yurhett 9c6c6c51e0 Fix: use jwks_uri from OIDC metadata for JWKS client (#8136) ...

### What problem does this PR solve?
Issue: #8051

The current implementation assumes JWKS endpoints follow the standard
`/.well-known/jwks.json` convention. This breaks authentication for OIDC
providers that use non-standard JWKS paths, resulting in 404 errors
during token validation.

Root Cause Analysis
- The OpenID Connect specification doesn't mandate a fixed path for JWKS
endpoints
- Some identity providers (like certain Keycloak configurations) use
custom endpoints
- Our previous approach constructed JWKS URLs by convention rather than
discovery

### Solution Approach
Instead of constructing JWKS URLs by appending to the issuer URI, we
now:
1. Properly leverage the `jwks_uri` from the OIDC discovery metadata
2. Honor the identity provider's actual configured endpoint

```python
# Before (fragile approach)
jwks_url = f"{self.issuer}/.well-known/jwks.json"

# After (standards-compliant)
jwks_cli = jwt.PyJWKClient(self.jwks_uri)  # Use discovered endpoint
```

### Type of change

- [x] Bug Fix (non-breaking change which fixes an issue)

2025-06-10 10:16:58 +08:00

..

apps

Fix: use jwks_uri from OIDC metadata for JWKS client (#8136)

2025-06-10 10:16:58 +08:00

db

Fix:when stream=false，new message without sessionid does no (#8078)

2025-06-05 15:14:15 +08:00

utils

Fix: document typo in test (#8091)

2025-06-05 19:03:46 +08:00

__init__.py

Update comments (#4569)

2025-01-21 20:52:28 +08:00

constants.py

Update upload filename length limit from 128 to 256, which is aligned with os (#7971)

2025-05-30 14:25:59 +08:00

ragflow_server.py

Fix: Prevent Flask hot reload from hanging due to early thread startup (#7966)

2025-05-30 13:38:30 +08:00

settings.py

Fix: Authentication Bypass via predictable JWT secret and empty token validation (#7998)

2025-06-05 12:10:24 +08:00

validation.py

Fix errors detected by Ruff (#3918)

2024-12-08 14:21:12 +08:00

versions.py

Fix VERSION

2024-12-07 16:56:34 +08:00