Replies: 1 comment
-
This is a path you have to take. Expose your OP through ingress, and do issuer discovery with a call to that public URL.
-
Is there a way we can use relative URLs for Issuer.discover? The code explicitly rejects it.
My setup:
Kubernetes cluster with an nginx ingress (gateway)
MY_APP - my application in a subdirectory /myapp
OIDC - keycloak IDP in a subdirectory /oidc
I want to set up MY_APP to connect to OIDC
The problem:
Both MY_APP and OIDC have internal hostnames that are unknown to the client
If I use the internal hostname URL of OIDC, Issuer.discover works, but it then sends the internal name back to the browser, which fails.
Alternatively, I need to set up the external URL for the issuer, which makes setup and configuration a bit harder, especially since there is no guarantee which external URL a user comes from.
Example setup
Is there a way I can set up this config so that the browser always redirects to the IDP based on
```javascript
const passport = require("passport");
const { Issuer, Strategy } = require("openid-client");

// Runs inside an async method of the class that holds this.config.
// Issuer.discover only accepts an absolute URL; a relative path such as "/oidc" is rejected.
let MyIssuer = await Issuer.discover(this.config.issuer); // => Promise
const params = {
  redirect_uri: this.config.redirect_uri,
  scope: this.config.scope,
  // ... any authorization request parameters go here
};
this.client = new MyIssuer.Client({
  client_id: this.config.client_id,
  client_secret: this.config.client_secret,
  id_token_signed_response_alg: this.config.id_token_signed_response_alg,
  token_endpoint_auth_method: this.config.token_endpoint_auth_method,
});
passport.use("oidc", new Strategy(/* ... */)); // Strategy arguments were omitted in the original post
```
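An added example, written for this thread rather than taken from the question, the reply or openid-client itself: it resolves a relative issuer path against the public base URL (because Issuer.discover refuses relative URLs), performs discovery through that public URL as the reply recommends, and refuses a discovery document whose issuer or browser-facing endpoints point at an internal hostname, which is exactly the redirect failure the question describes. The public base `https://example.com`, the realm path, and both discovery documents are constructed assumptions; the fetcher is injectable so the block runs offline.

```javascript
// Added example, not code from the thread or from openid-client.
// Assumed values: PUBLIC_BASE, the realm path and both discovery documents are constructed.

const WELL_KNOWN = "/.well-known/openid-configuration";

// The URL the browser actually uses to reach the ingress (assumed).
const PUBLIC_BASE = "https://example.com";

// Constructed stand-in for what discovery returns when it is done against the
// in-cluster hostname: the OP builds issuer and endpoints from the host it was asked on,
// so the browser would later be redirected to a name it cannot resolve.
const INTERNAL_DISCOVERY = {
  issuer: "http://keycloak.default.svc:8080/oidc/realms/myrealm",
  authorization_endpoint: "http://keycloak.default.svc:8080/oidc/realms/myrealm/protocol/openid-connect/auth",
  token_endpoint: "http://keycloak.default.svc:8080/oidc/realms/myrealm/protocol/openid-connect/token",
  jwks_uri: "http://keycloak.default.svc:8080/oidc/realms/myrealm/protocol/openid-connect/certs",
};

// Constructed stand-in for the same realm discovered through the public ingress URL.
const PUBLIC_DISCOVERY = {
  issuer: "https://example.com/oidc/realms/myrealm",
  authorization_endpoint: "https://example.com/oidc/realms/myrealm/protocol/openid-connect/auth",
  token_endpoint: "https://example.com/oidc/realms/myrealm/protocol/openid-connect/token",
  jwks_uri: "https://example.com/oidc/realms/myrealm/protocol/openid-connect/certs",
  end_session_endpoint: "https://example.com/oidc/realms/myrealm/protocol/openid-connect/logout",
};

// Issuer.discover() wants an absolute URL. A relative path such as "/oidc/realms/myrealm"
// is resolved against the public base; an absolute configured value is used unchanged.
// http is rejected on purpose: the issuer identifier is also what the browser is sent to.
function resolveIssuer(configuredIssuer, publicBase = PUBLIC_BASE) {
  const url = new URL(configuredIssuer, publicBase);
  if (url.protocol !== "https:") {
    throw new Error(`issuer must be https, got ${url.href}`);
  }
  if (url.search || url.hash) {
    throw new Error("issuer identifier must not carry a query or fragment");
  }
  return url.href;
}

// Vets a discovery document against the issuer URL it was fetched from.
function validateDiscovery(issuer, doc) {
  // OIDC Discovery 4.3: the issuer value must be identical to the URL used for discovery.
  // This is also the client's defence against issuer mix-up.
  if (doc.issuer !== issuer) {
    throw new Error(`issuer mismatch: discovered via ${issuer}, document says ${doc.issuer}`);
  }
  for (const key of ["authorization_endpoint", "token_endpoint", "jwks_uri"]) {
    if (typeof doc[key] !== "string") {
      throw new Error(`discovery document lacks ${key}`);
    }
  }
  // The browser is redirected to these endpoints, so they must live on the public origin.
  // An internal hostname here is the failure described in the question.
  const publicOrigin = new URL(issuer).origin;
  for (const key of ["authorization_endpoint", "end_session_endpoint"]) {
    if (doc[key] !== undefined && new URL(doc[key]).origin !== publicOrigin) {
      throw new Error(`${key} (${doc[key]}) is not reachable from the browser's origin ${publicOrigin}`);
    }
  }
  return doc;
}

// Fetches and validates the discovery document. fetchDoc is injectable so this runs
// offline; the default uses the global fetch available in Node 18+.
async function discover(configuredIssuer, publicBase = PUBLIC_BASE, fetchDoc = defaultFetch) {
  const issuer = resolveIssuer(configuredIssuer, publicBase);
  const doc = await fetchDoc(issuer + WELL_KNOWN);
  return validateDiscovery(issuer, doc);
}

async function defaultFetch(url) {
  const res = await fetch(url);
  if (!res.ok) throw new Error(`discovery failed: HTTP ${res.status} for ${url}`);
  return res.json();
}

// Offline "network": only the public well-known URL answers, as it would through the ingress.
async function OFFLINE_FETCH(url) {
  const routes = { [PUBLIC_DISCOVERY.issuer + WELL_KNOWN]: PUBLIC_DISCOVERY };
  if (!(url in routes)) throw new Error(`no route to ${url}`);
  return routes[url];
}

discover("/oidc/realms/myrealm", PUBLIC_BASE, OFFLINE_FETCH)
  .then((doc) => console.log("browser will be sent to", doc.authorization_endpoint))
  .catch((err) => console.error(err.message));
```

The validated document can be handed to openid-client's `Issuer` constructor (`new Issuer(doc)`) in place of calling `Issuer.discover` against the internal service name, so every endpoint the library later gives the browser is one the browser can actually reach. The origin check is stricter than the specification requires (the spec only mandates the issuer match), but in the ingress setup from the question it catches the internal-hostname leak before a user ever sees a broken redirect.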