFetchError(
+                f"Request for OIDC config failed with status {e.response.status_code}"
+            )
+        except httpx.RequestError as e:
+            logger.error("Error fetching OIDC config from %s: %s", origin_url, str(e))
+            raise OidcFetchError(f"Request for OIDC config failed: {str(e)}")
 
     async def __call__(self, scope: Scope, receive: Receive, send: Send) -> None:
         """Enforce authentication."""