Hello,
I am testing Supabase Auth as an OAuth 2.1 / OIDC provider in a self-hosted setup.
I believe I have completed the required migration steps for asymmetric signing keys and updated Kong, but the OIDC discovery document is still invalid.
Environment
- Self-hosted Supabase
- Auth image: `supabase/gotrue:v2.188.1`
- Kong image: `kong/kong:3.9.1`
What I configured
Auth
In the auth service:
Realtime
In the realtime service:
- API_JWT_JWKS=${JWT_JWKS:-{"keys":[]}}
Storage
In the storage service:
- JWT_JWKS=${JWT_JWKS:-{"keys":[]}}
Keys
I generated the new auth keys using the official script:
- JWT_KEYS
- JWT_JWKS
- SUPABASE_PUBLISHABLE_KEY
- SUPABASE_SECRET_KEY
- ANON_KEY_ASYMMETRIC
- SERVICE_ROLE_KEY_ASYMMETRIC
These values were injected into the self-hosted stack.
Kong
Kong was updated to the newer official-style setup:
- kong/kong:3.9.1
- mounted kong-entrypoint.sh
- mounted kong.yml
- enabled plugins including post-function
- injected:
- SUPABASE_PUBLISHABLE_KEY
- SUPABASE_SECRET_KEY
- ANON_KEY_ASYMMETRIC
- SERVICE_ROLE_KEY_ASYMMETRIC
Kong is now running correctly and the Studio UI works again.
Current behavior
These endpoints respond successfully:
The JWKS is no longer empty.
However, the discovery document still returns:
```json
{
  "issuer": "",
  "authorization_endpoint": "/oauth/authorize",
  "token_endpoint": "/oauth/token",
  "jwks_uri": "/.well-known/jwks.json",
  "userinfo_endpoint": "/oauth/userinfo"
}
```
So:
- issuer is empty
- endpoints are relative instead of absolute
Important verification
To make sure this is not caused by Kong, I queried the Auth container directly on port 9999, bypassing Kong entirely:
```sh
# Container name as in the official self-hosted docker-compose (assumed; adjust if yours differs)
AUTH_IP=$(docker inspect --format '{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}' supabase-auth)
curl -s \
  -H "Host: xxxxxxxxxxxx" \
  -H "X-Forwarded-Proto: https" \
  "http://$AUTH_IP:9999/.well-known/openid-configuration"
```
I get the same result directly from Auth:
```json
{
  "issuer": "",
  "authorization_endpoint": "/oauth/authorize",
  "token_endpoint": "/oauth/token",
  "jwks_uri": "/.well-known/jwks.json",
  "userinfo_endpoint": "/oauth/userinfo"
}
```
So this does not appear to be a Kong-only issue.
Expected behavior
I expected something like:
```json
{
  "issuer": "https://xxxxxxxxxxxx/auth/v1",
  "authorization_endpoint": "https://xxxxxxxxxxxx/auth/v1/oauth/authorize",
  "token_endpoint": "https://xxxxxxxxxxxx/auth/v1/oauth/token",
  "jwks_uri": "https://xxxxxxxxxxxx/auth/v1/.well-known/jwks.json"
}
```
Question
Is this a known limitation / bug in self-hosted OAuth/OIDC discovery?
Or is there another required configuration to make the discovery document emit a non-empty issuer and absolute URLs?
I searched GitHub issues/discussions and found related OAuth/OIDC issues, but not an exact match for a self-hosted discovery document returning 200 with a non-empty JWKS while still emitting an empty issuer and relative endpoints.
Thanks.
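The checks an OIDC relying party applies to a discovery document before trusting it are what make the reported document "invalid": the issuer must be a non-empty absolute `https` URL, it must equal the URL the document was fetched from minus `/.well-known/openid-configuration` (OIDC Discovery section 4.3), and the endpoints must be absolute URLs. The following is an added example, not Supabase or GoTrue code, that runs those checks over two constructed documents: the one reported above and the expected one, with the redacted host replaced by the placeholder `auth.example.test`. The same-host check on endpoints is stricter than the specification requires and is an assumption of this example.

```python
"""Validate an OIDC discovery document as a relying party would before trusting it.
Added example; not part of Supabase/GoTrue. Sample documents are constructed."""
from typing import List, Optional
from urllib.parse import urlsplit

WELL_KNOWN = "/.well-known/openid-configuration"
REQUIRED_ENDPOINTS = ("authorization_endpoint", "token_endpoint", "jwks_uri")

# Constructed sample: the document reported in the post above.
REPORTED = {
    "issuer": "",
    "authorization_endpoint": "/oauth/authorize",
    "token_endpoint": "/oauth/token",
    "jwks_uri": "/.well-known/jwks.json",
    "userinfo_endpoint": "/oauth/userinfo",
}

# Constructed sample: the expected document, host replaced by a placeholder.
EXPECTED = {
    "issuer": "https://auth.example.test/auth/v1",
    "authorization_endpoint": "https://auth.example.test/auth/v1/oauth/authorize",
    "token_endpoint": "https://auth.example.test/auth/v1/oauth/token",
    "jwks_uri": "https://auth.example.test/auth/v1/.well-known/jwks.json",
}


def is_absolute_https(url: str) -> bool:
    """True only for an absolute URL with an https scheme and a host."""
    parts = urlsplit(url)
    return parts.scheme == "https" and bool(parts.netloc)


def issuer_from_discovery_url(discovery_url: str) -> str:
    """OIDC Discovery 4.3: the document is fetched from issuer + WELL_KNOWN,
    so the issuer a client expects is the discovery URL with that suffix removed."""
    if not discovery_url.endswith(WELL_KNOWN):
        raise ValueError("not an OpenID discovery URL: " + discovery_url)
    return discovery_url[: -len(WELL_KNOWN)]


def check_discovery(doc: dict, discovery_url: Optional[str] = None) -> List[str]:
    """Return a list of problems; an empty list means the document passes."""
    problems: List[str] = []
    issuer = doc.get("issuer", "")

    if not issuer:
        problems.append("issuer is empty")
    elif not is_absolute_https(issuer):
        problems.append(f"issuer is not an absolute https URL: {issuer!r}")
    elif urlsplit(issuer).query or urlsplit(issuer).fragment:
        problems.append("issuer must not contain a query or fragment")

    # A client must reject a document whose issuer differs from the URL it was fetched from.
    if discovery_url is not None and issuer != issuer_from_discovery_url(discovery_url):
        problems.append(f"issuer {issuer!r} does not match discovery URL {discovery_url!r}")

    issuer_host = urlsplit(issuer).netloc if is_absolute_https(issuer) else None
    for key in REQUIRED_ENDPOINTS:
        value = doc.get(key)
        if not value:
            problems.append(f"{key} is missing")
        elif not is_absolute_https(value):
            problems.append(f"{key} is relative or not https: {value!r}")
        elif issuer_host is not None and urlsplit(value).netloc != issuer_host:
            # Stricter than the spec (assumption of this example): endpoints on the issuer's host.
            problems.append(f"{key} is on a different host than the issuer: {value!r}")
    return problems


if __name__ == "__main__":
    url = "https://auth.example.test/auth/v1" + WELL_KNOWN
    for name, doc in (("reported", REPORTED), ("expected", EXPECTED)):
        found = check_discovery(doc, url)
        print(f"{name}: {'OK' if not found else ''}")
        for p in found:
            print("  -", p)
```

Running this against the reported document lists the empty issuer and the three relative endpoints; the expected document passes, including the issuer-equals-discovery-URL check.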