
Issuer_url is compulsory for generic provider, though it does not support OpenID Connect Discovery #3897

Closed

rohit-patel-tw opened this issue Apr 26, 2024 · 0 comments
Labels: bug (Something is not working.)

rohit-patel-tw commented Apr 26, 2024

Preflight checklist

Ory Network Project

No response

Describe the bug

We are trying to connect Kratos to UAE Pass as an OIDC generic provider, which does not support OpenID Connect Discovery.

As per the comments in provider_config.go, we can use auth_url and token_url to provide the endpoint details when the OAuth2 / OpenID Connect server does not support OpenID Connect Discovery, and leave issuer_url empty.

But Kratos throws the error "unsupported protocol scheme" when issuer_url is left empty.

Expected:
As config says, we should be allowed to pass individual endpoints.

Reproducing the bug

  1. Update kratos.config as below and start the kratos server
  2. Go to the login screen and click on "Sign in with UAE PASS"

Error from Kratos:

{
  "id": "8ec4760e-1afa-403c-9f04-dc9347aae1ec",
  "error": {
    "code": 500,
    "status": "Internal Server Error",
    "reason": "Unable to initialize OpenID Connect Provider: Get \"/.well-known/openid-configuration\": unsupported protocol scheme \"\"",
    "message": "An internal server error occurred, please contact the system administrator"
  },
  "created_at": "2024-04-26T04:38:30.203548Z",
  "updated_at": "2024-04-26T04:38:30.203548Z"
}

Relevant log output

kratos-1                      | time=2024-04-26T04:38:30Z level=error msg=An error occurred and is being forwarded to the error user interface. func=github.com/ory/x/logrusx.(*Logger).Logf file=/go/pkg/mod/github.com/ory/x@v0.0.614/logrusx/helper.go:125 audience=application error=map[debug: message:An internal server error occurred, please contact the system administrator reason:Unable to initialize OpenID Connect Provider: Get "/.well-known/openid-configuration": unsupported protocol scheme "" stack_trace:
kratos-1                      | github.com/ory/kratos/selfservice/strategy/oidc.(*ProviderGenericOIDC).provider
kratos-1                      |         /project/selfservice/strategy/oidc/provider_generic_oidc.go:54
kratos-1                      | github.com/ory/kratos/selfservice/strategy/oidc.(*ProviderGenericOIDC).OAuth2
kratos-1                      |         /project/selfservice/strategy/oidc/provider_generic_oidc.go:77
kratos-1                      | github.com/ory/kratos/selfservice/strategy/oidc.(*Strategy).Login
kratos-1                      |         /project/selfservice/strategy/oidc/strategy_login.go:223
kratos-1                      | github.com/ory/kratos/selfservice/flow/login.(*Handler).updateLoginFlow
kratos-1                      |         /project/selfservice/flow/login/handler.go:789
kratos-1                      | github.com/ory/kratos/x.(*RouterPublic).POST.NoCacheHandle.func1

Relevant configuration

version: v1.1.0

dsn: memory

serve:
  public:
    base_url: http://127.0.0.1:4433
    cors:
      enabled: true
  admin:
    base_url: http://127.0.0.1:4434

selfservice:
  default_browser_return_url: http://127.0.0.1:4455/
  allowed_return_urls:
    - http://127.0.0.1:4455

  methods:
    password:
      enabled: true
      config:
        min_password_length: 6
        identifier_similarity_check_enabled: false
        haveibeenpwned_enabled: false
    oidc:
      config:
        providers:
          - client_id: sandbox_stage
            client_secret: sandbox_stage
            id: u6ZEcp7W
            # have tried removing this entry as well
            issuer_url: ""
            auth_url: https://stg-id.uaepass.ae/idshub/authorize
            token_url: https://stg-id.uaepass.ae/idshub/token
            label: uea-pass
            mapper_url: https://storage.googleapis.com/bac-gcs-production/0d878eabc6b5fb37a6e1f35ab40c9936c2306fa273c97c452188059e2cbde2ed52bcf11287710f14ab4df68ec8afe1512807ef9d853d71b1ece53fe8656b9497.jsonnet
            provider: generic
            scope:
              - urn:uae:digitalid:profile:general urn:uae:digitalid:profile:general:profileType urn:uae:digitalid:profile:general:unifiedId
            claims_source: userinfo
      enabled: true

  flows:
    error:
      ui_url: http://127.0.0.1:4455/error

    settings:
      ui_url: http://127.0.0.1:4455/settings
      privileged_session_max_age: 15m
      required_aal: highest_available

    logout:
      after:
        default_browser_return_url: http://127.0.0.1:4455/login

    login:
      ui_url: http://127.0.0.1:4455/login

    registration:
      ui_url: http://127.0.0.1:4455/registration
      after:
        password:
          hooks:
            - hook: session

log:
  format: text
  leak_sensitive_values: true

secrets:
  cookie:
    - PLEASE-CHANGE-ME-I-AM-VERY-INSECURE
  cipher:
    - 32-LONG-SECRET-NOT-SECURE-AT-ALL

identity:
  default_schema_id: default
  schemas: 
    - id: default
      url: file:///etc/config/kratos/identity.schema.json

courier:
  smtp:
    connection_uri: smtps://test:test@mailslurper:1025/?skip_ssl_verify=true

oauth2_provider:
  url: http://hydra:4445

Version

v1.1.0

On which operating system are you observing this issue?

macOS

In which environment are you deploying?

Docker Compose

Additional Context

Also, in Ory Network, we have to enter issuer_url, and there is no option to enter individual endpoints for generic providers.

@rohit-patel-tw rohit-patel-tw added the bug Something is not working. label Apr 26, 2024
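An added example (not Kratos' own code; the type and function names are assumed) showing why an empty issuer_url produces the path-only discovery URL seen in the error, and a pre-flight check that accepts a provider only when it has either an absolute https issuer_url or both manual endpoints:

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// ProviderConfig mirrors the subset of generic-provider fields relevant here
// (assumed names; not Kratos' own type).
type ProviderConfig struct {
	ID        string
	IssuerURL string
	AuthURL   string
	TokenURL  string
}

// DiscoveryURL builds the OpenID Connect Discovery URL for an issuer. With an
// empty issuer the result is a bare path with no scheme or host, which is what
// an HTTP client rejects as `unsupported protocol scheme ""`.
func DiscoveryURL(issuer string) string {
	return strings.TrimSuffix(issuer, "/") + "/.well-known/openid-configuration"
}

// absoluteHTTPS reports whether raw is an absolute https:// URL with a host.
func absoluteHTTPS(raw string) bool {
	u, err := url.Parse(raw)
	return err == nil && u.Scheme == "https" && u.Host != ""
}

// Validate returns "discovery" when issuer_url is usable, "manual" when both
// auth_url and token_url are usable without an issuer, or an error naming the
// offending field so the misconfiguration is caught at startup, not at login.
func Validate(p ProviderConfig) (string, error) {
	if p.IssuerURL != "" {
		if !absoluteHTTPS(p.IssuerURL) {
			return "", fmt.Errorf("provider %q: issuer_url must be an absolute https URL, got %q", p.ID, p.IssuerURL)
		}
		return "discovery", nil
	}
	for _, f := range []struct{ name, raw string }{{"auth_url", p.AuthURL}, {"token_url", p.TokenURL}} {
		if !absoluteHTTPS(f.raw) {
			return "", fmt.Errorf("provider %q: without issuer_url, %s must be an absolute https URL, got %q", p.ID, f.name, f.raw)
		}
	}
	return "manual", nil
}

func main() {
	// Constructed sample modelled on the configuration in this issue.
	p := ProviderConfig{ID: "u6ZEcp7W", AuthURL: "https://stg-id.uaepass.ae/idshub/authorize", TokenURL: "https://stg-id.uaepass.ae/idshub/token"}
	fmt.Println(DiscoveryURL(p.IssuerURL)) // path only: no scheme, no host
	fmt.Println(Validate(p))               // manual <nil>
}
```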