Describe the bug
In oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/registration/ClientRegistrations.java the following assertion seems non-compliant with the OpenID discovery specs defined in https://openid.net/specs/openid-connect-discovery-1_0.html.
```java
private static ClientRegistration.Builder withProviderConfiguration(...) {
    // issuer value from the fetched Provider Configuration document
    String metadataIssuer = metadata.getIssuer().getValue();
    // must be identical to the issuer the configuration was requested for
    Assert.state(issuer.equals(metadataIssuer),
            () -> "The Issuer \"" + metadataIssuer + "\" provided in the configuration metadata did "
                    + "not match the requested issuer \"" + issuer + "\"");
    ...
}
```
The specs define in Section 3. OpenID Provider Metadata:

> issuer
> REQUIRED. URL using the https scheme with no query or fragment component that the OP asserts as its Issuer Identifier. If Issuer discovery is supported (see Section 2), this value MUST be identical to the issuer value returned by WebFinger. This also MUST be identical to the iss Claim value in ID Tokens issued from this Issuer.
In our case we have:

- no WebFinger Issuer discovery
- ID tokens issued with iss=https://idp.iamfas.int.belgium.be/fas/oauth2
- our .well-known/openid-configuration is hosted on another DNS name, https://iamapps-public.int.belgium.be/.well-known/openid-configuration, which returns:

```json
{
...
"issuer": "https://idp.iamfas.int.belgium.be/fas/oauth2",
...
}
```
I think the assertion should simply be removed because nothing seems to be mentioned in the specs about the DNS name on which .well-known/openid-configuration can be hosted.

To Reproduce
See above description.

Expected behavior
It should be allowed to have a DNS name on which .well-known/openid-configuration is hosted that is different from the value specified by the returned issuer field.
Sample
None available (above description is sufficient).
Comment From: jgrandja
@dtoch The current implementation is correct. Can you provide more details? Please debug and provide the issuer value being passed into ClientRegistrations.fromOidcIssuerLocation() and the issuer claim in the Provider Configuration response.
Comment From: dtoch
In application.yml I have:

```yaml
spring:
  security:
    oauth2:
      client:
        provider:
          fas:
            issuer-uri: https://iamapps-public.int.belgium.be
        registration:
          fas:
            client-id: BOSA-PGA_IAF_HIL
            client-secret: CONFIDENTIAL
```

The error we get is:

```
Caused by: java.lang.IllegalStateException: The Issuer "https://idp.iamfas.int.belgium.be/fas/oauth2" provided in the configuration metadata did not match the requested issuer "https://iamapps-public.int.belgium.be"
```

The problem in the spring-security code is that the above will retrieve the OIDC metadata from https://iamapps-public.int.belgium.be/.well-known/openid-configuration (this URL is public so you can access it too), but in the JSON response the "issuer" field is https://idp.iamfas.int.belgium.be/fas/oauth2. In the spring-security code the DNS name from which the metadata is retrieved (iamapps-public.int.belgium.be) has to be exactly equal to the issuer (https://idp.iamfas.int.belgium.be/fas/oauth2) ... but the OpenID Discovery specs (https://openid.net/specs/openid-connect-discovery-1_0.html) don't enforce this constraint.
Comment From: jgrandja
@dtoch Please see Section 4.3. OpenID Provider Configuration Validation:

> The issuer value returned MUST be identical to the Issuer URL that was directly used to retrieve the configuration information
I'm going to close this as the current validation is correct.
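The Section 4.3 rule cited above, applied to the values quoted in this thread, as an added Python example that is not Spring Security's code: `discovery_url`, `validate_provider_configuration`, `try_validate` and the constructed `FAS_METADATA` dict are assumptions of this example. It shows why the reporter's issuer-uri fails the comparison, that an issuer-uri identical to the issuer the provider asserts passes it, and why the check matters: it stops a document served from one host from being accepted as the configuration of an issuer it does not name.

```python
from urllib.parse import urlsplit

WELL_KNOWN_PATH = "/.well-known/openid-configuration"


class IssuerMismatchError(ValueError):
    """The discovery document's issuer is not the issuer that was requested."""


def discovery_url(issuer_uri: str) -> str:
    """Provider Configuration URL for an issuer (Discovery spec Section 4.1).

    The well-known path is appended to the issuer URL, keeping any path
    component such as ".../fas/oauth2".
    """
    return issuer_uri.rstrip("/") + WELL_KNOWN_PATH


def validate_provider_configuration(requested_issuer: str, metadata: dict) -> str:
    """Checks from Sections 3 and 4.3; returns the validated issuer.

    Section 4.3 requires the returned issuer to be identical to the Issuer URL
    used to retrieve the configuration, so this is an exact string comparison,
    the same rule the Assert.state() quoted in the issue enforces.
    """
    metadata_issuer = metadata.get("issuer")
    if not isinstance(metadata_issuer, str):
        raise ValueError("Provider Configuration is missing the REQUIRED issuer value")
    parts = urlsplit(metadata_issuer)  # Section 3: https, no query, no fragment
    if parts.scheme != "https" or parts.query or parts.fragment:
        raise ValueError(f'Issuer "{metadata_issuer}" must be https with no query or fragment')
    if metadata_issuer != requested_issuer:
        raise IssuerMismatchError(
            f'The Issuer "{metadata_issuer}" provided in the configuration metadata did '
            f'not match the requested issuer "{requested_issuer}"'
        )
    return metadata_issuer


# Constructed stand-in for the document quoted in the thread: only the issuer
# value is taken from the thread, every other metadata field is omitted.
FAS_METADATA = {"issuer": "https://idp.iamfas.int.belgium.be/fas/oauth2"}


def try_validate(requested_issuer: str, metadata: dict) -> str:
    """Return "ok" or the validation error message."""
    try:
        validate_provider_configuration(requested_issuer, metadata)
        return "ok"
    except ValueError as exc:  # IssuerMismatchError is a ValueError
        return str(exc)


if __name__ == "__main__":
    # issuer-uri from the reporter's application.yml (host of the well-known document): fails
    print(try_validate("https://iamapps-public.int.belgium.be", FAS_METADATA))
    # issuer-uri equal to the issuer the provider asserts: passes the comparison
    print(try_validate("https://idp.iamfas.int.belgium.be/fas/oauth2", FAS_METADATA))
```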