Looked into internal and external uris.

Author: pantierra

charts/eoapi/profiles/experimental.yaml

@@ -206,6 +206,8 @@ browser:
   enabled: true
   settings:
     resources: {}
+  # STAC Browser needs external OIDC URL (accessible from user's browser)
+  oidcDiscoveryUrl: "http://localhost/mock-oidc/.well-known/openid-configuration"
 
 docServer:
   enabled: true
@@ -385,6 +387,9 @@ mockOidcServer:
   port: 8888
   clientId: "test-client"
   clientSecret: "test-secret"
+  extraEnv:
+    - name: ISSUER
+      value: "http://localhost/mock-oidc"
   service:
     type: ClusterIP
     port: 8080
@@ -402,7 +407,6 @@ mockOidcServer:
   tolerations: []
   affinity: {}
   imagePullSecrets: []
-  extraEnv: []
 
 ######################
 # SERVICE

charts/eoapi/templates/networking/ingress-no-prefix.yaml

@@ -49,7 +49,7 @@ spec:
 
           {{- if and $.Values.browser.enabled (or (not (hasKey $.Values.browser "ingress")) $.Values.browser.ingress.enabled) }}
           - pathType: {{ if eq $.Values.ingress.className "nginx" }}ImplementationSpecific{{ else }}Prefix{{ end }}
-            path: "/browser{{ if eq $.Values.ingress.className "nginx" }}(/|$)(.*){{ end }}"
+            path: "{{ $.Values.browser.ingress.path | default "/browser" }}{{ if eq $.Values.ingress.className "nginx" }}(/|$)(.*){{ end }}"
             backend:
               service:
                 name: {{ $.Release.Name }}-browser
@@ -79,7 +79,7 @@ spec:
 
           {{- if and .Values.browser.enabled (or (not (hasKey .Values.browser "ingress")) .Values.browser.ingress.enabled) }}
           - pathType: {{ if eq .Values.ingress.className "nginx" }}ImplementationSpecific{{ else }}Prefix{{ end }}
-            path: "/browser{{ if eq .Values.ingress.className "nginx" }}(/|$)(.*){{ end }}"
+            path: "{{ .Values.browser.ingress.path | default "/browser" }}{{ if eq .Values.ingress.className "nginx" }}(/|$)(.*){{ end }}"
             backend:
               service:
                 name: {{ .Release.Name }}-browser

charts/eoapi/templates/services/browser/deployment.yaml

@@ -32,9 +32,10 @@ spec:
               value: |
                 {
                   "type": "openIdConnect",
-                  "openIdConnectUrl": "{{ index .Values "stac-auth-proxy" "env" "OIDC_DISCOVERY_URL" }}",
+                  "openIdConnectUrl": "{{ .Values.browser.oidcDiscoveryUrl }}",
                   "oidcOptions": {
-                    "client_id": "{{ .Values.browser.oidcClientId | default "test-client" }}"
+                    "client_id": "{{ .Values.browser.oidcClientId | default "test-client" }}",
+                    "redirect_uri": "http://{{ .Values.ingress.host }}{{ .Values.browser.ingress.path | default "/browser" | trimSuffix "/" }}/auth"
                   }
                 }
               {{- end }}

charts/eoapi/values.yaml

@@ -496,8 +496,12 @@ browser:
     tag: 3.3.4
   ingress:
     enabled: true  # Control ingress specifically for browser service
-  # OAuth2 client ID for browser (frontend app). Reads OIDC_DISCOVERY_URL from stac-auth-proxy.env
-  oidcClientId: "some-client-id"
+    path: "/browser"
+  # OAuth2 client ID for browser (frontend app)
+  oidcClientId: "stac-browser"
+  # OIDC discovery URL for browser (must be externally accessible URL)
+  # Required when stac-auth-proxy is enabled
+  oidcDiscoveryUrl: ""
 
 docServer:
   enabled: true