Allow setting a different issuer from the public base URL

crates/cli/src/commands/server.rs

@@ -83,7 +83,8 @@ impl Options {
         let policy_factory = policy_factory_from_config(&config.policy).await?;
         let policy_factory = Arc::new(policy_factory);
 
-        let url_builder = UrlBuilder::new(config.http.public_base.clone());
+        let url_builder =
+            UrlBuilder::new(config.http.public_base.clone(), config.http.issuer.clone());
 
         // Load and compile the templates
         let templates = templates_from_config(&config.templates, &url_builder).await?;

crates/cli/src/commands/templates.rs

@@ -44,7 +44,8 @@ impl Options {
                 let clock = SystemClock::default();
                 // XXX: we should disallow SeedableRng::from_entropy
                 let mut rng = rand_chacha::ChaChaRng::from_entropy();
-                let url_builder = mas_router::UrlBuilder::new("https://example.com/".parse()?);
+                let url_builder =
+                    mas_router::UrlBuilder::new("https://example.com/".parse()?, None);
                 let templates = Templates::load(path, url_builder).await?;
                 templates.check_render(clock.now(), &mut rng).await?;
 

crates/cli/src/commands/worker.rs

@@ -37,7 +37,8 @@ impl Options {
         info!("Connecting to the database");
         let pool = database_from_config(&config.database).await?;
 
-        let url_builder = UrlBuilder::new(config.http.public_base.clone());
+        let url_builder =
+            UrlBuilder::new(config.http.public_base.clone(), config.http.issuer.clone());
 
         // Load and compile the templates
         let templates = templates_from_config(&config.templates, &url_builder).await?;

crates/config/src/sections/http.rs

@@ -326,6 +326,9 @@ pub struct HttpConfig {
 
     /// Public URL base from where the authentication service is reachable
     pub public_base: Url,
+
+    /// OIDC issuer URL. Defaults to `public_base` if not set.
+    pub issuer: Option<Url>,
 }
 
 impl Default for HttpConfig {
@@ -364,6 +367,7 @@ impl Default for HttpConfig {
                     }],
                 },
             ],
+            issuer: Some(default_public_base()),
             public_base: default_public_base(),
         }
     }

crates/handlers/src/test_utils.rs

@@ -110,7 +110,7 @@ impl TestState {
             .join("..")
             .join("..");
 
-        let url_builder = UrlBuilder::new("https://example.com/".parse()?);
+        let url_builder = UrlBuilder::new("https://example.com/".parse()?, None);
 
         let templates =
             Templates::load(workspace_root.join("templates"), url_builder.clone()).await?;

crates/router/src/url_builder.rs

@@ -22,6 +22,7 @@ use crate::traits::Route;
 #[derive(Clone, Debug, PartialEq, Eq)]
 pub struct UrlBuilder {
     base: Url,
+    issuer: Url,
 }
 
 impl UrlBuilder {
@@ -41,20 +42,21 @@ impl UrlBuilder {
 
     /// Create a new [`UrlBuilder`] from a base URL
     #[must_use]
-    pub fn new(base: Url) -> Self {
-        Self { base }
+    pub fn new(base: Url, issuer: Option<Url>) -> Self {
+        let issuer = issuer.unwrap_or_else(|| base.clone());
+        Self { base, issuer }
     }
 
     /// OIDC issuer
     #[must_use]
     pub fn oidc_issuer(&self) -> Url {
-        self.base.clone()
+        self.issuer.clone()
     }
 
-    /// OIDC dicovery document URL
+    /// OIDC discovery document URL
     #[must_use]
     pub fn oidc_discovery(&self) -> Url {
-        self.url_for(&crate::endpoints::OidcConfiguration)
+        crate::endpoints::OidcConfiguration.absolute_url(&self.issuer)
     }
 
     /// OAuth 2.0 authorization endpoint

crates/templates/src/lib.rs

@@ -305,7 +305,7 @@ mod tests {
         let mut rng = rand::thread_rng();
 
         let path = Utf8Path::new(env!("CARGO_MANIFEST_DIR")).join("../../templates/");
-        let url_builder = UrlBuilder::new("https://example.com/".parse().unwrap());
+        let url_builder = UrlBuilder::new("https://example.com/".parse().unwrap(), None);
         let templates = Templates::load(path, url_builder).await.unwrap();
         templates.check_render(now, &mut rng).await.unwrap();
     }

docs/config.schema.json

@@ -59,6 +59,7 @@
     "http": {
       "description": "Configuration of the HTTP server",
       "default": {
+        "issuer": "http://[::]:8080/",
         "listeners": [
           {
             "binds": [
@@ -787,6 +788,11 @@
         "public_base"
       ],
       "properties": {
+        "issuer": {
+          "description": "OIDC issuer URL. Defaults to `public_base` if not set.",
+          "type": "string",
+          "format": "uri"
+        },
         "listeners": {
           "description": "List of listeners to run",
           "default": [],