Merge pull request #380 from serverlessworkflow/fix-oidc-discovery

Fixed the OAuth2TokenManager by disabling HTTPS requirements when performing OIDC discovery requests

Author: cdavernas

deployments/docker-compose/docker-compose.build.yml

@@ -13,6 +13,7 @@ services:
       CONNECTIONSTRINGS__REDIS: ${GARNET_URI}
       SYNAPSE_DASHBOARD_SERVE: true
       SYNAPSE_API_AUTH_TOKEN_FILE: /app/tokens.yaml
+      SYNAPSE_API_JWT_AUTHORITY: http://api:8080
     volumes:
       - ./config/tokens.yaml:/app/tokens.yaml
     ports:

deployments/docker-compose/docker-compose.yml

@@ -11,7 +11,7 @@ services:
       CONNECTIONSTRINGS__REDIS: ${GARNET_URI}
       SYNAPSE_DASHBOARD_SERVE: true
       SYNAPSE_API_AUTH_TOKEN_FILE: /app/tokens.yaml
-      SYNAPSE_API_AUTH_AUTHORITY: http://api:8080
+      SYNAPSE_API_JWT_AUTHORITY: http://api:8080
     volumes:
       - ./config/tokens.yaml:/app/tokens.yaml
     ports:

src/api/Synapse.Api.Server/Program.cs

@@ -18,7 +18,7 @@
 var applicationOptions = new ApiServerOptions();
 builder.Configuration.Bind(applicationOptions);
 if (applicationOptions.Authentication.Tokens.Count < 1) throw new Exception("The Synapse API server requires that at least one static user token be configured");
-var authority = builder.Environment.RunsInDocker() || builder.Environment.RunsInKubernetes() ? Environment.GetEnvironmentVariable("SYNAPSE_API_AUTH_AUTHORITY") : null;
+var authority = builder.Environment.RunsInDocker() || builder.Environment.RunsInKubernetes() ? Environment.GetEnvironmentVariable("SYNAPSE_API_JWT_AUTHORITY") : null;
 
 builder.Services.Configure<ApiServerOptions>(builder.Configuration);
 builder.Services.AddResponseCompression();

src/core/Synapse.Core.Infrastructure/Services/OAuth2TokenManager.cs

@@ -64,8 +64,16 @@ public virtual async Task<OAuth2Token> GetTokenAsync(OAuth2AuthenticationSchemeD
         Uri tokenEndpoint;
         if (configuration is OpenIDConnectSchemeDefinition)
         {
-            var discoveryDocument = await this.HttpClient.GetDiscoveryDocumentAsync(configuration.Authority.OriginalString, cancellationToken).ConfigureAwait(false);
-            if (string.IsNullOrWhiteSpace(discoveryDocument.TokenEndpoint)) throw new NullReferenceException("The token endpoint is not documented by the OIDC discovery document");
+            var discoveryRequest = new DiscoveryDocumentRequest()
+            {
+                Address = configuration.Authority.OriginalString,
+                Policy = new()
+                {
+                    RequireHttps = false
+                }
+            };
+            var discoveryDocument = await this.HttpClient.GetDiscoveryDocumentAsync(discoveryRequest, cancellationToken).ConfigureAwait(false);
+            if (string.IsNullOrWhiteSpace(discoveryDocument.TokenEndpoint)) throw new NullReferenceException($"The token endpoint is not documented by the OIDC discovery document.{(discoveryDocument.IsError ? $" Discovery error [{discoveryDocument.ErrorType}]: {discoveryDocument.Error}" : string.Empty)}");
             tokenEndpoint = new(discoveryDocument.TokenEndpoint!);
         }
         else if (configuration is OAuth2AuthenticationSchemeDefinition oauth2) tokenEndpoint = oauth2.Endpoints.Token;