Skip to content

fix: oidc multi-tenant cache collision and site applications fallback#112

Open
aymericcousaert wants to merge 4 commits intomasterfrom
fix/oidc-multi-tenant-and-apps-fallback
Open

fix: oidc multi-tenant cache collision and site applications fallback#112
aymericcousaert wants to merge 4 commits intomasterfrom
fix/oidc-multi-tenant-and-apps-fallback

Conversation

@aymericcousaert
Copy link
Copy Markdown
Collaborator

@aymericcousaert aymericcousaert commented Mar 25, 2026
edited
Loading

Summary

  • OIDC discovery cache collision: getOidcProviderId used only the hostname from the discovery URL, causing all Azure AD tenants (which share login.microsoftonline.com) to get the same provider ID. This made the first tenant's discovery content (authorization/token endpoints) be cached and reused for all other tenants, redirecting users to the wrong tenant. Fixed by including the URL path in the ID generation.
  • Applications merge: Global applications (from APPLICATIONS env var) and site-level applications are now merged. Site applications take priority on duplicate IDs, and global applications are always available as a base. Previously, sites with no applications could not access global ones, causing runner-gui OAuth to fail with "Unknown client_id" on secondary sites.
  • Application client ID editable: The client ID field in the site applications form was readOnly, preventing admins from setting a specific client ID (e.g. runner-gui) via the UI. Removed the readOnly constraint.

Test plan

  • Existing OIDC tests pass (provider IDs for localhost:PORT are unchanged)
  • Test: global applications fallback when site has no applications
  • Test: merge global + site applications, site overrides on duplicate ID
  • Existing "reject invalid client_id" test still passes
  • Full test suite (80 tests) passes

@aymericcousaert
fix: oidc multi-tenant cache collision and site applications fallback
dfd1b6f 
- use full discovery URL path (not just hostname) for OIDC provider ID,
  fixing cache collisions when multiple Azure AD tenants share
  login.microsoftonline.com
- fall back to global APPLICATIONS config when a site has no applications
  defined, instead of only when there is no site at all
@github-actions github-actions bot added the fix label Mar 25, 2026
@github-actions github-actions bot added fix and removed fix labels Mar 25, 2026
@aymericcousaert
fix: merge global and site applications instead of fallback
0ed77de 
Site applications take priority on duplicate IDs, global applications
are always available as a base.
@github-actions github-actions bot added fix and removed fix labels Mar 25, 2026
@aymericcousaert
fix: add backward compat for coreIdProvider with old OIDC provider ID…
ea68250 
… format

Providers now expose a compatId (old hostname-only format) so that
existing user sessions with stored coreIdProvider references still
match after the ID format change.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

fix

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@aymericcousaert