add: Oidc Connect Discovery

mkleczek · mkleczek · commit bb0eeef5523d · 2026-02-03T06:22:29.000+01:00
diff --git a/postgrest.cabal b/postgrest.cabal
@@ -158,6 +158,8 @@ library
                     , stm-hamt                  >= 1.2 && < 2
                     , focus                     >= 1.0 && < 2
                     , some                      >= 1.0.4.1 && < 2
+                    , oidc-client               >= 0.8.0.0 && < 0.9
+                    , http-client-tls           >= 0.3.6.4 && < 0.4
                       -- -fno-spec-constr may help keep compile time memory use in check,
                       --   see https://gitlab.haskell.org/ghc/ghc/issues/16017#note_219304
                       -- -optP-Wno-nonportable-include-path
diff --git a/src/PostgREST/Config.hs b/src/PostgREST/Config.hs
@@ -67,6 +67,10 @@ import PostgREST.SchemaCache.Identifiers (QualifiedIdentifier (..),
                                           toQi)
 
 import Protolude hiding (Proxy, toList)
+import Web.OIDC.Client (Provider(..), discover)
+import Network.HTTP.Client.TLS (newTlsManager)
+import Network.HTTP.Client (HttpException (InvalidUrlException))
+import Control.Arrow ((***), (&&&))
 
 audMatchesCfg :: AppConfig -> Text -> Bool
 audMatchesCfg =  maybe (const True) (==) . configJwtAudience
@@ -247,6 +251,7 @@ readAppConfig dbSettings optPath prevDbUri roleSettings roleIsolationLvl = do
     decodeLoadFiles parsedConfig = try $
       decodeJWKS =<<
       decodeSecret =<<
+      oidcConnectDiscovery =<<
       readSecretFile =<<
       readDbUriFile prevDbUri parsedConfig
 
@@ -478,6 +483,18 @@ parser optPath env dbSettings roleSettings roleIsolationLvl =
     defaultServerHost :: Maybe Text -> Text
     defaultServerHost = fromMaybe "!4"
 
+oidcConnectDiscovery :: AppConfig -> IO AppConfig
+oidcConnectDiscovery conf = maybe (pure conf) (performDiscovery . decodeUtf8) (configJwtSecret conf)
+  where
+    performDiscovery uri = oidcDiscover uri `catches` [
+      Handler (\case
+        InvalidUrlException _ _ -> pure conf
+        _ -> fail "OIDC discovery failed")
+      ]
+    oidcDiscover uri = do
+      manager <- newTlsManager
+      (Provider _ keys) <- discover uri manager
+      pure $ conf { configJWKS = Just $ JWT.JwkSet keys }
 -- | Read the JWT secret from a file if configJwtSecret is actually a
 -- filepath(has @ as its prefix). To check if the JWT secret is provided is
 -- in fact a file path, it must be decoded as 'Text' to be processed.
