Doorkeeper: Support HTTP in discovery requests
What does this MR do and why?
We found in #554589 (closed) that when running GitLab over HTTP, OIDC discovery will fail because:
- Client requests the /configuration endpoint over HTTP. This works.
- GitLab responds with an HTTPS jwks_uri back to itself.
- Client requests an HTTPS URL - this will fail.
We should ensure that if clients request HTTP, they should get HTTP URLs in response.
References
- #554589 (closed)
- https://github.com/doorkeeper-gem/doorkeeper-openid_connect?tab=readme-ov-file#configuration
How to set up and validate locally
1. Run AI gateway with `AIGW_GITLAB_URL=http://<your_instance>`
2. Send request e.g. `curl -v -H'Authorization: Bearer jwt' -H'x-gitlab-authentication-type: oidc' http://localhost:5001/v4/code/completion` (token doesn't matter since it never gets to validate it anyway)
3. AIGW will 500 when trying to resolve `/oauth/discovery/keys`
With this MR applied, step 3 should succeed instead.
MR acceptance checklist
Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
Related to #554589 (closed)
Edited by Matthias Käppler
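The scheme mismatch described in this MR can be checked on the client side by comparing the origin of each URL in the discovery document with the origin the client actually requested. The following is an added example, not code from the MR, GitLab or the AI gateway; the host `gitlab.example.test`, the discovery path and both sample documents are constructed, and the function names are hypothetical.

```python
from urllib.parse import urlsplit

# Standard OIDC discovery metadata fields holding URLs the client will call.
URL_FIELDS = ("issuer", "authorization_endpoint", "token_endpoint",
              "userinfo_endpoint", "jwks_uri")


def origin(url):
    """Return (scheme, host, port), filling in the scheme's default port."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    port = parts.port or {"http": 80, "https": 443}.get(scheme)
    return scheme, (parts.hostname or "").lower(), port


def mismatched_urls(discovery_url, document):
    """List (field, url) pairs whose origin differs from the requested one."""
    requested = origin(discovery_url)
    problems = []
    for field in URL_FIELDS:
        value = document.get(field)
        if value and origin(value) != requested:
            problems.append((field, value))
    return problems


# Constructed sample data (assumption): an instance reachable over HTTP only.
DISCOVERY_URL = "http://gitlab.example.test/.well-known/openid-configuration"

# Before: the document points the client at an HTTPS jwks_uri.
BEFORE = {
    "issuer": "http://gitlab.example.test",
    "jwks_uri": "https://gitlab.example.test/oauth/discovery/keys",
}

# After: URLs follow the scheme the client used for the discovery request.
AFTER = {
    "issuer": "http://gitlab.example.test",
    "jwks_uri": "http://gitlab.example.test/oauth/discovery/keys",
}

if __name__ == "__main__":
    for label, doc in (("before", BEFORE), ("after", AFTER)):
        print(label, mismatched_urls(DISCOVERY_URL, doc))
```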