From b8306fc90b35b53cbe696ef5f6bf5e10562d621b Mon Sep 17 00:00:00 2001
From: Joao Marcal
Date: Wed, 25 Feb 2026 12:56:00 +0000
Subject: [PATCH] fix: OIDC issuerCA to load all certificates from PEM bundle

---
 authentication/oidc.go | 37 +++++++++++++++++++++++++------------
 main.go | 2 +-
 2 files changed, 26 insertions(+), 13 deletions(-)

diff --git a/authentication/oidc.go b/authentication/oidc.go
index 73da9363c..a285c7ad7 100644
--- a/authentication/oidc.go
+++ b/authentication/oidc.go
@@ -45,7 +45,7 @@ type oidcConfig struct {
 GroupClaim string `json:"groupClaim"`
 IssuerRawCA []byte `json:"issuerCA"`
 IssuerCAPath string `json:"issuerCAPath"`
- issuerCA *x509.Certificate
+ issuerCAs []*x509.Certificate
 IssuerURL string `json:"issuerURL"`
 RedirectURL string `json:"redirectURL"`
 UsernameClaim string `json:"usernameClaim"`
@@ -96,17 +96,28 @@ func newOIDCAuthenticator(c map[string]interface{}, tenant string,
 }
 
 if len(config.IssuerRawCA) != 0 {
- block, _ := pem.Decode(config.IssuerRawCA)
- if block == nil {
- return nil, fmt.Errorf("failed to parse issuer CA certificate PEM")
- }
+ var (
+ block *pem.Block
+ rest = config.IssuerRawCA
+ )
+
+ for {
+ block, rest = pem.Decode(rest)
+ if block == nil {
+ if len(config.issuerCAs) == 0 {
+ return nil, fmt.Errorf("failed to parse issuer CA certificate PEM")
+ }
 
- cert, err := x509.ParseCertificate(block.Bytes)
- if err != nil {
- return nil, fmt.Errorf("failed to parse issuer certificate: %s", err.Error())
- }
+ break
+ }
 
- config.issuerCA = cert
+ cert, err := x509.ParseCertificate(block.Bytes)
+ if err != nil {
+ return nil, fmt.Errorf("failed to parse issuer certificate: %s", err.Error())
+ }
+
+ config.issuerCAs = append(config.issuerCAs, cert)
+ }
 }
 
 t := &http.Transport{
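Review bot: The new loop hands every PEM block to x509.ParseCertificate without checking block.Type, so a bundle that carries a non-certificate block (a key, a CRL or a parameters block) fails the whole tenant with "failed to parse issuer certificate" and the error never names the real cause. Checking the type before parsing, `if block.Type != "CERTIFICATE" { return nil, fmt.Errorf("unexpected PEM block type %q in issuer CA bundle", block.Type) }`, keeps the fail-closed behaviour the hunk already has while making the error actionable; skipping such blocks, as x509.CertPool.AppendCertsFromPEM does, is the other option, but then a stray key in the bundle would go unnoticed. The parse-error wrap should also use `%w` instead of `%s` with err.Error() so callers can inspect the underlying x509 error: `return nil, fmt.Errorf("failed to parse issuer certificate: %w", err)`. newOIDCAuthenticator starts before and ends after this hunk.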
@@ -122,11 +133,13 @@ func newOIDCAuthenticator(c map[string]interface{}, tenant string,
 ExpectContinueTimeout: 1 * time.Second,
 }
 
- if config.issuerCA != nil {
+ if len(config.issuerCAs) > 0 {
 t.TLSClientConfig = &tls.Config{
 RootCAs: x509.NewCertPool(),
 }
- t.TLSClientConfig.RootCAs.AddCert(config.issuerCA)
+ for _, ca := range config.issuerCAs {
+ t.TLSClientConfig.RootCAs.AddCert(ca)
+ }
 }
 
 client := &http.Client{
diff --git a/main.go b/main.go
index 5522ee737..07004d0e6 100644
--- a/main.go
+++ b/main.go
@@ -236,7 +236,7 @@ type tenant struct {
 GroupClaim string `json:"groupClaim"`
 IssuerRawCA []byte `json:"issuerCA"`
 IssuerCAPath string `json:"issuerCAPath"`
- issuerCA *x509.Certificate
+ issuerCAs []*x509.Certificate
 IssuerURL string `json:"issuerURL"`
 RedirectURL string `json:"redirectURL"`
 UsernameClaim string `json:"usernameClaim"`