envoyproxy/gateway

OIDC SecurityPolicy: failed OIDC discovery returns HTTP 500 on all affected routes

Open

#9,235 创建于 2026年6月16日

在 GitHub 查看
 (1 评论) (5 反应) (0 负责人)Go (802 fork)auto 404
help wantedkind/enhancement

仓库指标

Star
 (2,871 star)
PR 合并指标
 (PR 指标待抓取)

描述

Description:

When a SecurityPolicy configures OIDC by specifying only the issuer (relying on automatic discovery of the remaining endpoints via the provider's /.well-known/openid-configuration document), a failure of that discovery step causes every HTTPRoute protected by that OIDC policy to return HTTP 500 directly.

On large, shared clusters where many routes reference the same issuer, a single discovery failure breaks hundreds of routes simultaneously.

Repro steps:

  • Create one or more OIDC SecurityPolicy resources that specify only provider.issuer (no explicit authorizationEndpoint / tokenEndpoint), targeting HTTPRoutes.
  • Cause OIDC discovery to fail — e.g. the IdP's /.well-known/openid-configuration is temporarily unreachable, returns a non-2xx, times out, or the issuer is briefly misconfigured.
  • Send requests to any HTTPRoute covered by those policies.

Environment:

  • Envoy Gateway version: 1.8.1
  • Kubernetes version: v1.35.5

贡献者指南