Issuer url is allways fallowed by / even when defined without

[bbulczynski]

Please give it a look, cosmetic issue
Do you want to request a feature or report a bug?
Bug
What is the current behavior?
Issuer url on iss claim on idToken and accessToken is always finished with "/" sign, same thing with issuer value on /.well-known/openid-configuration.

If the current behavior is a bug, please provide the steps to reproduce and if possible a minimal demo of the problem.
0. Based on 5 minute tutorial config

1. Set OAUTH2_ISSUER_URL issuer parameter value for Hydra to http://localhost:4444
2. Start Hydra
3. go to /.well-known/openid-configuration and check issuer, it contains http://localhost:4444/
4. check idToken and accessToken claim iss contains value http://localhost:4444/

What is the expected behavior?
Issuer value should be used as it is defined. In this example it should be: http://localhost:4444

Which version of the software is affected?
V 1.0.0-beta.8 and V 1.0.0-beta.9

[aeneasr]

This is intended behavior. First of all, there is no difference between http://localhost:4444 and http://localhost:4444/. But there is a difference between http://localhost:4444/foo and http://localhost:4444/foo/. The second is a path, the first is a file. The authorization server is a collection of things (path).

Unless there is a proper issue with this (which I'm sure there isn't), this will not change.

[bbulczynski]

Ok, I understand your point of view. I understand functional diference between those urls, still... when you share url without path part the convention is to ommit singular / sign. Look at what OpenID Connect has to say about issuer identifier

16.15. Issuer Identifier

OpenID Connect supports multiple Issuers per Host and Port combination. The issuer returned by discovery MUST exactly match the value of iss in the ID Token.

OpenID Connect treats the path component of any Issuer URI as being part of the Issuer Identifier. For instance, the subject "1234" with an Issuer Identifier of "https://example.com" is not equivalent to the subject "1234" with an Issuer Identifier of "https://example.com/sales".

It is RECOMMENDED that only a single Issuer per host be used. However, if a host supports multiple tenants, multiple Issuers for that host may be needed.

even the spec is giving example without trailing /

also same spec at Terminoogy part states that path part is optional and your decision makes it obligatory in at least "/" form

Issuer Identifier
Verifiable Identifier for an Issuer. An Issuer Identifier is a case sensitive URL using the https scheme that contains scheme, host, and optionally, port number and path components and no query or fragment components.

Please reconsider distinguishing behavior when issuer is defined with and without path part in uri.

[aeneasr]

The examples are just that, examples. But the bigger question is, why do you care and why is this a problem? Is there a client library that expects this to not have a trailing slash?

Streamlining the little things (like this) is extremely important. Let's assume you run two instances with equal configs but forget to add the / to one of the configs. Now tokens from instance A can not be verified by some clients because they expect a trailing slash.

Removing this would not improve the product, it would degrade developer experience (making it easier to make simple mistakes). Unless there's a proper issue here, again, this is expected and will not be changed.

[nyvelius]

It seems some frameworks (e.g. Spring Security 2.4.2) don't take take the issuer from openid-configuration, but from the url used to call the openid-configuration endpoint.

spring-projects/spring-security#9410