envoyproxy/gateway

OIDC SecurityPolicy: failed OIDC discovery returns HTTP 500 on all affected routes

Open

#9235 aperta il 16 giu 2026

Vedi su GitHub
 (1 commento) (5 reazioni) (0 assegnatari)Go (802 fork)auto 404
help wantedkind/enhancement

Metriche repository

Star
 (2871 star)
Metriche merge PR
 (Metriche PR in attesa)

Descrizione

Description:

When a SecurityPolicy configures OIDC by specifying only the issuer (relying on automatic discovery of the remaining endpoints via the provider's /.well-known/openid-configuration document), a failure of that discovery step causes every HTTPRoute protected by that OIDC policy to return HTTP 500 directly.

On large, shared clusters where many routes reference the same issuer, a single discovery failure breaks hundreds of routes simultaneously.

Repro steps:

  • Create one or more OIDC SecurityPolicy resources that specify only provider.issuer (no explicit authorizationEndpoint / tokenEndpoint), targeting HTTPRoutes.
  • Cause OIDC discovery to fail — e.g. the IdP's /.well-known/openid-configuration is temporarily unreachable, returns a non-2xx, times out, or the issuer is briefly misconfigured.
  • Send requests to any HTTPRoute covered by those policies.

Environment:

  • Envoy Gateway version: 1.8.1
  • Kubernetes version: v1.35.5

Guida contributor