fix(bugzilla): allow anonymous browsing

2026-03-14 20:12:10 +01:00 · 2026-03-14 20:12:10 +01:00 · cfb9b7c591
commit cfb9b7c591
parent ff7f3e705f
2 changed files with 11 additions and 3 deletions
--- a/ansible/roles/bugzilla/tasks/deploy-bugzilla.yml
+++ b/ansible/roles/bugzilla/tasks/deploy-bugzilla.yml
@ -126,7 +126,7 @@
    name: Deploy OIDC login redirect page
    copy:
        src: oidc-login.html
-        dest: "{{ bugzilla_dir }}/oidc-login.html"
+        dest: "{{ install_dir }}/oidc-login.html"
        owner: www-data
        group: www-data
    when: oauth_client_id is defined
--- a/ansible/roles/bugzilla/templates/bugzilla-vhost.conf.j2
+++ b/ansible/roles/bugzilla/templates/bugzilla-vhost.conf.j2
@ -25,8 +25,12 @@
    OIDCPassClaimsAs environment
    OIDCSSLValidateServer Off
    OIDCProviderEndSessionEndpoint {{ oauth_issuer_url }}/end-session/
+    OIDCDefaultURL https://{{ domain }}/

-    <Location />
+    # Login trigger — Alias to file outside DocumentRoot so the
+    # Directory's OIDCUnAuthAction pass does not apply here.
+    Alias /oidc-login {{ install_dir }}/oidc-login.html
+    <Location /oidc-login>
        AuthType openid-connect
        Require valid-user
    </Location>
@ -45,7 +49,11 @@
        Options +ExecCGI +FollowSymLinks
        DirectoryIndex index.cgi index.html
        AllowOverride All
-{% if oauth_client_id is not defined %}
+{% if oauth_client_id is defined %}
+        AuthType openid-connect
+        OIDCUnAuthAction pass
+        Require valid-user
+{% else %}
        Require all granted
 {% endif %}
    </Directory>