envoyproxy/gateway

OIDC SecurityPolicy: failed OIDC discovery returns HTTP 500 on all affected routes

Open

#9,235 建立於 2026年6月16日

在 GitHub 查看
 (1 留言) (5 反應) (0 負責人)Go (802 fork)auto 404
help wantedkind/enhancement

倉庫指標

Star
 (2,871 star)
PR 合併指標
 (PR 指標待抓取)

描述

Description:

When a SecurityPolicy configures OIDC by specifying only the issuer (relying on automatic discovery of the remaining endpoints via the provider's /.well-known/openid-configuration document), a failure of that discovery step causes every HTTPRoute protected by that OIDC policy to return HTTP 500 directly.

On large, shared clusters where many routes reference the same issuer, a single discovery failure breaks hundreds of routes simultaneously.

Repro steps:

  • Create one or more OIDC SecurityPolicy resources that specify only provider.issuer (no explicit authorizationEndpoint / tokenEndpoint), targeting HTTPRoutes.
  • Cause OIDC discovery to fail — e.g. the IdP's /.well-known/openid-configuration is temporarily unreachable, returns a non-2xx, times out, or the issuer is briefly misconfigured.
  • Send requests to any HTTPRoute covered by those policies.

Environment:

  • Envoy Gateway version: 1.8.1
  • Kubernetes version: v1.35.5

貢獻者指南