OpenID Connect: ensure consistent issuer URL

root_url does not know the right protocol in all contexts, some clients are strict when validating this.
diaspora · Oct 24, 2020 · 0aba20f · 0aba20f
1 parent d27cd17
commit 0aba20f
Show file tree

Hide file tree

Showing 3 changed files with 3 additions and 3 deletions.
diff --git a/app/controllers/api/openid_connect/discovery_controller.rb b/app/controllers/api/openid_connect/discovery_controller.rb
@@ -28,7 +28,7 @@ module OpenidConnect
     class DiscoveryController < ApplicationController
       def configuration
         render json: OpenIDConnect::Discovery::Provider::Config::Response.new(
-          issuer:                                      root_url,
+          issuer:                                      AppConfig.environment.url,
           registration_endpoint:                       api_openid_connect_clients_url,
           authorization_endpoint:                      new_api_openid_connect_authorization_url,
           token_endpoint:                              api_openid_connect_access_tokens_url,

diff --git a/lib/api/openid_connect/id_token.rb b/lib/api/openid_connect/id_token.rb
@@ -53,7 +53,7 @@ def to_response_object(options={})
       def claims
         sub = build_sub
         @claims ||= {
-          iss:       Rails.application.routes.url_helpers.root_url,
+          iss:       AppConfig.environment.url,
           sub:       sub,
           aud:       @authorization.o_auth_application.client_id,
           exp:       @expires_at.to_i,

diff --git a/spec/controllers/api/openid_connect/discovery_controller_spec.rb b/spec/controllers/api/openid_connect/discovery_controller_spec.rb
@@ -8,7 +8,7 @@
 
     it "should have the issuer as the root url" do
       json_body = JSON.parse(response.body)
-      expect(json_body["issuer"]).to eq(root_url)
+      expect(json_body["issuer"]).to eq(AppConfig.environment.url)
     end
 
     it "should have the appropriate user info endpoint" do