OIDC config to allow mismatched discovery / issuer

[ddl-ebrown]

Tracking issue

Why are the changes needed?

• There are a number of cases where the OIDC discovery url returns one issuer, but its desirable to use a separately configured / named issuer for validation instead.

  There are cases in Azure where this is necessary due to their non-standard OIDC configuration -- which is why this was originally added: oidc: add option to override discovered issuer URL coreos/go-oidc#315

  There are also cases where it's necessary to use an in-cluster service address, but browser clients are using the external ingress address. Due to cluster DNS configuration, it's possible that flyteadmin may be unable to resolve or use the public ingress address for an Idp, but the internal service address is available. This configuration change allows for that.

What changes were proposed in this pull request?

How was this patch tested?

Setup process

Screenshots

Check all the applicable boxes

• I updated the documentation accordingly.
• All new and existing tests passed.
• All commits are signed-off.

Related PRs

Docs link

[codecov]

Codecov Report

Attention: Patch coverage is 0% with 2 lines in your changes missing coverage. Please review.

Project coverage is 36.17%. Comparing base (7a91799) to head (d897dfb).

Files with missing lines	Patch %	Lines
flyteadmin/auth/auth_context.go	0.00%	2 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##           master    #5712      +/-   ##
==========================================
+ Coverage   34.28%   36.17%   +1.88%     
==========================================
  Files        1137     1303     +166     
  Lines      102263   109665    +7402     
==========================================
+ Hits        35065    39667    +4602     
- Misses      63546    65853    +2307     
- Partials     3652     4145     +493     

Flag	Coverage Δ
unittests-datacatalog	51.37% <ø> (ø)
unittests-flyteadmin	55.28% <0.00%> (-0.01%)	⬇️
unittests-flytecopilot	12.17% <ø> (ø)
unittests-flytectl	62.18% <ø> (?)
unittests-flyteidl	7.12% <ø> (ø)
unittests-flyteplugins	53.34% <ø> (ø)
unittests-flytepropeller	41.76% <ø> (ø)
unittests-flytestdlib	55.35% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[wild-endeavor]

Had a chat with @EngHabu. This pr is good to go thank you! There was some discussion about whether this config option needs to be piped in to the resource_server so that the issuer can be verified but it looks like we don't do that. In the self auth server case, the issuer is already read from config or matched against authorized urls so that's okay.

[wild-endeavor]

mind taking care of the checks though @ddl-ebrown