Skip to content

Sync JWKS URI #3009

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
h2zh wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Sync JWKS URI #3009

h2zh wants to merge 1 commit into from
+4 −4

Conversation

@h2zh
Copy link
Contributor

@h2zh h2zh commented Jan 20, 2026
edited
Loading

This PR syncs the JWKS URI in federation discovery endpoint /.well-known/pelican-configuration with the JWKS URI in Pelican process' global federation metadata pelican_url.FederationDiscovery

  • Before this PR, the JWKS URI in federation discovery endpoint is just appending /.well-known/pelican-configuration to Director URL, even though the Discovery URL is set. This means the JWKS URI provided by Discovery URL may contain a different set of keys.
    But this may be intentional! Director should advertise its own key endpoint rather than potentially pointing to a different server's JWKS URI.

A quick recap: In discoverFederationImpl func, fedInfo.JwksUri will first fill with the value of the Federation.JwkUrl config param. If it is not set, that function will probe Discovery Endpoint to get the jwks_uri there. At last, if fedInfo.JwksUri is still empty, it will fallbacks to Director's externalUrl + "/.well-known/issuer.jwks"

@h2zh
Sync the JWKS URI
d10bb5a 
- So the JWKS URI federation discovery endpoint and what's in Pelican process' global federation metadata `pelican_url.FederationDiscovery`
- In `discoverFederationImpl`, `fedInfo.JwksUri` will first fill with the value of the `Federation.JwkUrl` config param. If it is not set, that function will probe Discovery Endpoint to get the `jwks_uri` there. At last, if `fedInfo.JwksUri` is still empty, it will fallbacks to Director's externalUrl + "/.well-known/issuer.jwks"
@h2zh h2zh mentioned this pull request Jan 20, 2026
Open
@h2zh h2zh requested review from jhiemstrawisc and removed request for jhiemstrawisc January 20, 2026 19:21
@h2zh h2zh closed this Jan 20, 2026
@jhiemstrawisc
Copy link
Member

jhiemstrawisc commented Jan 21, 2026

I know you closed this, but one thing to consider -- the /.well-known/pelican-configuration path is always meant to be the Pelican Federation's metadata discovery endpoint, and I really do think it should be globally unique. When the Director needs to advertise its own keys, it should do so through the standard OIDC flow, which puts the jwks_uri behind /.well-known/openid-configuration. This lets us keep the two separate so that we can guarantee all copies of /.well-known/pelican-configuration are the same.

@h2zh
Copy link
Contributor Author

h2zh commented Jan 21, 2026

Thanks for the enlightenment @jhiemstrawisc. I think it would be better to reopen this PR and close the other one (#3008)?

@jhiemstrawisc
Copy link
Member

jhiemstrawisc commented Jan 21, 2026

Up to you how you want to resolve things! I'd argue what we're shooting for here is:

  1. If a Director hosts a copy of metadata at /.well-known/pelican-configuration, it should match exactly any metadata hosted at the Federation's discovery URL. I think your other PR takes the right approach in displaying discrepancies without making this the kind of error that prevents you from starting the Director.
  2. Ideally, the Director is going through the same discovery process as anyone else and querying <discoveryUrl>/.well-known/pelican-configuration to make a copy of it directly. The only tricky part might be if the Director has a config like:
Federation:
  DiscoveryUrl: osg-htc.org
  RegistryUrl: some-hostname-different-from-what-gets-discovered-at-osg-htc.org

Since we technically allow admins to overwrite discovered values with whatever they want via config, we should ask whether a configuration like that means a) "Use this different Registry internally, but keep the duplicate fed discovery metadata consistent by using the discovered registry" or does it mean b) "I want to use this Registry and also overwrite the value that gets put into federation metadata discovery. While I'm leaning towards a), I think for now it's better to do b) and present the warning you worked on in #3008 (otherwise you'll have to decouple big sections of code). What do you think?

@h2zh
Copy link
Contributor Author

h2zh commented Jan 22, 2026
edited
Loading

After one day of consideration, my plan is moving forward with both this PR and #3008.

This PR can ensure the same keys are provided via the /.well-known/pelican-configuration endpoints at Director and discovery URL (just like the 1. you mentioned).

And #3008 can warn the Director admin for rare scenarios when they overwrite the config related to the metadata. Beside your example in 2., they can customize the jwks_uri to serve a different set of keys.

Federation:
  JwkUrl: <>

@h2zh h2zh reopened this Jan 22, 2026
@h2zh h2zh requested a review from jhiemstrawisc January 22, 2026 19:33
jhiemstrawisc
jhiemstrawisc requested changes Jan 28, 2026
View reviewed changes
director/discovery.go
log.Error("Bad server configuration: fail to generate JwksUri: ", err)
jwksUri := fedInfo.JwksUri
if jwksUri == "" {
log.Error("Bad server configuration: fail to get JwksUri: ", err)
Copy link
Member

@jhiemstrawisc jhiemstrawisc Jan 28, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Two comments here:

  1. I don't think you want to provide this err here because it's coming from the previous registryUrl, err := url.Parse(registryUrlStr) and should thus always be nil
  2. I think we should avoid using the internal variable name JwksUri here. Instead, can you say something like Bad server configuration: Director is missing federation keys (\"jwks_uri\")? I like this a little better because someone who looks at the metadata JSON will see jwks_uri, not JwksUri.

director/discovery.go
ctx.JSON(http.StatusInternalServerError, server_structs.SimpleApiResp{
Status: server_structs.RespFailed,
Msg: "Bad server configuration: JwksUri is not valid",
Msg: "Bad server configuration: unable to get JwksUri",
Copy link
Member

@jhiemstrawisc jhiemstrawisc Jan 28, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Whatever phrasing you end up landing on for the previous comment, can you use the same phrasing between these two messages?

director/discovery.go
if err != nil {
log.Error("Bad server configuration: fail to generate JwksUri: ", err)
jwksUri := fedInfo.JwksUri
if jwksUri == "" {
Copy link
Member

@jhiemstrawisc jhiemstrawisc Jan 28, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I almost wonder if this should be an error that prevents the Director from starting -- if there's no jwks_uri, can the federation function at all? I'll let you decide how far you want to chase it.

@h2zh h2zh self-assigned this Feb 3, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jhiemstrawisc jhiemstrawisc jhiemstrawisc requested changes

Requested changes must be addressed to merge this pull request.

Assignees

@h2zh h2zh

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@h2zh @jhiemstrawisc