Error thrown when Domain of well.known and well.known Issuer value don't match #154
We're running into an error because our Provider hosts multiple well.known endpoints, but they all share the same issuer.

Ex.
https://cogolabs.onelogin.com/oidc/.well-known/openid-configuration
has an issuer of
"https://openid-connect.onelogin.com/oidc"

This specific check in go-oidc/oidc.go (line 114 in a4973d9):

    if p.Issuer != issuer

We believe this is a bug because there's nothing in the OIDC spec that requires that these be on the same domain. The only requirement is that

    The issuer returned by discovery MUST exactly match the value of iss in the ID Token.

Comments

@JohnOffenhartz the spec section you're looking for is https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfig

We've seen this check regularly catch problems when users are referring to a provider through a DNS name alternative to the provider value. e.g. #121 What do the onelogin docs say in this case? Are they actually recommending using a value different than the issuer? What's the

Closing because it's not obvious there's a bug on our end. Please comment if you have more info and we can re-open.
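The two checks the thread argues about, side by side, as an added example in Go (this is illustrative code, not go-oidc's own implementation; the trimmed providerJSON struct, the constructed metadata document and the function names are assumptions, while the two issuer URLs are the ones quoted in the issue). checkDiscoveredIssuer is the strict comparison the issue quotes from oidc.go (the configured issuer must equal the issuer field of the fetched document, which is what fires when a client is pointed at an alternate DNS name), and checkIDTokenIssuer is the Core-spec requirement the reporter cites (the iss claim must exactly match the discovered issuer). Both are kept, because the second one only gives the expected guarantee if the first has already pinned which issuer the fetched endpoints and keys belong to.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Issuer values quoted in the issue: the host the reporter fetched discovery
// from, and the issuer that document declares.
const (
	altHostIssuer = "https://cogolabs.onelogin.com/oidc"
	pageIssuer    = "https://openid-connect.onelogin.com/oidc"
)

// sampleMetadata is a constructed provider metadata document (not a real
// response); only the issuer field is taken from the issue, the endpoints
// are placeholders under the same issuer.
const sampleMetadata = `{
  "issuer": "https://openid-connect.onelogin.com/oidc",
  "authorization_endpoint": "https://openid-connect.onelogin.com/oidc/auth",
  "token_endpoint": "https://openid-connect.onelogin.com/oidc/token",
  "jwks_uri": "https://openid-connect.onelogin.com/oidc/certs"
}`

// providerJSON holds the subset of OpenID Provider Metadata used here
// (hypothetical, trimmed-down struct; go-oidc's own type has more fields).
type providerJSON struct {
	Issuer   string `json:"issuer"`
	AuthURL  string `json:"authorization_endpoint"`
	TokenURL string `json:"token_endpoint"`
	JWKSURL  string `json:"jwks_uri"`
}

// discoveryURL derives the well-known URL from an issuer the way the
// Discovery spec describes: issuer + "/.well-known/openid-configuration".
func discoveryURL(issuer string) string {
	return strings.TrimSuffix(issuer, "/") + "/.well-known/openid-configuration"
}

// checkDiscoveredIssuer is the strict check quoted in the issue: the issuer
// the client was configured with must equal the issuer the fetched document
// declares. A mismatch means the endpoints and jwks_uri in that document are
// not pinned to the issuer the client intends to trust.
func checkDiscoveredIssuer(configuredIssuer string, body []byte) (*providerJSON, error) {
	var p providerJSON
	if err := json.Unmarshal(body, &p); err != nil {
		return nil, fmt.Errorf("decoding provider metadata: %w", err)
	}
	if p.Issuer != configuredIssuer {
		return nil, fmt.Errorf("issuer did not match the issuer returned by provider, expected %q got %q",
			configuredIssuer, p.Issuer)
	}
	return &p, nil
}

// checkIDTokenIssuer is the requirement the reporter cites from the Core
// spec: the iss claim of the ID Token must exactly match the discovered issuer.
// claims is the already-verified JWT payload (signature verification is out
// of scope for this example).
func checkIDTokenIssuer(discoveredIssuer string, claims map[string]interface{}) error {
	iss, _ := claims["iss"].(string)
	if iss != discoveredIssuer {
		return fmt.Errorf("id token issued by a different provider, expected %q got %q",
			discoveredIssuer, iss)
	}
	return nil
}

func main() {
	// Configured with the alternate DNS name: the strict check fails, as in the issue.
	if _, err := checkDiscoveredIssuer(altHostIssuer, []byte(sampleMetadata)); err != nil {
		fmt.Println("alternate host:", err)
	}
	// Configured with the declared issuer: both checks pass.
	p, err := checkDiscoveredIssuer(pageIssuer, []byte(sampleMetadata))
	if err != nil {
		fmt.Println("unexpected:", err)
		return
	}
	fmt.Println("discovery URL:", discoveryURL(p.Issuer))
	fmt.Println("iss check:", checkIDTokenIssuer(p.Issuer, map[string]interface{}{"iss": pageIssuer}))
}
```

Running it shows the same mismatch message shape the reporter hit when the client is configured with the alternate host, and a clean pass when it is configured with the issuer the document actually declares, which is the workaround the maintainer's reply points toward.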