feat(runs): serve external OAuth2 authorization-server metadata

runs/config/config.go

@@ -58,10 +58,67 @@ type Config struct {
 	SeedProjects []string `json:"seedProjects" pflag:",Projects to create by default at startup"`
 
 	// Domains are injected into project responses (not stored per project row).
-	Domains []DomainConfig `json:"domains"`
+	// Excluded from pflags (slices of structs are unsupported by the generator);
+	// configure via the config file only.
+	Domains []DomainConfig `json:"domains" pflag:"-"`
 
 	// TriggerScheduler configures the cron-based trigger scheduler worker.
 	TriggerScheduler TriggerSchedulerConfig `json:"triggerScheduler"`
+
+	// AuthMetadata configures the OAuth2 authorization-server metadata endpoint
+	// (the GetOAuth2Metadata RPC and /.well-known/oauth-authorization-server).
+	AuthMetadata AuthMetadataConfig `json:"authMetadata"`
+}
+
+// AuthMetadataConfig controls how the runs service serves OAuth2 authorization
+// server metadata. When ExternalAuthServerBaseURL is set, the service proxies
+// the external authorization server's metadata document (e.g. Okta) so that
+// clients discovering auth at this deployment are pointed at the external IdP
+// and obtain externally-issued tokens. When empty, GetOAuth2Metadata returns
+// Unimplemented (HTTP 501 for the well-known handler).
+type AuthMetadataConfig struct {
+	// ExternalAuthServerBaseURL is the base URL of the external OAuth2
+	// authorization server to proxy metadata from
+	// (e.g. "https://signin.example.com/oauth2/default"). Empty disables the
+	// endpoint (GetOAuth2Metadata returns Unimplemented).
+	ExternalAuthServerBaseURL string `json:"externalAuthServerBaseUrl" pflag:",Base URL of the external OAuth2 authorization server to proxy metadata from"`
+
+	// ExternalMetadataURL optionally overrides the metadata path resolved
+	// against ExternalAuthServerBaseURL. Defaults to
+	// ".well-known/oauth-authorization-server".
+	ExternalMetadataURL string `json:"externalMetadataUrl" pflag:",Override for the external metadata path"`
+
+	// RetryAttempts is how many times to try fetching external metadata (default 5).
+	RetryAttempts int `json:"retryAttempts" pflag:",Attempts to fetch external metadata"`
+
+	// RetryDelay is the delay between fetch attempts (default 1s).
+	RetryDelay config.Duration `json:"retryDelay" pflag:",Delay between external metadata fetch attempts"`
+
+	// AuthorizationMetadataKey is the header/metadata key clients should place
+	// tokens in, returned by GetPublicClientConfig (default "authorization").
+	AuthorizationMetadataKey string `json:"authorizationMetadataKey" pflag:",Header key clients should use for tokens"`
+
+	// FlyteClient is the public (CLI/SDK) OAuth2 client configuration returned
+	// by GetPublicClientConfig.
+	FlyteClient FlyteClientConfig `json:"flyteClient"`
+}
+
+// FlyteClientConfig mirrors flyteadmin's appAuth.thirdPartyConfig.flyteClient:
+// the public OAuth2 client (flytectl/pyflyte) settings advertised to SDKs via
+// GetPublicClientConfig.
+type FlyteClientConfig struct {
+	// ClientID is the public client id used by CLI/SDK login flows.
+	ClientID string `json:"clientId" pflag:",Public OAuth2 client id advertised to SDKs"`
+
+	// RedirectURI is the callback the public client listens on during login.
+	RedirectURI string `json:"redirectUri" pflag:",Redirect URI for the public client login flow"`
+
+	// Scopes are the OAuth2 scopes the public client should request.
+	Scopes []string `json:"scopes" pflag:",Scopes the public client should request"`
+
+	// Audience is the intended audience for requested tokens (sent when the IdP
+	// requires it, e.g. Auth0/Okta custom authorization servers).
+	Audience string `json:"audience" pflag:",Audience for requested tokens"`
 }
 
 // ServerConfig holds HTTP server configuration
@@ -82,13 +139,17 @@ type TriggerSchedulerConfig struct {
 	Enabled bool `json:"enabled" pflag:",Enable the trigger scheduler worker"`
 
 	// ResyncInterval is how often the scheduler re-reads active triggers from the DB.
-	ResyncInterval time.Duration `json:"resyncInterval" pflag:",How often to resync active triggers from the database"`
+	// Excluded from pflags (raw time.Duration is unsupported by the generator);
+	// configure via the config file only.
+	ResyncInterval time.Duration `json:"resyncInterval" pflag:"-"`
 
 	// MaxCatchupRunsPerLoop caps how many catchup runs are fired per resync loop.
 	MaxCatchupRunsPerLoop int `json:"maxCatchupRunsPerLoop" pflag:",Maximum catchup runs fired per resync loop"`
 
 	// ExecutionQPS is the token-bucket rate for CreateRun calls (tokens/second).
-	ExecutionQPS float64 `json:"executionQps" pflag:",Rate limit for CreateRun calls (requests per second)"`
+	// Excluded from pflags (float64 is unsupported by the generator); configure
+	// via the config file only.
+	ExecutionQPS float64 `json:"executionQps" pflag:"-"`
 
 	// ExecutionBurst is the token-bucket burst size.
 	ExecutionBurst int `json:"executionBurst" pflag:",Burst size for CreateRun rate limiter"`