When using OIDC, issuer is taken from issuer-uri instead of .well-known/openid-configuration

[nyvelius]

Steps to reproduce

Enter a correct issuer-uri in application.properties. Spring is able to connect to the .well-known/openid-configuration endpoint. However, instead of using the issuer from the retrieved openid-configuration, the issuer from application.properties is used. This behavior seems odd. Isn't the point of retrieving the configuration to get the correct values?

spring.security.oauth2.resourceserver.jwt.issuer-uri=https://domain

E.g., in my case I had entered the domain without a slash in issuer-uri and got an invalid iss claim exception because the claim in the token did include a slash. This slash was accurately reflected in the response from the openid-configuration.

---

As a side note, JwtClaimValidator currently uses simple String equality. Perhaps domains with or without a trailing slash should be consirered equivalent. Although, the easy fix seems to be to keep the String equality and get the correct issuer value from the openid-configuration.

[jzheaux]

Thanks for the suggestion, @nyvelius.

This feature is working as designed. The OIDC Discovery spec states that the issuer field needs to be identical to the issuer used to request the configuration:

The issuer value returned MUST be identical to the Issuer URL that was directly used to retrieve the configuration information. This MUST also be identical to the iss Claim value in ID Tokens issued from this Issuer.

Also, it seems that changing the issuer-uri property in your application to the matching value is straightforward.

Given these, I'm hesitant to change the current behavior.