i-am-bee · JanPokorny · Mar 11, 2026 · Mar 11, 2026 · gemini-code-assist · Mar 11, 2026
diff --git a/apps/agentstack-server/src/agentstack_server/api/auth/auth.py b/apps/agentstack-server/src/agentstack_server/api/auth/auth.py
@@ -178,8 +178,9 @@ async def discover_issuer(provider: OidcProvider) -> AuthorizationServerMetadata
                 response.raise_for_status()
                 metadata = AuthorizationServerMetadata(response.json())
                 metadata.validate_issuer()
-                metadata.validate_jwks_uri()
-                metadata.validate_introspection_endpoint()
+                if provider.issuer.scheme == "https":
+                    metadata.validate_jwks_uri()
+                    metadata.validate_introspection_endpoint()
             except Exception as e:
                 # Fallback to OIDC 1.0
                 try:
@@ -188,8 +189,9 @@ async def discover_issuer(provider: OidcProvider) -> AuthorizationServerMetadata
                     response.raise_for_status()
                     metadata = OpenIDProviderMetadata(response.json())
                     metadata.validate_issuer()
-                    metadata.validate_jwks_uri()
-                    metadata.validate_introspection_endpoint()
+                    if provider.issuer.scheme == "https":
+                        metadata.validate_jwks_uri()
+                        metadata.validate_introspection_endpoint()
                 except Exception as fallback_e:
                     logger.warning(f"Issuer discovery fallback failed for provider {provider.issuer}: {fallback_e}")
                     raise fallback_e from e

diff --git a/apps/agentstack-server/src/agentstack_server/configuration.py b/apps/agentstack-server/src/agentstack_server/configuration.py
@@ -131,8 +131,8 @@ def provider(self) -> OidcProvider:
     @model_validator(mode="after")
     def validate_auth(self):
         if self.insecure_transport:
-            if self.issuer.scheme != "http" or self.issuer.host != "keycloak":
-                raise ValueError("Insecure transport is only allowed for internal keycloak!")
+            if self.issuer.scheme != "http":
+                raise ValueError("Insecure transport is only allowed when the issuer URL uses http:// scheme!")
 
             os.environ["AUTHLIB_INSECURE_TRANSPORT"] = "1"
             logger.warning(