Use AUTHGEAR_ENDPOINT as Host, AUTHGEAR_ENDPOINT_INTERNAL for connection

louischan-oursky · louischan-oursky · commit a4dcc52d02d0 · 2025-11-28T11:18:33.000+08:00
1. For simplicity, we no longer fetch the discovery document, but fetch
   the JWKs directly.
2. Improve the compatibility by using AUTHGEAR_ENDPOINT as Host,
   AUTHGEAR_ENDPOINT_INTERNAL for connection.
3. Remove the dependency on oauthrelyingpartyutil as this logic is
   uncommon in that package. Instead, the hack is done in
   pkg/portal/session.
diff --git a/.vettedpositions b/.vettedpositions
@@ -317,8 +317,8 @@
 /pkg/lib/session/test/context.go:85:35: requestcontext
 /pkg/lib/workflow/intl_middleware.go:16:41: requestcontext
 /pkg/portal/csp_middleware.go:16:39: requestcontext
-/pkg/portal/session/middleware_session_info.go:54:9: requestcontext
-/pkg/portal/session/middleware_session_info.go:184:36: requestcontext
+/pkg/portal/session/middleware_session_info.go:52:9: requestcontext
+/pkg/portal/session/middleware_session_info.go:193:36: requestcontext
 /pkg/portal/session/middleware_session_required.go:12:38: requestcontext
 /pkg/portal/transport/admin_api_handler.go:39:9: requestcontext
 /pkg/portal/transport/graphql_handler.go:41:29: requestcontext
diff --git a/pkg/lib/oauthrelyingparty/oauthrelyingpartyutil/oidc.go b/pkg/lib/oauthrelyingparty/oauthrelyingpartyutil/oidc.go
@@ -7,7 +7,6 @@ import (
 	"fmt"
 	"net/http"
 	"net/url"
-	"strings"
 	"time"
 
 	"github.com/lestrrat-go/jwx/v2/jwk"
@@ -64,25 +63,6 @@ func FetchOIDCDiscoveryDocument(ctx context.Context, client *http.Client, endpoi
 	return &document, nil
 }
 
-func (d *OIDCDiscoveryDocument) WithRewrittenEndpoints(original string, replacement string) *OIDCDiscoveryDocument {
-	cloned := *d
-
-	if strings.Contains(cloned.AuthorizationEndpoint, original) {
-		cloned.AuthorizationEndpoint = strings.ReplaceAll(cloned.AuthorizationEndpoint, original, replacement)
-	}
-	if strings.Contains(cloned.TokenEndpoint, original) {
-		cloned.TokenEndpoint = strings.ReplaceAll(cloned.TokenEndpoint, original, replacement)
-	}
-	if strings.Contains(cloned.UserInfoEndpoint, original) {
-		cloned.UserInfoEndpoint = strings.ReplaceAll(cloned.UserInfoEndpoint, original, replacement)
-	}
-	if strings.Contains(cloned.JWKSUri, original) {
-		cloned.JWKSUri = strings.ReplaceAll(cloned.JWKSUri, original, replacement)
-	}
-
-	return &cloned
-}
-
 func (d *OIDCDiscoveryDocument) MakeOAuthURL(params AuthorizationURLParams) string {
 	return MakeAuthorizationURL(d.AuthorizationEndpoint, params.Query())
 }
diff --git a/pkg/lib/oauthrelyingparty/oauthrelyingpartyutil/oidc_test.go b/pkg/lib/oauthrelyingparty/oauthrelyingpartyutil/oidc_test.go
diff --git a/pkg/portal/session/middleware_session_info.go b/pkg/portal/session/middleware_session_info.go
@@ -12,15 +12,13 @@ import (
 	"github.com/patrickmn/go-cache"
 
 	"github.com/authgear/authgear-server/pkg/api/model"
-	"github.com/authgear/authgear-server/pkg/lib/oauthrelyingparty/oauthrelyingpartyutil"
 	portalconfig "github.com/authgear/authgear-server/pkg/portal/config"
 	"github.com/authgear/authgear-server/pkg/util/clock"
 	"github.com/authgear/authgear-server/pkg/util/duration"
 )
 
 var simpleCache = cache.New(5*time.Minute, 10*time.Minute)
 
-const cacheKeyOpenIDConfiguration = "openid-configuration"
 const cacheKeyJWKs = "jwks"
 
 type jwtClock struct {
@@ -146,27 +144,38 @@ func (m *SessionInfoMiddleware) getJWKs(ctx context.Context) (jwk.Set, error) {
 		return jwkIface.(jwk.Set), nil
 	}
 
-	endpointStr := m.AuthgearConfig.Endpoint
+	parsedEndpoint, err := url.Parse(m.AuthgearConfig.Endpoint)
+	if err != nil {
+		return nil, err
+	}
+
+	// HTTP Host header includes port, so we use .Host
+	httpHostHeader := parsedEndpoint.Host
+
+	connectionEndpoint := parsedEndpoint.String()
 	if m.AuthgearConfig.EndpointInternal != "" {
-		endpointStr = m.AuthgearConfig.EndpointInternal
+		connectionEndpoint = m.AuthgearConfig.EndpointInternal
 	}
 
-	endpoint, err := url.JoinPath(endpointStr, "/.well-known/openid-configuration")
+	jwksURI, err := url.JoinPath(connectionEndpoint, "/oauth2/jwks")
 	if err != nil {
 		return nil, err
 	}
 
-	oidcDiscoveryDocument, err := oauthrelyingpartyutil.FetchOIDCDiscoveryDocument(ctx, m.HTTPClient.Client, endpoint)
+	req, err := http.NewRequestWithContext(ctx, "GET", jwksURI, nil)
 	if err != nil {
 		return nil, err
 	}
-	if m.AuthgearConfig.EndpointInternal != "" {
-		oidcDiscoveryDocument = oidcDiscoveryDocument.WithRewrittenEndpoints(m.AuthgearConfig.Endpoint, m.AuthgearConfig.EndpointInternal)
-	}
+	// This is the most important line.
+	req.Host = httpHostHeader
 
-	simpleCache.Set(cacheKeyOpenIDConfiguration, oidcDiscoveryDocument, 0)
+	resp, err := m.HTTPClient.Do(req)
+	if err != nil {
+		return nil, err
+	}
+	defer resp.Body.Close()
 
-	jwkSet, err := oidcDiscoveryDocument.FetchJWKs(ctx, m.HTTPClient.Client)
+	jwkSet, err := jwk.ParseReader(resp.Body)
 	if err != nil {
 		return nil, err
 	}
