When using OIDC, issuer is taken from issuer-uri instead of .well-known/openid-configuration #9410
Labels: status: declined (A suggestion or change that we don't feel we should currently apply); type: bug (A general bug)
Steps to reproduce
Enter a correct issuer-uri in application.properties. Spring is able to connect to the .well-known/openid-configuration endpoint. However, instead of using the issuer from the retrieved openid-configuration, the issuer from application.properties is used. This behavior seems odd. Isn't the point of retrieving the configuration to get the correct values?

E.g., in my case I had entered the domain without a slash in issuer-uri and got an invalid iss claim exception because the claim in the token did include a slash. This slash was accurately reflected in the response from the openid-configuration.

As a side note, JwtClaimValidator currently uses simple String equality. Perhaps domains with or without a trailing slash should be considered equivalent. Although, the easy fix seems to be to keep the String equality and get the correct issuer value from the openid-configuration.
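As an added illustration (not code from the issue or from Spring Security), the Python below models the two behaviours the report contrasts: validating the iss claim with exact string equality against the configured issuer-uri, versus validating it against the issuer string taken from the discovery document. The discovered issuer is accepted only if it names the same authority as the configured one, with a trailing slash as the only tolerated difference, so a discovery response cannot silently swap the trusted issuer. All URIs and claims are constructed sample values.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed sample values modelling the report: issuer-uri configured without a
# trailing slash, while the discovery document and the token's iss claim carry one.
CONFIGURED_ISSUER_URI = "https://idp.example.com"
DISCOVERY_DOC = {
    "issuer": "https://idp.example.com/",
    "jwks_uri": "https://idp.example.com/.well-known/jwks.json",
}
TOKEN_CLAIMS = {"iss": "https://idp.example.com/", "sub": "alice"}


def normalize_issuer(uri: str) -> str:
    """Canonical form used only to decide whether two spellings name the same
    issuer: lowercase scheme and host, drop a single trailing slash on the path."""
    parts = urlsplit(uri)
    path = parts.path[:-1] if parts.path.endswith("/") else parts.path
    return urlunsplit((parts.scheme.lower(), parts.netloc.lower(), path,
                       parts.query, parts.fragment))


def validate_iss_configured(claims: dict, configured_issuer: str) -> bool:
    """Behaviour described in the issue: exact equality against issuer-uri.
    Fails on the slash mismatch even though both name the same issuer."""
    return claims.get("iss") == configured_issuer


def resolve_issuer(configured_issuer: str, discovery_doc: dict) -> str:
    """Return the issuer string to validate tokens against.

    Discovery requires the document's issuer to match the location it was fetched
    from, so the discovered value is used only if it is the same authority as the
    configured issuer-uri; anything else is treated as a misconfiguration."""
    discovered = discovery_doc["issuer"]
    if normalize_issuer(discovered) != normalize_issuer(configured_issuer):
        raise ValueError(
            f"discovery issuer {discovered!r} does not match configured "
            f"issuer-uri {configured_issuer!r}")
    return discovered


def validate_iss_discovered(claims: dict, configured_issuer: str,
                            discovery_doc: dict) -> bool:
    """Exact comparison is kept; only the reference value comes from discovery."""
    return claims.get("iss") == resolve_issuer(configured_issuer, discovery_doc)
```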