Build the OIDC config from same-origin metadata instead of cross-origin discovery

Initiating login awaited an OIDC discovery fetch to the issuer host
(/.well-known/openid-configuration). From a convention page that's a
cross-origin request to the root site — which gets blocked (Brave shields in
production; untrusted self-signed certs in local dev, where it showed up as
`GET 0 /.well-known/openid-configuration`). When it fails, initiateAuthentication
can't build the redirect URL and login wedges — the root of the white screen.

The SPA only needs three things from the issuer: the issuer URL, the
authorization endpoint (to build the redirect) and the end-session endpoint (for
sign-out); token exchange/refresh already go through our own same-origin
/oauth_session/* endpoints. So serve those in /client_configuration (already
fetched same-origin at boot) and construct openid-client's Configuration
directly, dropping the discovery() call entirely. No more cross-origin
dependency in the login path.

The endpoints are built by joining the issuer URL with the route paths, so a
convention page gets the root-site endpoints regardless of which host served the
request.

Tests: openid.test.ts confirms the authorization URL and end-session endpoint
come out of the metadata-built Configuration (no fetch); a client_configuration
controller test confirms the endpoints are served on the issuer host.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>

Author: nbudin

app/controllers/client_configuration_controller.rb

@@ -14,6 +14,14 @@ def show
     render json: {
              oauth_frontend_application_uid: Doorkeeper::Application.find_by(is_intercode_frontend: true)&.uid,
              oidc_issuer_url: oidc_issuer_url,
+             # The SPA used to fetch these via the OIDC discovery document, but that's a
+             # cross-origin request to the issuer host (a convention page reaching the root
+             # site), which gets blocked (Brave shields, untrusted dev certs, etc.) and
+             # leaves login hanging. Serving them here — same-origin — removes that
+             # dependency. Built from the issuer URL so they point at the issuer host
+             # rather than whatever convention host is making this request.
+             oidc_authorization_endpoint: oidc_authorization_endpoint,
+             oidc_end_session_endpoint: oidc_end_session_endpoint,
              rails_default_active_storage_service_name: Rails.application.config.active_storage.service.to_s,
              rails_direct_uploads_url: rails_direct_uploads_url,
              recaptcha_site_key: Recaptcha.configuration.site_key,
@@ -22,4 +30,14 @@ def show
              rollbar_client_access_token: ENV["ROLLBAR_CLIENT_ACCESS_TOKEN"].presence
            }
   end
+
+  private
+
+  def oidc_authorization_endpoint
+    URI.join(oidc_issuer_url, oauth_authorization_path).to_s
+  end
+
+  def oidc_end_session_endpoint
+    URI.join(oidc_issuer_url, destroy_user_session_path).to_s
+  end
 end

app/javascript/AppContexts.ts

@@ -10,6 +10,8 @@ import AuthenticityTokensManager from 'AuthenticityTokensContext';
 export type ClientConfiguration = {
   oauth_frontend_application_uid: string | null;
   oidc_issuer_url: string | null;
+  oidc_authorization_endpoint: string | null;
+  oidc_end_session_endpoint: string | null;
   rails_default_active_storage_service_name: string;
   rails_direct_uploads_url: string;
   recaptcha_site_key: string | null;

app/javascript/Authentication/authenticationManager.ts

@@ -1,5 +1,5 @@
 import { Configuration } from 'openid-client';
-import { discoverOpenidConfig, generatePKCEChallenge, getAuthorizationRedirectURL } from './openid';
+import { buildOpenidConfig, generatePKCEChallenge, getAuthorizationRedirectURL } from './openid';
 import { createContext } from 'react';
 import * as z from 'zod/mini';
 
@@ -53,6 +53,8 @@ type TokenResponseBody = {
 export class AuthenticationManager {
   clientId?: string;
   issuerUrl?: string;
+  authorizationEndpoint?: string;
+  endSessionEndpoint?: string;
   openidConfig?: Configuration;
   currentLoginFlowData?: LoginFlowData;
   jwtToken?: string;
@@ -99,7 +101,15 @@ export class AuthenticationManager {
       throw new Error('OAuth client ID not configured');
     }
 
-    this.openidConfig = await discoverOpenidConfig(this.clientId, this.issuerUrl);
+    if (!this.issuerUrl) {
+      throw new Error('OIDC issuer URL not configured');
+    }
+
+    this.openidConfig = buildOpenidConfig(this.clientId, {
+      issuer: this.issuerUrl,
+      authorizationEndpoint: this.authorizationEndpoint,
+      endSessionEndpoint: this.endSessionEndpoint,
+    });
     return this.openidConfig;
   }
 

app/javascript/Authentication/openid.ts

@@ -1,5 +1,4 @@
 import {
-  discovery,
   buildAuthorizationUrl,
   Configuration,
   randomPKCECodeVerifier,
@@ -12,13 +11,28 @@ export type PKCEChallengeData = {
   state: string;
 };
 
-export async function discoverOpenidConfig(clientId: string, issuerUrl?: string): Promise<Configuration> {
-  const issuer = new URL(issuerUrl ?? window.location.href);
-  issuer.pathname = '/';
-  issuer.search = '';
-  issuer.hash = '';
-  const config = await discovery(issuer, clientId);
-  return config;
+export type OpenidServerMetadata = {
+  issuer: string;
+  authorizationEndpoint?: string;
+  endSessionEndpoint?: string;
+};
+
+// Build the openid-client Configuration from metadata we already have (delivered
+// same-origin via /client_configuration) rather than fetching the OIDC discovery
+// document. Discovery is a cross-origin request to the issuer host, which gets
+// blocked (Brave shields, untrusted dev certs) and silently wedges login. We only
+// need the authorization endpoint (to build the redirect) and the end-session
+// endpoint (for sign-out); token exchange/refresh go through our own same-origin
+// /oauth_session/* endpoints.
+export function buildOpenidConfig(clientId: string, metadata: OpenidServerMetadata): Configuration {
+  return new Configuration(
+    {
+      issuer: metadata.issuer,
+      authorization_endpoint: metadata.authorizationEndpoint,
+      end_session_endpoint: metadata.endSessionEndpoint,
+    },
+    clientId,
+  );
 }
 
 export async function generatePKCEChallenge(): Promise<PKCEChallengeData> {

app/javascript/packs/application.tsx

@@ -62,6 +62,8 @@ const bootstrapPromise: Promise<Bootstrap> = (async () => {
     clientConfiguration.oauth_frontend_application_uid ?? undefined,
   );
   authManager.issuerUrl = clientConfiguration.oidc_issuer_url ?? undefined;
+  authManager.authorizationEndpoint = clientConfiguration.oidc_authorization_endpoint ?? undefined;
+  authManager.endSessionEndpoint = clientConfiguration.oidc_end_session_endpoint ?? undefined;
 
   // Try to redeem the refresh cookie for an access token before we build the
   // Apollo client, so the first GraphQL query goes out authenticated when the

test/controllers/client_configuration_controller_test.rb

@@ -0,0 +1,20 @@
+# frozen_string_literal: true
+require "test_helper"
+
+class ClientConfigurationControllerTest < ActionDispatch::IntegrationTest
+  it "serves the OIDC endpoints same-origin so the SPA needn't fetch cross-origin discovery" do
+    get "/client_configuration"
+
+    assert_response :ok
+    config = response.parsed_body
+    issuer = config["oidc_issuer_url"]
+
+    assert issuer.present?, "expected an issuer URL"
+    # Endpoints are absolute URLs on the *issuer* host (not whatever host requested this),
+    # built from the issuer so a convention page gets the root-site endpoints.
+    assert config["oidc_authorization_endpoint"].start_with?(issuer)
+    assert config["oidc_authorization_endpoint"].end_with?("/oauth/authorize")
+    assert config["oidc_end_session_endpoint"].start_with?(issuer)
+    assert config["oidc_end_session_endpoint"].end_with?("/users/sign_out")
+  end
+end

test/javascript/Authentication/openid.test.ts

@@ -0,0 +1,32 @@
+import { buildOpenidConfig, getAuthorizationRedirectURL } from '../../../app/javascript/Authentication/openid';
+
+describe('buildOpenidConfig', () => {
+  const metadata = {
+    issuer: 'https://issuer.example.com/',
+    authorizationEndpoint: 'https://issuer.example.com/oauth/authorize',
+    endSessionEndpoint: 'https://issuer.example.com/users/sign_out',
+  };
+
+  it('builds an authorization redirect URL from metadata, with no discovery fetch', () => {
+    const config = buildOpenidConfig('test-client-id', metadata);
+
+    const url = getAuthorizationRedirectURL(
+      config,
+      { verifier: 'test-verifier', challenge: 'test-challenge', state: 'test-state' },
+      'test-client-id',
+    );
+
+    expect(`${url.origin}${url.pathname}`).toBe('https://issuer.example.com/oauth/authorize');
+    expect(url.searchParams.get('client_id')).toBe('test-client-id');
+    expect(url.searchParams.get('response_type')).toBe('code');
+    expect(url.searchParams.get('code_challenge')).toBe('test-challenge');
+    expect(url.searchParams.get('code_challenge_method')).toBe('S256');
+    expect(url.searchParams.get('nonce')).toBe('test-state');
+  });
+
+  it('exposes the end session endpoint for sign-out', () => {
+    const config = buildOpenidConfig('test-client-id', metadata);
+
+    expect(config.serverMetadata().end_session_endpoint).toBe('https://issuer.example.com/users/sign_out');
+  });
+});