
Error thrown when domain of .well-known and .well-known issuer value don't match #154

Closed
JohnOffenhartz opened this issue Jul 27, 2017 · 2 comments

Comments

@JohnOffenhartz

We're running into an error because our provider hosts multiple .well-known endpoints, but they all share the same issuer.

Ex. https://cogolabs.onelogin.com/oidc/.well-known/openid-configuration
Has an issuer of "https://openid-connect.onelogin.com/oidc"

This specific check in go-oidc/oidc.go (line 114 at a4973d9):

    if p.Issuer != issuer {

is throwing an error because of the mismatch.

We believe this is a bug because there's nothing in the OIDC spec that requires that these be on the same domain. The only requirement is that the issuer returned by discovery MUST exactly match the value of iss in the ID Token.

@ericchiang
Collaborator

@JohnOffenhartz the spec section you're looking for is https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfig

OpenID Providers supporting Discovery MUST make a JSON document available at the path formed by concatenating the string /.well-known/openid-configuration to the Issuer.

We've seen this check regularly catch problems when users are referring to a provider through a DNS name alternative to the provider value, e.g. #121.

What do the onelogin docs say in this case? Are they actually recommending using a value different than the issuer? What's the iss field for ID tokens issued for this provider?
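
The check being discussed, as an added stand-alone example (not go-oidc's own code): it builds the discovery URL by appending /.well-known/openid-configuration to the configured issuer, as the spec section quoted above prescribes, then requires the "issuer" field of the returned document to be byte-for-byte equal to the configured issuer, which is the same strict comparison `p.Issuer != issuer` in go-oidc. The discovery document is constructed inline for the demo; the issuer and discovery host are the ones from this issue, while the endpoint URLs inside it are placeholders assumed for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// providerJSON holds the discovery fields this example needs. Only
// "issuer" matters for the check under discussion; the rest is read so a
// caller has somewhere to go after the check passes.
type providerJSON struct {
	Issuer   string `json:"issuer"`
	AuthURL  string `json:"authorization_endpoint"`
	TokenURL string `json:"token_endpoint"`
	JWKSURL  string `json:"jwks_uri"`
}

// DiscoveryURL forms the well-known URL the way OpenID Connect Discovery
// section 4 prescribes: "/.well-known/openid-configuration" concatenated
// to the issuer. A trailing slash on the issuer is dropped first so the
// path separator is not doubled.
func DiscoveryURL(issuer string) string {
	return strings.TrimSuffix(issuer, "/") + "/.well-known/openid-configuration"
}

// CheckIssuer decodes a discovery document and requires its "issuer" to be
// exactly equal to the issuer the client was configured with. No
// normalisation is applied (no case folding, no trailing-slash trimming):
// a client that accepts a document whose issuer differs from the URL it
// fetched it from would also accept a document served by some other host
// that merely claims the trusted issuer's name. On success the parsed
// document is returned so its endpoints can be used.
func CheckIssuer(configured string, doc []byte) (*providerJSON, error) {
	var p providerJSON
	if err := json.Unmarshal(doc, &p); err != nil {
		return nil, fmt.Errorf("decode discovery document: %w", err)
	}
	if p.Issuer != configured {
		return nil, fmt.Errorf("issuer did not match the issuer returned by provider, expected %q got %q",
			configured, p.Issuer)
	}
	return &p, nil
}

// oneloginDoc is a constructed discovery document for the demo. The issuer
// value is the one reported in this issue; the endpoint URLs are
// placeholders assumed for the example, not values taken from the provider.
var oneloginDoc = []byte(`{
  "issuer": "https://openid-connect.onelogin.com/oidc",
  "authorization_endpoint": "https://openid-connect.onelogin.com/oidc/auth",
  "token_endpoint": "https://openid-connect.onelogin.com/oidc/token",
  "jwks_uri": "https://openid-connect.onelogin.com/oidc/certs"
}`)

func main() {
	// First issuer: the tenant host from the issue. The document it serves
	// names a different issuer, so the strict check rejects it.
	// Second issuer: the value the provider actually reports. Discovery is
	// then fetched from that issuer's own well-known path and the check passes.
	for _, issuer := range []string{
		"https://cogolabs.onelogin.com/oidc",
		"https://openid-connect.onelogin.com/oidc",
	} {
		fmt.Println("fetch:", DiscoveryURL(issuer))
		if _, err := CheckIssuer(issuer, oneloginDoc); err != nil {
			fmt.Println("  rejected:", err)
			continue
		}
		fmt.Println("  accepted")
	}
}
```

Configuring the client with the issuer the provider reports (and that its ID tokens carry in iss) makes both the discovery check and the later iss check agree; configuring it with an alternative hostname is what trips the comparison.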

@ericchiang
Collaborator

Closing because it's not obvious there's a bug on our end. Please comment if you have more info and we can re-open.
