When KEYCLOAK_DISCOVERY_URL is set, internal/auth/keycloak.go builds
a custom http.Client whose Transport has no Proxy field. The fresh
provider then uses that client for both discovery (internal URL,
fine) AND the subsequent JWKS fetch from jwks_uri — which the
discovery doc still emits as https://auth.gosec.cloud/... (the
canonical issuer URL). With no Proxy on the custom transport, JWKS
hit default-deny-external and the verifier never gets a key, so
every signed token returned 401 with the empty fallback ShellConfig
propagating to consumer apps (empty sidebar/footer/user-menu in
gscCRM).
Fall through to go-oidc's default client. http.DefaultTransport.Proxy
is http.ProxyFromEnvironment so HTTP_PROXY/HTTPS_PROXY are honored
for both discovery (auth.gosec.cloud via Squid) and JWKS.
Trade-off: discovery now goes out and back through web-proxy instead
of hitting the in-cluster Keycloak service directly. Adds a few ms
once; result is cached for CACHE_TTL_SECONDS=60. Worth it to actually
validate tokens.
A code-side fix would set Proxy: http.ProxyFromEnvironment on the
custom transport, but that requires a shell-api rebuild + push.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
bb110e26af