
Manual setting for OIDC discovery URL

Open narolinus opened this issue 4 months ago • 5 comments

My OIDC provider is not fully compliant with the standard. This means they are missing some fields from the .well-known/openid-configuration. Specifically, the following fields are missing:

subject_types_supported and id_token_signing_alg_values_supported.

They offer another, more compliant URL under /auth/public/.well-known/openid-configuration. However, the issuer, which is the server name, stays the same. Therefore I cannot use it with SQLpage, as it yields a validation mismatch.

Ideally, there would be a way to manually configure the discovery URL (or more parameters).

narolinus avatar Aug 11 '25 12:08 narolinus

Hello! I think the best course of action is to fix this in the OIDC provider, not in SQLPage. If the OIDC provider is unresponsive, you can host a /.well-known/openid-configuration.sql on your own server, where you set each field the way you need.

lovasoa avatar Aug 11 '25 13:08 lovasoa

By the way, which OIDC provider is this?

lovasoa avatar Aug 11 '25 13:08 lovasoa

The provider is IServ. It is a major player in German schools. Their servers are on-premise or cloud hosted. We got the on-premise solution, but we are not the direct customer; that is the city IT. Therefore debugging is often a nightmare and we often need to work the politics. It's quite complicated. Back to topic.

Won't "/.well-known/openid-configuration.sql on your own server" fail validation? Or does SQLPage pick up the settings from that file and use those to connect to the real issuer?

narolinus avatar Aug 11 '25 16:08 narolinus

The OIDC config file can be hosted anywhere, as far as I know.

lovasoa avatar Aug 11 '25 20:08 lovasoa

No. That does not work, as I expected. It fails with a validation error.

Aug 13 12:53:02 schule sqlpage[1696694]: [2025-08-13T10:53:02.044Z ERROR sqlpage] Failed to discover OIDC provider metadata
Aug 13 12:53:02 schule sqlpage[1696694]:
Aug 13 12:53:02 schule sqlpage[1696694]: Caused by:
Aug 13 12:53:02 schule sqlpage[1696694]: Validation error: unexpected issuer URI https://<issuer> (expected https://<external-server>)

That would have been a great workaround. Unfortunately, that's how it remains. It would be great if one could at least set the discovery URL and issuer URL independently, so one could bypass providers that don't behave correctly.

narolinus avatar Aug 13 '25 10:08 narolinus
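The following is an added example, not code from SQLPage or from either poster in this thread. It reproduces in Python the checks a relying party performs on an OIDC discovery document (OpenID Connect Discovery 1.0, sections 3 and 4): the discovery URL is derived from the configured issuer, the REQUIRED metadata members must be present, and the document's "issuer" must equal the configured issuer. Run against constructed documents, it shows why the default well-known URL fails on the two missing fields, why the self-hosted .well-known file suggested above fails with exactly the "unexpected issuer URI ... (expected ...)" mismatch from the log, and why rewriting the issuer field to get past that check only moves the failure to ID-token validation. The host names https://idp.example and https://app.example, the endpoint paths and the sample documents are assumptions made for the example; they are not real IServ or SQLPage output.

```python
"""OIDC discovery-document validation as a relying party performs it.
Sample documents and host names are constructed for this example."""
import json
from urllib.parse import urlsplit, urlunsplit

WELL_KNOWN = "/.well-known/openid-configuration"

# Members the Discovery spec (section 3) marks REQUIRED unconditionally.
# token_endpoint is only required when a flow other than implicit is used.
REQUIRED_FIELDS = (
    "issuer",
    "authorization_endpoint",
    "jwks_uri",
    "response_types_supported",
    "subject_types_supported",
    "id_token_signing_alg_values_supported",
)


def discovery_url(issuer: str) -> str:
    """Append the well-known path to the issuer, keeping any path component
    (https://host/tenant -> https://host/tenant/.well-known/...).
    Because the URL is derived from the issuer, a document hosted under a
    different origin is never fetched for that issuer unless the client lets
    you configure the discovery URL separately."""
    parts = urlsplit(issuer)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError("issuer must be an https URL")
    if parts.query or parts.fragment:
        raise ValueError("issuer must not carry a query or fragment")
    path = parts.path.rstrip("/") + WELL_KNOWN
    return urlunsplit((parts.scheme, parts.netloc, path, "", ""))


def validate_metadata(expected_issuer: str, raw_json: str) -> dict:
    """Parse a discovery document and enforce the checks relevant here."""
    meta = json.loads(raw_json)
    missing = [f for f in REQUIRED_FIELDS if f not in meta]
    if missing:
        raise ValueError("missing required fields: " + ", ".join(missing))
    # Issuer pinning: the document must claim to be the issuer we configured.
    # This is what stops anyone (attacker or admin) from serving metadata for
    # someone else's issuer from their own host.
    if meta["issuer"] != expected_issuer:
        raise ValueError(
            f"unexpected issuer URI {meta['issuer']} (expected {expected_issuer})")
    return meta


def check(expected_issuer: str, raw_json: str) -> str:
    """Return "" when the document is acceptable, else the validation error."""
    try:
        validate_metadata(expected_issuer, raw_json)
    except ValueError as exc:
        return str(exc)
    return ""


def id_token_issuer_ok(claims: dict, meta: dict) -> bool:
    """The iss claim of every ID token must equal the metadata issuer
    (OpenID Connect Core 1.0, section 3.1.3.7)."""
    return claims.get("iss") == meta["issuer"]


# --- Constructed sample documents (assumed hosts and paths, not real output) ---
ISSUER = "https://idp.example"   # assumed identity provider
APP = "https://app.example"      # assumed host running the relying party

_base = {
    "issuer": ISSUER,
    "authorization_endpoint": ISSUER + "/oauth/authorize",
    "token_endpoint": ISSUER + "/oauth/token",
    "jwks_uri": ISSUER + "/oauth/jwks",
    "response_types_supported": ["code"],
}
# What the default well-known URL returns: two REQUIRED members are absent.
INCOMPLETE_DOC = json.dumps(_base)
# What the provider's alternate, compliant URL returns (issuer unchanged).
COMPLETE_DOC = json.dumps({
    **_base,
    "subject_types_supported": ["public"],
    "id_token_signing_alg_values_supported": ["RS256"],
})
# A copy of the compliant document with "issuer" rewritten to the app host,
# so that a copy served from the app passes the issuer check.
REISSUED_DOC = json.dumps({**json.loads(COMPLETE_DOC), "issuer": APP})


if __name__ == "__main__":
    print(discovery_url(ISSUER))
    print("default URL:", check(ISSUER, INCOMPLETE_DOC) or "ok")
    print("alternate URL, issuer unchanged:", check(ISSUER, COMPLETE_DOC) or "ok")
    print("copy on app host, issuer unchanged:", check(APP, COMPLETE_DOC) or "ok")
    print("copy on app host, issuer rewritten:", check(APP, REISSUED_DOC) or "ok")
    print("IdP token accepted after rewrite:",
          id_token_issuer_ok({"iss": ISSUER}, json.loads(REISSUED_DOC)))
```

The third case is the workaround from the thread: the relying party is pointed at the app host, fetches the copied document there, and rejects it because the document still names the real issuer. The fourth case passes discovery only by lying about the issuer, and the last line shows the consequence: every ID token the real provider signs carries iss = https://idp.example and no longer matches the metadata. A separately configurable discovery URL, as requested, is the case in the second line: the compliant alternate document is fetched while the issuer stays pinned to the real provider, so both checks hold.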