tested edge cases, ack'd PR comments

waleedlatif1 · waleedlatif1 · commit 2c8c116e88e3 · 2026-01-19T19:14:22.000-08:00
diff --git a/apps/sim/app/api/auth/sso/register/route.ts b/apps/sim/app/api/auth/sso/register/route.ts
@@ -138,26 +138,23 @@ export async function POST(request: NextRequest) {
         pkce: pkce ?? true,
       }
 
-      const hasExplicitEndpoints = authorizationEndpoint && tokenEndpoint && jwksEndpoint
+      oidcConfig.authorizationEndpoint = authorizationEndpoint
+      oidcConfig.tokenEndpoint = tokenEndpoint
+      oidcConfig.userInfoEndpoint = userInfoEndpoint
+      oidcConfig.jwksEndpoint = jwksEndpoint
 
-      if (hasExplicitEndpoints) {
-        oidcConfig.authorizationEndpoint = authorizationEndpoint
-        oidcConfig.tokenEndpoint = tokenEndpoint
-        oidcConfig.userInfoEndpoint = userInfoEndpoint
-        oidcConfig.jwksEndpoint = jwksEndpoint
+      const needsDiscovery =
+        !oidcConfig.authorizationEndpoint || !oidcConfig.tokenEndpoint || !oidcConfig.jwksEndpoint
 
-        logger.info('Using explicitly provided OIDC endpoints', {
-          providerId,
-          issuer,
-          authorizationEndpoint: oidcConfig.authorizationEndpoint,
-          tokenEndpoint: oidcConfig.tokenEndpoint,
-          userInfoEndpoint: oidcConfig.userInfoEndpoint,
-          jwksEndpoint: oidcConfig.jwksEndpoint,
-        })
-      } else {
+      if (needsDiscovery) {
         const discoveryUrl = `${issuer.replace(/\/$/, '')}/.well-known/openid-configuration`
         try {
-          logger.info('Fetching OIDC discovery document', { discoveryUrl })
+          logger.info('Fetching OIDC discovery document for missing endpoints', {
+            discoveryUrl,
+            hasAuthEndpoint: !!oidcConfig.authorizationEndpoint,
+            hasTokenEndpoint: !!oidcConfig.tokenEndpoint,
+            hasJwksEndpoint: !!oidcConfig.jwksEndpoint,
+          })
 
           const discoveryResponse = await fetch(discoveryUrl, {
             headers: { Accept: 'application/json' },
@@ -170,39 +167,21 @@ export async function POST(request: NextRequest) {
             })
             return NextResponse.json(
               {
-                error: `Failed to fetch OIDC discovery document from ${discoveryUrl}. Status: ${discoveryResponse.status}`,
+                error: `Failed to fetch OIDC discovery document from ${discoveryUrl}. Status: ${discoveryResponse.status}. Provide all endpoints explicitly or verify the issuer URL.`,
               },
               { status: 400 }
             )
           }
 
           const discovery = await discoveryResponse.json()
 
-          if (
-            !discovery.authorization_endpoint ||
-            !discovery.token_endpoint ||
-            !discovery.jwks_uri
-          ) {
-            logger.error('OIDC discovery document missing required endpoints', {
-              hasAuthEndpoint: !!discovery.authorization_endpoint,
-              hasTokenEndpoint: !!discovery.token_endpoint,
-              hasJwksUri: !!discovery.jwks_uri,
-            })
-            return NextResponse.json(
-              {
-                error:
-                  'OIDC discovery document is missing required endpoints (authorization_endpoint, token_endpoint, jwks_uri)',
-              },
-              { status: 400 }
-            )
-          }
-
-          oidcConfig.authorizationEndpoint = discovery.authorization_endpoint
-          oidcConfig.tokenEndpoint = discovery.token_endpoint
-          oidcConfig.userInfoEndpoint = discovery.userinfo_endpoint
-          oidcConfig.jwksEndpoint = discovery.jwks_uri
+          oidcConfig.authorizationEndpoint =
+            oidcConfig.authorizationEndpoint || discovery.authorization_endpoint
+          oidcConfig.tokenEndpoint = oidcConfig.tokenEndpoint || discovery.token_endpoint
+          oidcConfig.userInfoEndpoint = oidcConfig.userInfoEndpoint || discovery.userinfo_endpoint
+          oidcConfig.jwksEndpoint = oidcConfig.jwksEndpoint || discovery.jwks_uri
 
-          logger.info('Successfully fetched OIDC endpoints from discovery', {
+          logger.info('Merged OIDC endpoints (user-provided + discovery)', {
             providerId,
             issuer,
             authorizationEndpoint: oidcConfig.authorizationEndpoint,
@@ -217,11 +196,44 @@ export async function POST(request: NextRequest) {
           })
           return NextResponse.json(
             {
-              error: `Failed to fetch OIDC discovery document from ${discoveryUrl}. Please verify the issuer URL is correct.`,
+              error: `Failed to fetch OIDC discovery document from ${discoveryUrl}. Please verify the issuer URL is correct or provide all endpoints explicitly.`,
             },
             { status: 400 }
           )
         }
+      } else {
+        logger.info('Using explicitly provided OIDC endpoints (all present)', {
+          providerId,
+          issuer,
+          authorizationEndpoint: oidcConfig.authorizationEndpoint,
+          tokenEndpoint: oidcConfig.tokenEndpoint,
+          userInfoEndpoint: oidcConfig.userInfoEndpoint,
+          jwksEndpoint: oidcConfig.jwksEndpoint,
+        })
+      }
+
+      if (
+        !oidcConfig.authorizationEndpoint ||
+        !oidcConfig.tokenEndpoint ||
+        !oidcConfig.jwksEndpoint
+      ) {
+        const missing: string[] = []
+        if (!oidcConfig.authorizationEndpoint) missing.push('authorizationEndpoint')
+        if (!oidcConfig.tokenEndpoint) missing.push('tokenEndpoint')
+        if (!oidcConfig.jwksEndpoint) missing.push('jwksEndpoint')
+
+        logger.error('Missing required OIDC endpoints after discovery merge', {
+          missing,
+          authorizationEndpoint: oidcConfig.authorizationEndpoint,
+          tokenEndpoint: oidcConfig.tokenEndpoint,
+          jwksEndpoint: oidcConfig.jwksEndpoint,
+        })
+        return NextResponse.json(
+          {
+            error: `Missing required OIDC endpoints: ${missing.join(', ')}. Please provide these explicitly or verify the issuer supports OIDC discovery.`,
+          },
+          { status: 400 }
+        )
       }
 
       providerConfig.oidcConfig = oidcConfig
diff --git a/packages/db/scripts/register-sso-provider.ts b/packages/db/scripts/register-sso-provider.ts
@@ -391,16 +391,21 @@ async function registerSSOProvider(): Promise<boolean> {
     }
 
     if (ssoConfig.providerType === 'oidc' && ssoConfig.oidcConfig) {
-      const hasAllEndpoints =
-        ssoConfig.oidcConfig.authorizationEndpoint &&
-        ssoConfig.oidcConfig.tokenEndpoint &&
-        ssoConfig.oidcConfig.jwksEndpoint
+      const needsDiscovery =
+        !ssoConfig.oidcConfig.authorizationEndpoint ||
+        !ssoConfig.oidcConfig.tokenEndpoint ||
+        !ssoConfig.oidcConfig.jwksEndpoint
 
-      if (!hasAllEndpoints) {
+      if (needsDiscovery) {
         const discoveryUrl =
           ssoConfig.oidcConfig.discoveryEndpoint ||
           `${ssoConfig.issuer.replace(/\/$/, '')}/.well-known/openid-configuration`
-        logger.info('Fetching OIDC discovery document...', { discoveryUrl })
+        logger.info('Fetching OIDC discovery document for missing endpoints...', {
+          discoveryUrl,
+          hasAuthEndpoint: !!ssoConfig.oidcConfig.authorizationEndpoint,
+          hasTokenEndpoint: !!ssoConfig.oidcConfig.tokenEndpoint,
+          hasJwksEndpoint: !!ssoConfig.oidcConfig.jwksEndpoint,
+        })
 
         try {
           const response = await fetch(discoveryUrl, {
@@ -412,30 +417,24 @@ async function registerSSOProvider(): Promise<boolean> {
               status: response.status,
               statusText: response.statusText,
             })
+            logger.error(
+              'Provide all endpoints explicitly via SSO_OIDC_AUTHORIZATION_ENDPOINT, SSO_OIDC_TOKEN_ENDPOINT, SSO_OIDC_JWKS_ENDPOINT'
+            )
             return false
           }
 
           const discovery = await response.json()
 
-          if (
-            !discovery.authorization_endpoint ||
-            !discovery.token_endpoint ||
-            !discovery.jwks_uri
-          ) {
-            logger.error('OIDC discovery document missing required endpoints', {
-              hasAuthEndpoint: !!discovery.authorization_endpoint,
-              hasTokenEndpoint: !!discovery.token_endpoint,
-              hasJwksUri: !!discovery.jwks_uri,
-            })
-            return false
-          }
-
-          ssoConfig.oidcConfig.authorizationEndpoint = discovery.authorization_endpoint
-          ssoConfig.oidcConfig.tokenEndpoint = discovery.token_endpoint
-          ssoConfig.oidcConfig.userInfoEndpoint = discovery.userinfo_endpoint
-          ssoConfig.oidcConfig.jwksEndpoint = discovery.jwks_uri
+          ssoConfig.oidcConfig.authorizationEndpoint =
+            ssoConfig.oidcConfig.authorizationEndpoint || discovery.authorization_endpoint
+          ssoConfig.oidcConfig.tokenEndpoint =
+            ssoConfig.oidcConfig.tokenEndpoint || discovery.token_endpoint
+          ssoConfig.oidcConfig.userInfoEndpoint =
+            ssoConfig.oidcConfig.userInfoEndpoint || discovery.userinfo_endpoint
+          ssoConfig.oidcConfig.jwksEndpoint =
+            ssoConfig.oidcConfig.jwksEndpoint || discovery.jwks_uri
 
-          logger.info('✅ Successfully fetched OIDC endpoints from discovery', {
+          logger.info('Merged OIDC endpoints (user-provided + discovery)', {
             authorizationEndpoint: ssoConfig.oidcConfig.authorizationEndpoint,
             tokenEndpoint: ssoConfig.oidcConfig.tokenEndpoint,
             userInfoEndpoint: ssoConfig.oidcConfig.userInfoEndpoint,
@@ -447,10 +446,38 @@ async function registerSSOProvider(): Promise<boolean> {
             discoveryUrl,
           })
           logger.error(
-            'Please provide explicit endpoints via SSO_OIDC_AUTHORIZATION_ENDPOINT, etc.'
+            'Please provide explicit endpoints via SSO_OIDC_AUTHORIZATION_ENDPOINT, SSO_OIDC_TOKEN_ENDPOINT, SSO_OIDC_JWKS_ENDPOINT'
           )
           return false
         }
+      } else {
+        logger.info('Using explicitly provided OIDC endpoints (all present)', {
+          authorizationEndpoint: ssoConfig.oidcConfig.authorizationEndpoint,
+          tokenEndpoint: ssoConfig.oidcConfig.tokenEndpoint,
+          userInfoEndpoint: ssoConfig.oidcConfig.userInfoEndpoint,
+          jwksEndpoint: ssoConfig.oidcConfig.jwksEndpoint,
+        })
+      }
+
+      if (
+        !ssoConfig.oidcConfig.authorizationEndpoint ||
+        !ssoConfig.oidcConfig.tokenEndpoint ||
+        !ssoConfig.oidcConfig.jwksEndpoint
+      ) {
+        const missing: string[] = []
+        if (!ssoConfig.oidcConfig.authorizationEndpoint)
+          missing.push('SSO_OIDC_AUTHORIZATION_ENDPOINT')
+        if (!ssoConfig.oidcConfig.tokenEndpoint) missing.push('SSO_OIDC_TOKEN_ENDPOINT')
+        if (!ssoConfig.oidcConfig.jwksEndpoint) missing.push('SSO_OIDC_JWKS_ENDPOINT')
+
+        logger.error('Missing required OIDC endpoints after discovery merge', {
+          missing,
+          authorizationEndpoint: ssoConfig.oidcConfig.authorizationEndpoint,
+          tokenEndpoint: ssoConfig.oidcConfig.tokenEndpoint,
+          jwksEndpoint: ssoConfig.oidcConfig.jwksEndpoint,
+        })
+        logger.error(`Please provide: ${missing.join(', ')}`)
+        return false
       }
     }
 
