Add validation of iss claim parameter

[evankanderson]

Summary

Per https://openid.net/specs/openid-connect-basic-1_0.html#IDTokenValidation:

The Issuer Identifier for the OpenID Provider (which is typically obtained during Discovery) MUST exactly match the value of the iss (issuer) Claim.

In this case, we're not implementing discovery, and using a server-configured JWKS URL, but we should still validate the iss URL.

Fixes #3542

Change Type

Mark the type of change your PR introduces:

• Bug fix (resolves an issue without affecting existing features)
• Feature (adds new functionality without breaking changes)
• Breaking change (may impact existing functionalities or require documentation updates)
• Documentation (updates or additions to documentation)
• Refactoring or test improvements (no bug fixes or new functionality)

Testing

Unit tests and manual login test, which revealed that:

1. We have an issuer_url parameter, which is actually a hostname, not the iss parameter. In particular, it doesn't include the /realms/stacklok part, which is instead part of the URLs we build in Minder.
2. If we set issuer_url to http://localhost:8081 for development (to match what's in the JWT), Minder in docker-compose is unable to reach Keycloak, because each is in a different network namespace.
3. We have a similar issue in production, where we don't expose the /admin API endpoints on the public internet.

All of this is pointed me to splitting the identity into two bits -- a keycloak server URL for the admin API endpoints, and an openID issuer URL.

Review Checklist:

• Reviewed my own code for quality and clarity.
• Added comments to complex or tricky code sections.
• Updated any affected documentation.
• Included tests that validate the fix or feature.
• Checked that related changes are merged.

[coveralls]

coverage: 53.121% (-0.02%) from 53.143%
when pulling 83631bd on evankanderson:validate-issuer
into 59c9839 on stacklok:main.

[coveralls]

coverage: 53.121% (-0.02%) from 53.143%
when pulling 9d2c2dd on evankanderson:validate-issuer
into 59c9839 on stacklok:main.

[rdimitrov]

We still want to have the default be the all-in-docker setup?

[evankanderson]

I can set this whichever way -- we override the config value with a flag in docker-compose for the all-in-docker setup.

[eleftherias]

I'm not sure this comment is accurate. Maybe it's better to rename the issuerUrl to hostnameUrl. We intentionally use the hostname for deriving the user deletion URL as well, which is also Keycloak specific.

[evankanderson]

Ugh... so, in an ideal world, the URL that Keycloak includes in the iss claim would be reachable by the minder server and then we could use the standard OpenID JWKS discovery.

Unfortunately, the current docker-compose setup produces an iss of http://localhost:8081/realms/stacklok, but the minder container can only reach Keycloak via keycloak:8080. This isn't a problem in staging or production, where Minder can reach the external interface, and we just happen to fetch some keys from an entirely different URL and use them to validate the JWT.

Let me think on this, and see if I can come up with a better way to handle this.

And yes, we should rename issuer_url to identity_host or identity_url, but I didn't want to gratuitously break existing configuration (including our own).

That also reminds me that I need to set these fields in staging and production before we push this code there...

[evankanderson]

These fields are now set in production.