envoyproxy/gateway

OIDC SecurityPolicy: failed OIDC discovery returns HTTP 500 on all affected routes

Open

#9 235 ouverte le 16 juin 2026

Voir sur GitHub
 (1 commentaire) (5 réactions) (0 assignés)Go (802 forks)auto 404
help wantedkind/enhancement

Métriques du dépôt

Stars
 (2 871 stars)
Métriques de merge PR
 (Métriques PR en attente)

Description

Description:

When a SecurityPolicy configures OIDC by specifying only the issuer (relying on automatic discovery of the remaining endpoints via the provider's /.well-known/openid-configuration document), a failure of that discovery step causes every HTTPRoute protected by that OIDC policy to return HTTP 500 directly.

On large, shared clusters where many routes reference the same issuer, a single discovery failure breaks hundreds of routes simultaneously.

Repro steps:

  • Create one or more OIDC SecurityPolicy resources that specify only provider.issuer (no explicit authorizationEndpoint / tokenEndpoint), targeting HTTPRoutes.
  • Cause OIDC discovery to fail — e.g. the IdP's /.well-known/openid-configuration is temporarily unreachable, returns a non-2xx, times out, or the issuer is briefly misconfigured.
  • Send requests to any HTTPRoute covered by those policies.

Environment:

  • Envoy Gateway version: 1.8.1
  • Kubernetes version: v1.35.5

Guide contributeur