feat: add multi-issuer support based on host header #124

Merged: sylr merged 3 commits into main from feat/multi-issuers on Mar 2, 2026


@sylr sylr commented Feb 27, 2026

Dynamically select the OIDC issuer from the incoming X-Forwarded-Host (or Host) header, validated against a configured list of trusted issuers. This allows the auth service to serve multiple domains with correct issuer URLs in discovery and token endpoints.

Adds --auth-issuers flag for specifying additional trusted issuer URLs.

Dynamically select the OIDC issuer from the incoming X-Forwarded-Host
(or Host) header, validated against a configured list of trusted
issuers. This allows the auth service to serve multiple domains with
correct issuer URLs in discovery and token endpoints.

Adds --auth-issuers flag for specifying additional trusted issuer URLs.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

coderabbitai bot commented Feb 27, 2026

Warning

Rate limit exceeded

@sylr has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 14 minutes and 51 seconds before requesting another review.


📥 Commits

Reviewing files that changed from the base of the PR and between 2ba6855 and 3c16e43.

📒 Files selected for processing (7)
  • cmd/serve.go
  • pkg/api/module.go
  • pkg/oidc/grant_type_bearer.go
  • pkg/oidc/issuer.go
  • pkg/oidc/module.go
  • pkg/oidc/oidc_test.go
  • pkg/oidc/provider.go

sylr and others added 2 commits February 27, 2026 17:03
Signed-off-by: Sylvain Rabot <sylvain@abstraction.fr>
The previous approach overrode the issuer in context, but ZITADEL's
discovery handler calls config.IssuerFromRequest(r) which invokes the
stored IssuerFromRequest function directly, bypassing context. Switch
from op.NewOpenIDProvider (StaticIssuer) to op.NewDynamicOpenIDProvider
(IssuerFromHost) and rewrite r.Host in chi middleware so ZITADEL
constructs the correct issuer URL per-request.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@sylr sylr marked this pull request as ready for review March 2, 2026 08:31
@sylr sylr merged commit 424eb83 into main Mar 2, 2026
6 checks passed
@sylr sylr deleted the feat/multi-issuers branch March 2, 2026 09:39
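
The host-based issuer selection this PR describes (trust the X-Forwarded-Host or Host value only if it matches a configured issuer, then rewrite `r.Host` so a host-based issuer function builds the right URL), as an added standard-library example that is not code from this pull request or the project. The names `trustedHosts`, `issuerHost` and `resolve`, the fallback to a primary issuer host, the https-only check and all hostnames are assumptions.

```go
package main
import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// trustedHosts turns configured issuer URLs into a set of allowed hosts (hypothetical helper).
func trustedHosts(issuers []string) (map[string]bool, error) {
	set := make(map[string]bool, len(issuers))
	for _, raw := range issuers {
		u, err := url.Parse(raw)
		if err != nil || u.Scheme != "https" || u.Host == "" {
			return nil, fmt.Errorf("invalid issuer URL %q", raw)
		}
		set[strings.ToLower(u.Host)] = true
	}
	return set, nil
}
// issuerHost rewrites r.Host only to an allowlisted host; the header is client-controlled.
func issuerHost(trusted map[string]bool, fallback string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		host := r.Header.Get("X-Forwarded-Host")
		if host == "" {
			host = r.Host
		}
		if host = strings.ToLower(strings.TrimSpace(host)); !trusted[host] {
			host = fallback // assumption: unknown or multi-valued hosts get the primary issuer
		}
		r.Host = host
		next.ServeHTTP(w, r)
	})
}
// resolve sends one constructed request through the middleware and returns the derived issuer.
func resolve(trusted map[string]bool, fallback, hostHdr, fwdHost string) string {
	req := httptest.NewRequest(http.MethodGet, "/.well-known/openid-configuration", nil)
	req.Host = hostHdr
	req.Header.Set("X-Forwarded-Host", fwdHost)
	var issuer string
	issuerHost(trusted, fallback, http.HandlerFunc(func(_ http.ResponseWriter, r *http.Request) {
		issuer = "https://" + r.Host // stand-in for the provider's host-based issuer function
	})).ServeHTTP(httptest.NewRecorder(), req)
	return issuer
}
func main() {
	t, _ := trustedHosts([]string{"https://auth.example.com", "https://login.example.org"})
	fmt.Println(resolve(t, "auth.example.com", "10.0.0.5:8080", "attacker.example.net"))
}
```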