Using Membership Service Behind Authentication Layer

Last updated: April 23, 2025

When deploying Formance CloudPrem with an authentication layer in front of public URLs, special consideration is needed for the Membership service configuration.

Understanding the Limitation

While it might seem logical to use internal Kubernetes service URLs instead of public URLs for Membership configuration, this approach won't work due to OpenID Connect (OIDC) specification requirements. The OIDC specification mandates that the issuer URL in the discovery response must match the hostname of the query.

Solution

Instead of using internal service URLs, you should:

  1. Keep the public URL configuration for the Membership service

  2. Add a whitelist rule in your authentication layer to allow calls originating from within your infrastructure

Example: If your Membership service is accessed at https://example-membership.company.com, maintain this URL in the configuration and adjust your authentication layer to allow internal infrastructure calls to this endpoint.

Why This Approach is Necessary

The OIDC discovery endpoint returns a response containing various URLs, including the issuer URL. The OIDC Discovery specification requires that this issuer URL match the hostname used to query the service, and clients reject a discovery document where it does not. Using internal Kubernetes service URLs would cause such a mismatch, preventing the Membership service from starting correctly.
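The issuer check described above, as an added illustration that is not part of Formance's code or of this page: a constructed discovery document for the public Membership URL is validated once against that public URL and once against a hypothetical internal cluster URL, which fails the comparison.

```python
import json
from urllib.parse import urlsplit

# Constructed discovery response, shaped like what the public Membership issuer
# would return (example values only, not captured from a live deployment).
DISCOVERY_JSON = json.dumps({
    "issuer": "https://example-membership.company.com",
    "authorization_endpoint": "https://example-membership.company.com/oauth/authorize",
    "token_endpoint": "https://example-membership.company.com/oauth/token",
    "jwks_uri": "https://example-membership.company.com/.well-known/jwks.json",
})

# Hypothetical in-cluster service URL; the name is an assumption for this example.
INTERNAL_URL = "http://membership.formance.svc.cluster.local:8080"
PUBLIC_URL = "https://example-membership.company.com"


def discovery_url(issuer: str) -> str:
    """OIDC Discovery: the document lives at <issuer>/.well-known/openid-configuration."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"


def check_issuer(configured_issuer: str, discovery_body: str) -> tuple:
    """Apply the issuer check an OIDC client performs on the discovery document.

    The 'issuer' value must equal the URL that was queried, so scheme, host,
    port and path all have to agree. Returns (ok, reason).
    """
    doc = json.loads(discovery_body)
    returned = doc.get("issuer")
    if not returned:
        return False, "discovery document has no issuer"
    want = urlsplit(configured_issuer.rstrip("/"))
    got = urlsplit(returned.rstrip("/"))
    if (want.scheme, want.netloc) != (got.scheme, got.netloc):
        return False, (f"issuer host mismatch: queried {want.scheme}://{want.netloc}, "
                       f"document says {got.scheme}://{got.netloc}")
    if want.path != got.path:
        return False, f"issuer path mismatch: queried {want.path or '/'}, got {got.path or '/'}"
    return True, "issuer matches the queried URL"


if __name__ == "__main__":
    # Public URL: the issuer in the response equals the URL that was queried.
    print(discovery_url(PUBLIC_URL), check_issuer(PUBLIC_URL, DISCOVERY_JSON))
    # Internal URL: same document, but the host differs, so the service would refuse to start.
    print(discovery_url(INTERNAL_URL), check_issuer(INTERNAL_URL, DISCOVERY_JSON))
```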