Add routine to ensure k8s svc URL used for internal token retrieval #153

Merged
brucetony merged 1 commit into main from 152-fix-internal-token-retrieval
Mar 13, 2026
@brucetony (Collaborator) commented Mar 13, 2026

Summary by CodeRabbit

  • New Features

    • Introduced endpoint rewriting capability for OpenID Connect configurations. Endpoints can now automatically be updated to align with specified URL origins, enhancing deployment flexibility and compatibility across different infrastructure environments.
  • Documentation

    • Minor text corrections and docstring improvements in the authentication module.

@brucetony brucetony linked an issue Mar 13, 2026 that may be closed by this pull request
coderabbitai bot commented Mar 13, 2026

Walkthrough

Two files modified: auth.py receives docstring corrections for clarity, while oidc.py introduces endpoint rewriting functionality for OpenID Connect configurations to replace scheme and host of OIDC endpoints with those from the issuer URL.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Documentation Updates: hub_adapter/auth.py | Minor docstring corrections: typo fix ("tp" → "to") in _get_internal_token and expanded description in _require_role for clarity on 403 error handling. |
| OIDC Endpoint Rewriting: hub_adapter/oidc.py | Added rewrite_endpoints parameter to fetch_openid_config() to enable URL origin replacement for token_endpoint, jwks_uri, authorization_endpoint, and userinfo_endpoint. Includes private helper for origin rewriting and updated get_svc_oidc_config() to use rewrite_endpoints=True for service IDP URLs. |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐰 The endpoints dance in rewritten grace,
New Kubernetes schemes find their place,
While docstrings bloom with clarity true,
OIDC flows configured anew!
A twitch of whiskers, a hop of cheer,
The origins shift without a fear! 🌟

🚥 Pre-merge checks | ✅ 3 passed

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title accurately describes the main change: implementing endpoint rewriting to ensure Kubernetes service URLs are used for internal token retrieval in OIDC configurations. |
| Docstring Coverage | ✅ Passed | Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%. |


@coderabbitai coderabbitai bot left a comment


🧹 Nitpick comments (1)
hub_adapter/oidc.py (1)

43-58: Edge case: provided_url may include the .well-known/openid-configuration path.

If the caller passes a URL already ending with .well-known/openid-configuration, provided_url will include that path. When used in _rewrite_url_origin, the netloc extraction is still correct (path is not part of netloc), so the rewriting should work properly. However, consider documenting that oidc_url should be the base issuer URL when using rewrite_endpoints=True.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@hub_adapter/oidc.py` around lines 43 - 58, The code uses provided_url (set
from oidc_url) when rewriting endpoints, which may itself include the
".well-known/openid-configuration" path; normalize provided_url before rewriting
by stripping any trailing slash and removing a trailing
".well-known/openid-configuration" if present so _rewrite_url_origin receives
the base issuer origin; modify the block that sets provided_url/oidc_url to
normalize provided_url (while still ensuring oidc_url becomes the full
well-known endpoint), and keep references to provided_url, oidc_url,
rewrite_endpoints, _OIDC_ENDPOINT_FIELDS, and _rewrite_url_origin when
implementing this change.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: d4c01b04-fabf-402d-b686-f8c4bcf48340

📥 Commits

Reviewing files that changed from the base of the PR and between ae4f47d and 6586fc9.

📒 Files selected for processing (2)
  • hub_adapter/auth.py
  • hub_adapter/oidc.py
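
The origin rewriting described in the walkthrough, together with the normalization the nitpick asks for, as an added example that is not the code merged in this PR. The function names, the sample discovery document and the service URL are constructed for illustration. Only the four endpoint fields named in the walkthrough are rewritten, so `issuer` keeps the value the IdP advertises.

```python
from urllib.parse import urlsplit, urlunsplit

WELL_KNOWN = ".well-known/openid-configuration"
# The four fields named in the PR walkthrough.
ENDPOINT_FIELDS = ("token_endpoint", "jwks_uri",
                   "authorization_endpoint", "userinfo_endpoint")


def base_issuer_url(provided_url: str) -> str:
    """Strip a trailing slash and a trailing well-known path, if present."""
    url = provided_url.rstrip("/")
    if url.endswith(WELL_KNOWN):
        url = url[: -len(WELL_KNOWN)].rstrip("/")
    return url


def rewrite_origin(endpoint: str, provided_url: str) -> str:
    """Return endpoint with scheme and host:port taken from provided_url."""
    origin = urlsplit(provided_url)
    if not origin.scheme or not origin.netloc:
        raise ValueError(f"not an absolute URL: {provided_url!r}")
    # _replace keeps the path, query and fragment of the advertised endpoint.
    parts = urlsplit(endpoint)._replace(scheme=origin.scheme, netloc=origin.netloc)
    return urlunsplit(parts)


def rewrite_discovery(config: dict, provided_url: str) -> dict:
    """Copy config, rewriting only the endpoint fields; 'issuer' is untouched."""
    base = base_issuer_url(provided_url)
    out = dict(config)
    for field in ENDPOINT_FIELDS:
        if isinstance(out.get(field), str):
            out[field] = rewrite_origin(out[field], base)
    return out


# Constructed discovery document, as an IdP might advertise it externally.
SAMPLE = {
    "issuer": "https://idp.example.org/realms/demo",
    "token_endpoint": "https://idp.example.org/realms/demo/protocol/openid-connect/token",
    "jwks_uri": "https://idp.example.org/realms/demo/protocol/openid-connect/certs",
    "end_session_endpoint": "https://idp.example.org/realms/demo/protocol/openid-connect/logout",
}
# Constructed in-cluster service URL, passed with the well-known suffix.
SVC_URL = "http://keycloak.auth.svc.cluster.local:8080/realms/demo/.well-known/openid-configuration"

if __name__ == "__main__":
    for key, value in rewrite_discovery(SAMPLE, SVC_URL).items():
        print(f"{key}: {value}")
```

Fields outside the rewritten set, such as `end_session_endpoint` in the sample, still point at the external origin, so any internal call that uses them leaves the cluster.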

@brucetony brucetony merged commit 973a177 into main Mar 13, 2026
3 checks passed
@brucetony brucetony deleted the 152-fix-internal-token-retrieval branch March 13, 2026 08:37
Development

Successfully merging this pull request may close these issues.

Fix internal token retrieval
