testing oidc bug

2025-12-21 13:40:31 -06:00 · 2025-10-27 17:21:55 +05:30 · 2025-10-27 16:07:28 +05:30
5 changed files with 11 additions and 1 deletions
--- a/apps/web/lib/constants.ts
+++ b/apps/web/lib/constants.ts
@@ -49,6 +49,7 @@ export const AZUREAD_TENANT_ID = env.AZUREAD_TENANT_ID;
 export const OIDC_CLIENT_ID = env.OIDC_CLIENT_ID;
 export const OIDC_CLIENT_SECRET = env.OIDC_CLIENT_SECRET;
 export const OIDC_ISSUER = env.OIDC_ISSUER;
+export const OIDC_ISSUER_INTERNAL = env.OIDC_ISSUER_INTERNAL;
 export const OIDC_DISPLAY_NAME = env.OIDC_DISPLAY_NAME;
 export const OIDC_SIGNING_ALGORITHM = env.OIDC_SIGNING_ALGORITHM;

--- a/apps/web/lib/env.ts
+++ b/apps/web/lib/env.ts
@@ -52,6 +52,7 @@ export const env = createEnv({
    OIDC_CLIENT_SECRET: z.string().optional(),
    OIDC_DISPLAY_NAME: z.string().optional(),
    OIDC_ISSUER: z.string().optional(),
+    OIDC_ISSUER_INTERNAL: z.string().optional(),
    OIDC_SIGNING_ALGORITHM: z.string().optional(),
    OPENTELEMETRY_LISTENER_URL: z.string().optional(),
    REDIS_URL:
@@ -182,6 +183,7 @@ export const env = createEnv({
    OIDC_CLIENT_SECRET: process.env.OIDC_CLIENT_SECRET,
    OIDC_DISPLAY_NAME: process.env.OIDC_DISPLAY_NAME,
    OIDC_ISSUER: process.env.OIDC_ISSUER,
+    OIDC_ISSUER_INTERNAL: process.env.OIDC_ISSUER_INTERNAL,
    OIDC_SIGNING_ALGORITHM: process.env.OIDC_SIGNING_ALGORITHM,
    REDIS_URL: process.env.REDIS_URL,
    PASSWORD_RESET_DISABLED: process.env.PASSWORD_RESET_DISABLED,
--- a/apps/web/modules/auth/lib/authOptions.ts
+++ b/apps/web/modules/auth/lib/authOptions.ts
@@ -31,6 +31,7 @@ import { handleSsoCallback } from "@/modules/ee/sso/lib/sso-handlers";
 import { createBrevoCustomer } from "./brevo";

 export const authOptions: NextAuthOptions = {
+  debug: true,
  providers: [
    CredentialsProvider({
      id: "credentials",
--- a/apps/web/modules/ee/sso/lib/providers.ts
+++ b/apps/web/modules/ee/sso/lib/providers.ts
@@ -14,6 +14,7 @@ import {
  OIDC_CLIENT_SECRET,
  OIDC_DISPLAY_NAME,
  OIDC_ISSUER,
+  OIDC_ISSUER_INTERNAL,
  OIDC_SIGNING_ALGORITHM,
  WEBAPP_URL,
 } from "@/lib/constants";
@@ -39,7 +40,11 @@ export const getSSOProviders = () => [
    type: "oauth" as const,
    clientId: OIDC_CLIENT_ID || "",
    clientSecret: OIDC_CLIENT_SECRET || "",
-    wellKnown: `${OIDC_ISSUER}/.well-known/openid-configuration`,
+    // Use OIDC_ISSUER_INTERNAL for server-side token validation if set,
+    // otherwise fall back to OIDC_ISSUER (maintains backward compatibility)
+    wellKnown: `${OIDC_ISSUER_INTERNAL || OIDC_ISSUER}/.well-known/openid-configuration`,
+    // Use regular OIDC_ISSUER for authorization (browser redirects)
+    issuer: OIDC_ISSUER,
    authorization: { params: { scope: "openid email profile" } },
    idToken: true,
    client: {
--- a/turbo.json
+++ b/turbo.json
@@ -169,6 +169,7 @@
        "OIDC_CLIENT_SECRET",
        "OIDC_DISPLAY_NAME",
        "OIDC_ISSUER",
+        "OIDC_ISSUER_INTERNAL",
        "OIDC_SIGNING_ALGORITHM",
        "PASSWORD_RESET_DISABLED",
        "PLAYWRIGHT_CI",
Author	SHA1	Message	Date
pandeymangg	37e5246cc5	testing oidc bug	2025-10-27 17:21:55 +05:30
pandeymangg	72767e9336	testing oidc bug	2025-10-27 16:07:28 +05:30