auth-openshift: OIDC discovery issuer information must match the conf…

…igured issuer

pkg/auth/auth_openshift.go

@@ -96,8 +96,8 @@ func (o *openShiftAuth) getOIDCDiscoveryInternal(ctx context.Context) (*oidcDisc
 			wellKnownURL, err)
 	}
 
-	if err := validateAbsURL(metadata.Issuer); err != nil { // FIXME: must validate issuer == o.Issuer
-		return nil, err
+	if metadata.Issuer != o.issuerURL {
+		return nil, fmt.Errorf("discovery provided unexpected issuer URL (%s)", metadata.Issuer)
 	}
 
 	if err := validateAbsURL(metadata.Auth); err != nil {
@@ -108,19 +108,6 @@ func (o *openShiftAuth) getOIDCDiscoveryInternal(ctx context.Context) (*oidcDisc
 		return nil, err
 	}
 
-	// Make sure we can talk to the issuer endpoint.
-	req, err = http.NewRequest(http.MethodHead, metadata.Issuer, nil)
-	if err != nil {
-		return nil, err
-	}
-
-	resp, err = o.getClient().Do(req.WithContext(ctx))
-	if err != nil {
-		return nil, fmt.Errorf("request to OAuth issuer endpoint %s failed: %v",
-			metadata.Token, err)
-	}
-	defer resp.Body.Close()
-
 	return metadata, nil
 }