bb110e26afe2b3f67c17a3dd1b892b46ed94d24f
When KEYCLOAK_DISCOVERY_URL is set, internal/auth/keycloak.go builds a custom http.Client whose Transport has no Proxy field. The fresh provider then uses that client for both discovery (internal URL, fine) AND the subsequent JWKS fetch from jwks_uri — which the discovery doc still emits as https://auth.gosec.cloud/... (the canonical issuer URL). With no Proxy on the custom transport, JWKS hit default-deny-external and the verifier never gets a key, so every signed token returned 401 with the empty fallback ShellConfig propagating to consumer apps (empty sidebar/footer/user-menu in gscCRM).

Fall through to go-oidc's default client. http.DefaultTransport.Proxy is http.ProxyFromEnvironment so HTTP_PROXY/HTTPS_PROXY are honored for both discovery (auth.gosec.cloud via Squid) and JWKS.

Trade-off: discovery now goes out and back through web-proxy instead of hitting the in-cluster Keycloak service directly. Adds a few ms once; result is cached for CACHE_TTL_SECONDS=60. Worth it to actually validate tokens.

A code-side fix would set Proxy: http.ProxyFromEnvironment on the custom transport, but that requires a shell-api rebuild + push.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
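To make the mechanism in the commit message concrete, here is an added Go example (not code from shell-api or go-oidc): a Transport built with a nil Proxy never consults HTTP_PROXY/HTTPS_PROXY/NO_PROXY, while the same Transport with Proxy set to http.ProxyFromEnvironment routes the JWKS fetch to the issuer host through the configured proxy and still dials the in-cluster service directly when it is listed in NO_PROXY. The proxy address, the in-cluster service name and the realm path are constructed stand-ins.

```go
package main

import (
	"fmt"
	"net/http"
	"os"
)

// brokenTransport mirrors the bug: a hand-built Transport whose Proxy is nil,
// so HTTP_PROXY/HTTPS_PROXY/NO_PROXY are silently ignored and every request
// dials the target directly.
func brokenTransport() *http.Transport { return &http.Transport{} }

// fixedTransport is the code-side fix the commit mentions: keep the custom
// transport but honour the proxy environment, as http.DefaultTransport does.
func fixedTransport() *http.Transport {
	t := brokenTransport()
	t.Proxy = http.ProxyFromEnvironment
	return t
}

// proxyHostFor reports the proxy (host:port) t would dial through for rawURL,
// or "" for a direct connection, by evaluating t.Proxy exactly as the
// transport does before opening a connection.
func proxyHostFor(t *http.Transport, rawURL string) (string, error) {
	req, err := http.NewRequest(http.MethodGet, rawURL, nil)
	if err != nil {
		return "", err
	}
	if t.Proxy == nil {
		return "", nil // nil Proxy: always direct, whatever the environment says
	}
	p, err := t.Proxy(req)
	if err != nil || p == nil {
		return "", err // nil URL: host matched NO_PROXY, go direct
	}
	return p.Host, nil
}

func main() {
	// Constructed environment (set before the first ProxyFromEnvironment call,
	// which reads the variables once per process): egress via a Squid proxy.
	os.Setenv("HTTPS_PROXY", "http://web-proxy.gosec.svc:3128")
	os.Setenv("NO_PROXY", "keycloak.auth.svc.cluster.local")
	jwks := "https://auth.gosec.cloud/realms/REALM/protocol/openid-connect/certs" // constructed
	b, _ := proxyHostFor(brokenTransport(), jwks)
	f, _ := proxyHostFor(fixedTransport(), jwks)
	fmt.Printf("broken transport -> %q (direct, blocked by default-deny-external)\n", b)
	fmt.Printf("fixed transport  -> %q\n", f)
}
```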
Description
Central chrome data API. Serves header/sidebar/footer config for all GSC frontends.