docs(server): document OIDC fail-fast on undecryptable providers (#98)#107
Merged
Merged
Conversation
Plugwerk 1.0.0 added a fourth PLUGWERK_AUTH_OIDC_* env var as a
production safety net for OIDC encryption-key mismatches:
PLUGWERK_AUTH_OIDC_FAIL_FAST_ON_UNDECRYPTABLE_PROVIDERS (default false)
Default behaviour is unchanged — the server boots, affected providers
are logged at ERROR and skipped, others continue working. With the
flag set to true, the server refuses to start and lists every
affected registrationId, surfacing the misconfiguration in the
deployment pipeline rather than at the user's login button.
server/configuration.mdx:
- One new row in the Optional Environment Variables table, pointing
at the new section anchor #oidc-encryption-key-safety.
- New "OIDC encryption-key safety" section between the existing
"OIDC SSRF guard" section and "Health Checks":
* Context (when the failure happens, why).
* Default behaviour with the actual log-line wording from
DbClientRegistrationRepository / encryptionKeyMismatchMessage.
* Fail-fast behaviour with the actual boot-error wording.
* `:::tip` recommending true for production / false for dev.
* Cross-links to the operator-facing fix path in oidc-providers.
server/oidc-providers.mdx:
- Security and best practices: new bullet recommending fail-fast in
production, with the trade-off explanation, pointing at the
configuration section.
- Troubleshooting: new entry "Sign in with <provider> returns 4xx
but the server is healthy" with the structured ERROR log line,
the two operator fixes (re-enter secret in admin UI / restore
previous encryption key), and a pointer at the fail-fast flag.
All wording is lifted from the actual sources at v1.0.0:
- DbClientRegistrationRepository.kt (boot-failure message + flag
plumbing)
- CryptoDiagnostics.kt (encryptionKeyMismatchMessage helper)
Read for accuracy, not cited (per AGENTS.md no-internal-link rule).
Closes #98
bigpuritz
added
documentation
14 tasks
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Closes #98.
Plugwerk 1.0.0 added
PLUGWERK_AUTH_OIDC_FAIL_FAST_ON_UNDECRYPTABLE_PROVIDERS(defaultfalse) as a production safety net for OIDC encryption-key mismatches. The 1.0.0 release notes (PR #105) call out that the feature exists; this PR is the operator-facing reference for it.Files changed
server/configuration.mdxserver/oidc-providers.mdxWhat the new section covers
false) — boot anyway, log + skip; with the actualCannot decrypt OIDC provider …ERROR-line wording so operators can grep for it.true) — boot refused, every affectedregistrationIdlisted in one shot; with the actualRefusing to start: …boot-failure wording.:::tip— fail-fast in prod (a half-broken login surface is worse than a Kubernetes restart loop), default in dev (one broken provider should not block iteration on others).Source verification
All env-var name, default, and on-the-wire log/error string copy verified against
v1.0.0source:plugwerk-server/.../security/DbClientRegistrationRepository.kt— flag plumbing, boot-failure messageplugwerk-server/.../config/CryptoDiagnostics.kt—encryptionKeyMismatchMessagehelper that builds the ERROR lineSource files read for accuracy, not cited in the docs (per the AGENTS.md no-internal-link rule). Internal-link grep returns 0 hits in the new content.
Note on the issue body
The issue says "covers the #479 leftover from closed issue #88". That predecessor was actually fully delivered by PR #93 — all three
#479SSRF properties (ALLOW_PRIVATE_DISCOVERY_URIS,BLOCKED_HOST_NAMES,BLOCKED_HOST_SUFFIXES) are documented today, with their own dedicated#oidc-ssrf-guardsection. This PR is purely additive — adds the fourthPLUGWERK_AUTH_OIDC_*property and a sibling#oidc-encryption-key-safetysection right next to it.Acceptance criteria from #98
PLUGWERK_AUTH_OIDC_FAIL_FAST_ON_UNDECRYPTABLE_PROVIDERSlisted in the environment-variables reference.PLUGWERK_AUTH_OIDC_*properties documented together (the three SSRF ones were already in main from PR docs(server): document the OIDC SSRF guard env vars (#88) #93; this PR adds the fail-fast one to the same table block).:::tipblock in the new section + best-practices bullet in oidc-providers).Cannot decrypt … PLUGWERK_AUTH_ENCRYPTION_KEYlog line.Test plan
npm run formatcleannpm run format:checkcleannpm run buildclean (32 pages, no drift)#oidc-encryption-key-safetyrendered on/server/configuration//server/oidc-providers/resolve to that anchor#sign-in-with-provider-returns-4xx-but-the-server-is-healthyrendered on/server/oidc-providers//server/configuration/#oidc-encryption-key-safety, verify the:::tipblock renders, the two log-line code blocks read clearly, and the cross-link to/server/oidc-providers/#sign-in-with-provider-returns-4xx-but-the-server-is-healthylands on the new troubleshooting entry