envoyproxy/gateway
GitHub で見るOIDC SecurityPolicy: failed OIDC discovery returns HTTP 500 on all affected routes
Open
#9,235 opened on 2026年6月16日
help wantedkind/enhancement
Repository metrics
- Stars
- (2,871 stars)
- PR merge metrics
- (PR metrics pending)
説明
Description:
When a SecurityPolicy configures OIDC by specifying only the issuer (relying on automatic discovery of the remaining endpoints via the provider's /.well-known/openid-configuration document), a failure of that discovery step causes every HTTPRoute protected by that OIDC policy to return HTTP 500 directly.
On large, shared clusters where many routes reference the same issuer, a single discovery failure breaks hundreds of routes simultaneously.
Repro steps:
- Create one or more OIDC SecurityPolicy resources that specify only
provider.issuer(no explicit authorizationEndpoint / tokenEndpoint), targeting HTTPRoutes. - Cause OIDC discovery to fail — e.g. the IdP's
/.well-known/openid-configurationis temporarily unreachable, returns a non-2xx, times out, or the issuer is briefly misconfigured. - Send requests to any HTTPRoute covered by those policies.
Environment:
- Envoy Gateway version: 1.8.1
- Kubernetes version: v1.35.5