sighupio/gatekeeper-policy-manager

OIDC auto discovery always disabled due to Helm chart

michaelvl opened this issue · 1 comments

Most of the OIDC related settings are documented as optional, except GPM_OIDC_ISSUER, which is set by the Helm chart value oidc.issuer. Thus a minimal OIDC enabled Helm chart might have the following OIDC values:

oidc:
  enabled: true
  redirectDomain: https://gpm.example.com
  issuer: https://identity-provider.example.com

GPM (Python version) will do OIDC auto discovery towards the issuer/identity provider, except if some manual settings have been defined. This is implemented by the following Python code (shortened for clarity):

# app.py:101
    manual_oidc_provider = (
        "GPM_OIDC_AUTHORIZATION_ENDPOINT",
        ...
        "GPM_OIDC_END_SESSION_ENDPOINT",
    )
    if not all(v is None for v in [os.environ.get(x) for x in manual_oidc_provider]):
        # use manual configuration if one of the env vars is set
        provider_metadata = ProviderMetadata(
            issuer=os.environ.get("GPM_OIDC_ISSUER"),
            authorization_endpoint=os.environ.get("GPM_OIDC_AUTHORIZATION_ENDPOINT"),

The test against None means that setting e.g. GPM_OIDC_AUTHORIZATION_ENDPOINT to an empty string will disable auto discovery, and e.g. an empty authorization_endpoint will be configured.

The Helm chart Deployment template sets all environment variables unconditionally:

# chart/templates/deployment.yaml:83
            - name: GPM_OIDC_ISSUER
              value: {{ .Values.config.oidc.issuer }}
            - name: GPM_OIDC_AUTHORIZATION_ENDPOINT
              value: {{ .Values.config.oidc.authorizationEndpoint }}
            - name: GPM_OIDC_JWKS_URI
              value: {{ .Values.config.oidc.jwksURI }}

and since the chart values.yaml has empty defaults, the result is that the deployment is always configured with environment variables set to empty strings, effectively always prohibiting OIDC auto discovery because these 'unconfigured' values are not None.

A solution could be to update deployment.yaml to only define environment variables if they have a non-empty value or update the check in app.py to do a boolean check on strings (empty strings being 'False').
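To make the mismatch concrete, here is an added example (not the project's code) that puts the `is None` check quoted above beside the string-truthiness check the report proposes, and runs both against an environment constructed to match what the chart renders when the optional endpoints keep their empty defaults. Only the two tuple entries the report quotes are used; the real tuple in app.py contains more names.

```python
from typing import Dict, List, Mapping, Tuple

# The two names the report quotes from app.py's manual_oidc_provider tuple
# (the elided entries are left out here).
MANUAL_OIDC_PROVIDER = (
    "GPM_OIDC_AUTHORIZATION_ENDPOINT",
    "GPM_OIDC_END_SESSION_ENDPOINT",
)

# Constructed: the environment a pod gets when deployment.yaml emits every
# `- name: ... value: ...` pair unconditionally and values.yaml leaves the
# optional endpoints empty. Only oidc.issuer was set by the user.
CHART_ENV_EMPTY_DEFAULTS: Dict[str, str] = {
    "GPM_OIDC_ISSUER": "https://identity-provider.example.com",
    "GPM_OIDC_AUTHORIZATION_ENDPOINT": "",
    "GPM_OIDC_END_SESSION_ENDPOINT": "",
}


def manual_config_by_none_check(env: Mapping[str, str]) -> bool:
    """The check as quoted from app.py: any variable that is present,
    even as an empty string, switches auto discovery off."""
    return not all(v is None for v in [env.get(x) for x in MANUAL_OIDC_PROVIDER])


def manual_config_by_truthiness(env: Mapping[str, str]) -> bool:
    """The alternative the report suggests: an empty string counts as unset,
    so only a non-empty endpoint selects manual configuration."""
    return any(env.get(x) for x in MANUAL_OIDC_PROVIDER)


def select_provider_source(env: Mapping[str, str], empty_is_unset: bool) -> Tuple[str, List[str]]:
    """Return which path app.py would take ('discovery' or 'manual') and,
    for the manual path, the endpoints that would be configured empty."""
    manual = manual_config_by_truthiness(env) if empty_is_unset else manual_config_by_none_check(env)
    if not manual:
        return "discovery", []
    return "manual", [x for x in MANUAL_OIDC_PROVIDER if env.get(x) == ""]


if __name__ == "__main__":
    # Under the page's check the chart output yields manual mode with empty endpoints;
    # under the truthiness check the same environment falls back to discovery.
    print(select_provider_source(CHART_ENV_EMPTY_DEFAULTS, empty_is_unset=False))
    print(select_provider_source(CHART_ENV_EMPTY_DEFAULTS, empty_is_unset=True))
```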

Hi Michael! Thanks for the super-complete report and sorry you are having issues with GPM.

> A solution could be to update deployment.yaml to only define environment variables if they have a non-empty value or update the check in app.py to do a boolean check on strings (empty strings being 'False').

The right thing is to fix the Helm Chart; we can't know for sure beforehand that all the values must be set, and maybe in some cases an empty value is a valid option.

I confirm that this is a bug in the Helm Chart.