Make the issue optional on upstream OAuth 2.0 providers

Author: sandhose

crates/cli/src/commands/manage.rs

@@ -764,8 +764,10 @@ impl std::fmt::Display for HumanReadable<&UpstreamOAuthProvider> {
         let provider = self.0;
         if let Some(human_name) = &provider.human_name {
             write!(f, "{} ({})", human_name, provider.id)
+        } else if let Some(issuer) = &provider.issuer {
+            write!(f, "{} ({})", issuer, provider.id)
         } else {
-            write!(f, "{} ({})", provider.issuer, provider.id)
+            write!(f, "{}", provider.id)
         }
     }
 }

crates/config/src/sections/upstream_oauth2.rs

@@ -47,6 +47,14 @@ impl ConfigurationSection for UpstreamOAuth2Config {
                 Err(error)
             };
 
+            if !matches!(provider.discovery_mode, DiscoveryMode::Disabled)
+                && provider.issuer.is_none()
+            {
+                return annotate(figment::Error::custom(
+                    "The `issuer` field is required when discovery is enabled",
+                ));
+            }
+
             match provider.token_endpoint_auth_method {
                 TokenAuthMethod::None
                 | TokenAuthMethod::PrivateKeyJwt
@@ -438,7 +446,10 @@ pub struct Provider {
     pub id: Ulid,
 
     /// The OIDC issuer URL
-    pub issuer: String,
+    ///
+    /// This is required if OIDC discovery is enabled (which is the default)
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub issuer: Option<String>,
 
     /// A human-readable name for the provider, that will be shown to users
     #[serde(skip_serializing_if = "Option::is_none")]

crates/data-model/src/upstream_oauth2/provider.rs

@@ -219,7 +219,7 @@ pub struct InvalidUpstreamOAuth2TokenAuthMethod(String);
 #[derive(Debug, Clone, PartialEq, Eq, Serialize)]
 pub struct UpstreamOAuthProvider {
     pub id: Ulid,
-    pub issuer: String,
+    pub issuer: Option<String>,
     pub human_name: Option<String>,
     pub brand_name: Option<String>,
     pub discovery_mode: DiscoveryMode,

crates/handlers/src/graphql/model/upstream_oauth.rs

@@ -37,8 +37,8 @@ impl UpstreamOAuth2Provider {
     }
 
     /// OpenID Connect issuer URL.
-    pub async fn issuer(&self) -> &str {
-        &self.provider.issuer
+    pub async fn issuer(&self) -> Option<&str> {
+        self.provider.issuer.as_deref()
     }
 
     /// Client ID used for this provider.

crates/handlers/src/upstream_oauth2/cache.rs

@@ -61,10 +61,11 @@ impl<'a> LazyProviderInfos<'a> {
                 }
             };
 
-            let metadata = self
-                .cache
-                .get(self.client, &self.provider.issuer, verify)
-                .await?;
+            let Some(issuer) = &self.provider.issuer else {
+                return Err(DiscoveryError::MissingIssuer);
+            };
+
+            let metadata = self.cache.get(self.client, issuer, verify).await?;
 
             self.loaded_metadata = Some(metadata);
         }
@@ -179,8 +180,13 @@ impl MetadataCache {
                 UpstreamOAuthProviderDiscoveryMode::Disabled => continue,
             };
 
-            if let Err(e) = self.fetch(client, &provider.issuer, verify).await {
-                tracing::error!(issuer = %provider.issuer, error = &e as &dyn std::error::Error, "Failed to fetch provider metadata");
+            let Some(issuer) = &provider.issuer else {
+                tracing::error!(%provider.id, "Provider doesn't have an issuer set, but discovery is enabled!");
+                continue;
+            };
+
+            if let Err(e) = self.fetch(client, issuer, verify).await {
+                tracing::error!(%issuer, error = &e as &dyn std::error::Error, "Failed to fetch provider metadata");
             }
         }
 
@@ -395,7 +401,7 @@ mod tests {
         let clock = MockClock::default();
         let provider = UpstreamOAuthProvider {
             id: Ulid::nil(),
-            issuer: mock_server.uri(),
+            issuer: Some(mock_server.uri()),
             human_name: Some("Example Ltd.".to_owned()),
             brand_name: None,
             discovery_mode: UpstreamOAuthProviderDiscoveryMode::Insecure,

crates/handlers/src/upstream_oauth2/callback.rs

@@ -284,7 +284,7 @@ pub(crate) async fn handler(
         );
 
         let id_token_verification_data = JwtVerificationData {
-            issuer: &provider.issuer,
+            issuer: provider.issuer.as_deref(),
             jwks: jwks.as_ref().unwrap(),
             signing_algorithm: &provider.id_token_signed_response_alg,
             client_id: &provider.client_id,
@@ -350,7 +350,7 @@ pub(crate) async fn handler(
                     lazy_metadata.userinfo_endpoint().await?,
                     token_response.access_token.as_str(),
                     Some(JwtVerificationData {
-                        issuer: &provider.issuer,
+                        issuer: provider.issuer.as_deref(),
                         jwks: &jwks,
                         signing_algorithm,
                         client_id: &provider.client_id,

crates/handlers/src/upstream_oauth2/link.rs

@@ -916,7 +916,7 @@ mod tests {
                 &mut rng,
                 &state.clock,
                 UpstreamOAuthProviderParams {
-                    issuer: "https://example.com/".to_owned(),
+                    issuer: Some("https://example.com/".to_owned()),
                     human_name: Some("Example Ltd.".to_owned()),
                     brand_name: None,
                     scope: Scope::from_iter([OPENID]),

crates/handlers/src/upstream_oauth2/mod.rs

@@ -131,7 +131,6 @@ fn client_credentials_for_provider(
 
             ClientCredentials::SignInWithApple {
                 client_id,
-                audience: provider.issuer.clone(),
                 key,
                 key_id: params.key_id,
                 team_id: params.team_id,

crates/handlers/src/views/login.rs

@@ -398,7 +398,7 @@ mod test {
                 &mut rng,
                 &state.clock,
                 UpstreamOAuthProviderParams {
-                    issuer: "https://first.com/".to_owned(),
+                    issuer: Some("https://first.com/".to_owned()),
                     human_name: Some("First Ltd.".to_owned()),
                     brand_name: None,
                     scope: [OPENID].into_iter().collect(),
@@ -438,7 +438,7 @@ mod test {
                 &mut rng,
                 &state.clock,
                 UpstreamOAuthProviderParams {
-                    issuer: "https://second.com/".to_owned(),
+                    issuer: Some("https://second.com/".to_owned()),
                     human_name: None,
                     brand_name: None,
                     scope: [OPENID].into_iter().collect(),

crates/oidc-client/src/error.rs

@@ -55,6 +55,11 @@ pub enum DiscoveryError {
     /// An error occurred validating the metadata.
     Validation(#[from] ProviderMetadataVerificationError),
 
+    /// The provider doesn't have an issuer set, which is required if discovery
+    /// is enabled.
+    #[error("Provider doesn't have an issuer set")]
+    MissingIssuer,
+
     /// Discovery is disabled for this provider.
     #[error("Discovery is disabled for this provider")]
     Disabled,