Multiple Providers MetaDataURL validation

[OlivierBOEL]

Hello,

I have followed this wiki [1] and successfully configured multiple Providers.
However, I'm facing an issue with a particular provider because the issuer validation fails [2]; indeed, there is a discrepancy between MetaDataURL (https://host:port/A/B/C/D/.well-known/openid-configuration) and issuer (https://host:port/A/B).
Is there any way to disable issuer validation?
I tried "OIDCValidateIssuer Off" with no luck (it's about id_token, not MetaaDataURL).
Any idea?

Thanks,

Olivier

[1] https://github.com/OpenIDC/mod_auth_openidc/wiki/Multiple-Providers

[2]

mod_auth_openidc/src/metadata.c

Lines 253 to 262 in f47d819

	/* check that the issuer matches */
	if (issuer != NULL) {
	if (oidc_util_issuer_match(issuer, s_issuer) == FALSE) {
	oidc_error(r,
	"requested issuer (%s) does not match the \"" OIDC_METADATA_ISSUER
	"\" value in the provider metadata file: %s",
	issuer, s_issuer);
	return FALSE;
	}
	}

[zandbelt]

you should able to rename the <issuer>.* files in the metadata directory for this provider so they match the issuer

[OlivierBOEL]

Thanks for the very quick reply, Hans!

Unfortunately, if I rename host:port/A/B/C/D (URL encoded) into host:port/A/B, OpenIDC module faiils to retrieve MetaData because https://host:port/A/B/.well-known/openid-configuration does not exist.
Did I miss something?

Thanks,

Olivier

[OlivierBOEL]

I forgot to mention that this host:port/A/B/C/D (URL encoded) .provider file is initially empty.
So, on first request involving this provider, the file is automatically populated by fetching https://host:port/A/B/C/D/.well-known/openid-configuration (which is a nice feature). Unfortunately, this step fails because isssuer in MetaDataURL (https://host:port/A/B) does not match the expected value (https://host:port/A/B/C/D).
That's what I would like to get around.
At the moment, as workaround, I manually populated host:port/A/B.provider from https://host:port/A/B/C/D/.well-known/openid-configuration.

Thanks again!

[zandbelt]

that is indeed the workaround that I was suggesting as well: just manually populate host:port/A/B.provider ; you should not see any attempt to pull in the metadata again, assuming you're using the correct issuer name in whatever mechanism you use to trigger SSO to it

[OlivierBOEL]

Thanks for the reply, Hans!
Would you consider extending "OIDCValidateIssuer Off" to MetaDataURL issuer validation in a future release? This would allow to avoid manual population of the provider file.
Thanks in advance!

[zandbelt]

not really: it would break OpenID Connect certification conformance; it is really the provider that is at fault here, it does not conform to the OpenID Connect Discovery spec and should be fixed; moreover, rather than using the wrong issuer, arguably it publishes the metadata at the wrong endpoint; the workaround is quite suitable here, it does not make any difference after the initial retrieval; also, I will consider removing support for OIDCValidateIssuer Off in the future as the time that mod_auth_openidc needs to adapt to broken providers is history by now

[OlivierBOEL]

Thank you very much for the support!

[OlivierBOEL]

It seems this Issuer check is not implemented when processing OIDCProviderMetadataURL.
Am I right?
If so, could you explain why?

[zandbelt]

because that is a static configuration pointing to a "custom metadata location" whereas in the multiple provider setup (designed for dynamic client registration btw.) there's a relationship between the metadata location and the issuer that an attacker could abuse

you could also set the individual OIDCProvider* primitives, same reasoning