-
Notifications
You must be signed in to change notification settings - Fork 393
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
The URL to discover and Issue need not be same #159
Comments
I'm running into the same issue. Would you be open to dropping that check or reviewing a patch that drops it @ericchiang ? |
[Resolves coreos#159]
Sorry for the delayed response, have been out of the office. Copying from a previous thread #154 (comment)
From my reading of the spec these values MUST match. |
Thanks @ericchiang! I think the relevant part of the spec is
Looks like there's a bug in the provider we're using--we'll resolve upstream. |
In my case, we are building infrastructure for the project and it makes it hard to implement public and private DNS resolutions to be the same. So basically we need a way of having correct issuer and at the same time openid-configuration should be resolvable in private. There are few ways to do this:
Would you consider to reopen this issue and accept PR with optional way to override wellknow URL? ASP.NET OIDC has option to override it - https://docs.microsoft.com/en-us/dotnet/api/microsoft.aspnetcore.builder.openidconnectoptions.metadataaddress?view=aspnetcore-1.1#Microsoft_AspNetCore_Builder_OpenIdConnectOptions_MetadataAddress |
@chaliy #161 lets you construct a verifier without using https://godoc.org/github.com/coreos/go-oidc#NewRemoteKeySet This should allow you to do discovery yourself, then construct a verifier using the remote key set with whatever issuer you want. I think I prefer this over an option to |
Microsoft active directory multi-tenancy support requires an initial configuration url of https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration And responds with "common" end points and an issuer of https://login.microsoftonline.com/{tenantid}/v2.0 It's up to the application whether or not it cares to assert that the issuer in id tokens matches the template. In our case, it is a different part of the system which knows the valid issuers. A flag option to relax the check doesn't seem like an unreasonable ask and, while it solves this provider specific use case, doesn't require anything provider specific to do so. |
@robinbryce see #204 (comment) for some discussion of the Azure case. |
In Package oidc and compilation unit oidc.go, "NewProvider (" call implementation is looks wrong.
if p.Issuer != issuer {
return nil, fmt.Errorf("oidc: issuer did not match the issuer returned by provider, expected %q got %q", issuer, p.Issuer)
}
This code looks wrong to me. I am reading the OIDC discovery code and I dont see why the URL one provides should be the URL of the Issuer.
The text was updated successfully, but these errors were encountered: