fix: support issuer with and without trailing slash

BREAKING CHANGE: The `iss` (issuer) value no longer appends a trailing slash but instead uses the raw value set in the config. Setting ```yaml urls: self: issuer: https://auth.example.com ``` has changed ```patch - "iss": "https://auth.example.com/" + "iss": "https://auth.example.com" ``` To set a trailing slash make sure to set it in the config value: ```yaml urls: self: issuer: https://auth.example.com/ ``` Closes #1482
ory · Sep 7, 2022 · d746fa4 · d746fa4
1 parent 1ab345b
commit d746fa4
Show file tree

Hide file tree

Showing 5 changed files with 13 additions and 16 deletions.
diff --git a/driver/config/provider.go b/driver/config/provider.go
@@ -314,9 +314,7 @@ func (p *DefaultProvider) PublicURL(ctx context.Context) *url.URL {
 }
 
 func (p *DefaultProvider) IssuerURL(ctx context.Context) *url.URL {
-	issuerURL := p.getProvider(ctx).RequestURIF(KeyIssuerURL, p.fallbackURL(ctx, "/", p.host(PublicInterface), p.port(PublicInterface)))
-	issuerURL.Path = strings.TrimRight(issuerURL.Path, "/") + "/"
-	return urlRoot(issuerURL)
+	return p.getProvider(ctx).RequestURIF(KeyIssuerURL, p.fallbackURL(ctx, "/", p.host(PublicInterface), p.port(PublicInterface)))
 }
 
 func (p *DefaultProvider) OAuth2ClientRegistrationURL(ctx context.Context) *url.URL {

diff --git a/driver/config/provider_test.go b/driver/config/provider_test.go
@@ -154,7 +154,7 @@ func TestProviderIssuerURL(t *testing.T) {
 	l.Logrus().SetOutput(ioutil.Discard)
 	p := MustNew(context.Background(), l)
 	p.MustSet(ctx, KeyIssuerURL, "http://hydra.localhost")
-	assert.Equal(t, "http://hydra.localhost/", p.IssuerURL(ctx).String())
+	assert.Equal(t, "http://hydra.localhost", p.IssuerURL(ctx).String())
 
 	p2 := MustNew(context.Background(), l)
 	p2.MustSet(ctx, KeyIssuerURL, "http://hydra.localhost/")
@@ -169,7 +169,7 @@ func TestProviderIssuerPublicURL(t *testing.T) {
 	p.MustSet(ctx, KeyIssuerURL, "http://hydra.localhost")
 	p.MustSet(ctx, KeyPublicURL, "http://hydra.example")
 
-	assert.Equal(t, "http://hydra.localhost/", p.IssuerURL(ctx).String())
+	assert.Equal(t, "http://hydra.localhost", p.IssuerURL(ctx).String())
 	assert.Equal(t, "http://hydra.example/", p.PublicURL(ctx).String())
 	assert.Equal(t, "http://hydra.localhost/.well-known/jwks.json", p.JWKSURL(ctx).String())
 	assert.Equal(t, "http://hydra.example/oauth2/fallbacks/consent", p.ConsentURL(ctx).String())
@@ -180,7 +180,7 @@ func TestProviderIssuerPublicURL(t *testing.T) {
 	assert.Equal(t, "http://hydra.example/userinfo", p.OIDCDiscoveryUserinfoEndpoint(ctx).String())
 
 	p2 := MustNew(context.Background(), l)
-	p2.MustSet(ctx, KeyIssuerURL, "http://hydra.localhost")
+	p2.MustSet(ctx, KeyIssuerURL, "http://hydra.localhost/")
 	assert.Equal(t, "http://hydra.localhost/", p2.IssuerURL(ctx).String())
 	assert.Equal(t, "http://hydra.localhost/", p2.PublicURL(ctx).String())
 	assert.Equal(t, "http://hydra.localhost/.well-known/jwks.json", p2.JWKSURL(ctx).String())
@@ -283,7 +283,7 @@ func TestViperProviderValidates(t *testing.T) {
 	assert.Equal(t, []string{"whatever"}, c.DefaultClientScope(ctx))
 
 	// urls
-	assert.Equal(t, urlx.ParseOrPanic("https://issuer/"), c.IssuerURL(ctx))
+	assert.Equal(t, urlx.ParseOrPanic("https://issuer"), c.IssuerURL(ctx))
 	assert.Equal(t, urlx.ParseOrPanic("https://public/"), c.PublicURL(ctx))
 	assert.Equal(t, urlx.ParseOrPanic("https://login/"), c.LoginURL(ctx))
 	assert.Equal(t, urlx.ParseOrPanic("https://consent/"), c.ConsentURL(ctx))

diff --git a/oauth2/.snapshots/TestHandlerWellKnown-hsm_enabled=false.json b/oauth2/.snapshots/TestHandlerWellKnown-hsm_enabled=false.json
@@ -1,5 +1,5 @@
 {
-  "issuer": "http://hydra.localhost/",
+  "issuer": "http://hydra.localhost",
   "authorization_endpoint": "http://hydra.localhost/oauth2/auth",
   "registration_endpoint": "http://client-register/registration",
   "token_endpoint": "http://hydra.localhost/oauth2/token",

diff --git a/oauth2/handler.go b/oauth2/handler.go
@@ -237,7 +237,7 @@ func (h *Handler) WellKnownHandler(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 	h.r.Writer().Write(w, r, &WellKnown{
-		Issuer:                                 strings.TrimRight(h.c.IssuerURL(r.Context()).String(), "/") + "/",
+		Issuer:                                 h.c.IssuerURL(r.Context()).String(),
 		AuthURL:                                h.c.OAuth2AuthURL(r.Context()).String(),
 		TokenURL:                               h.c.OAuth2TokenURL(r.Context()).String(),
 		JWKsURI:                                h.c.JWKSURL(r.Context()).String(),
@@ -506,7 +506,7 @@ func (h *Handler) IntrospectHandler(w http.ResponseWriter, r *http.Request, _ ht
 		Username:          session.GetUsername(),
 		Extra:             session.Extra,
 		Audience:          audience,
-		Issuer:            strings.TrimRight(h.c.IssuerURL(ctx).String(), "/") + "/",
+		Issuer:            h.c.IssuerURL(ctx).String(),
 		ObfuscatedSubject: obfuscated,
 		TokenType:         resp.GetAccessTokenType(),
 		TokenUse:          string(resp.GetTokenUse()),
@@ -616,7 +616,7 @@ func (h *Handler) TokenHandler(w http.ResponseWriter, r *http.Request) {
 		}
 		session.ClientID = accessRequest.GetClient().GetID()
 		session.KID = accessTokenKeyID
-		session.DefaultSession.Claims.Issuer = strings.TrimRight(h.c.IssuerURL(r.Context()).String(), "/") + "/"
+		session.DefaultSession.Claims.Issuer = h.c.IssuerURL(r.Context()).String()
 		session.DefaultSession.Claims.IssuedAt = time.Now().UTC()
 
 		var scopes = accessRequest.GetRequestedScopes()
@@ -749,9 +749,8 @@ func (h *Handler) AuthHandler(w http.ResponseWriter, r *http.Request, _ httprout
 
 	authorizeRequest.SetID(session.ID)
 	claims := &jwt.IDTokenClaims{
-		Subject: obfuscatedSubject,
-		Issuer:  strings.TrimRight(h.c.IssuerURL(ctx).String(), "/") + "/",
-
+		Subject:                             obfuscatedSubject,
+		Issuer:                              h.c.IssuerURL(ctx).String(),
 		AuthTime:                            time.Time(session.AuthenticatedAt),
 		RequestedAt:                         session.RequestedAt,
 		Extra:                               session.Session.IDToken,

diff --git a/oauth2/introspector_test.go b/oauth2/introspector_test.go
@@ -137,7 +137,7 @@ func TestIntrospectorSDK(t *testing.T) {
 					assert.Equal(t, "alice", c.Sub)
 					assert.Equal(t, now.Add(time.Hour).Unix(), c.Exp, "expires at")
 					assert.Equal(t, now.Unix(), c.Iat, "issued at")
-					assert.Equal(t, "https://foobariss/", c.Iss, "issuer")
+					assert.Equal(t, "https://foobariss", c.Iss, "issuer")
 					assert.Equal(t, map[string]interface{}{"foo": "bar"}, c.Ext)
 				},
 			},
@@ -151,7 +151,7 @@ func TestIntrospectorSDK(t *testing.T) {
 					assert.Equal(t, "alice", c.Sub)
 					assert.Equal(t, now.Add(time.Hour).Unix(), c.Exp, "expires at")
 					assert.Equal(t, now.Unix(), c.Iat, "issued at")
-					assert.Equal(t, "https://foobariss/", c.Iss, "issuer")
+					assert.Equal(t, "https://foobariss", c.Iss, "issuer")
 					assert.Equal(t, map[string]interface{}{"foo": "bar"}, c.Ext)
 				},
 			},