issuer in discovery document contains trailing '/'

[leo-baltus]

Describe the bug
Setting urls.self.issuer in the configuration without a trailing slash results in the issuer being advertised in the discovery document with a trailing slash. As clients need to validate this information it should be deterministic.

Reproducing the bug

docker run -p 4444:4444 \
    -e URLS_SELF_ISSUER=https://auth.example.com \
    -e DSN=memory \
    oryd/hydra:v1.0.0-rc.16 serve all --dangerous-force-http

curl -s localhost:4444/.well-known/openid-configuration | jq .issuer
"https://auth.example.com/"

I expected "https://auth.example.com"

Server logs

time="2019-06-25T11:44:32Z" level=warning msg="HTTPS disabled. Never do this in production."
time="2019-06-25T11:44:36Z" level=info msg="started handling request" method=GET remote="172.17.0.1:40196" request=/.well-known/openid-configuration
time="2019-06-25T11:44:36Z" level=info msg="completed handling request" measure#hydra/public: https://auth.example.com/.latency=814000 method=GET remote="172.17.0.1:40196" request=/.well-known/openid-configuration status=200 text_status=OK took="814µs"

Additional context
Other OP's:

curl -s https://accounts.google.com/.well-known/openid-configuration | jq .issuer
"https://accounts.google.com"

Okta https://developer.okta.com/docs/reference/api/oidc/#response-example-success-6

Only auth0 seems to add a trailing slash as far as I can see.

When migrating to hydra I would like to avoid reconfiguring all clients.

[aeneasr]

Dupe of #1041

[leo-baltus]

I see. The point is that the '/' addition cannot be undone. If I wanted a trailing slash I could have said so in the configuration.

[aeneasr]

I don't understand the problem, to be honest. The issuer value is advertised in .well-known/openid-configuration and oidc compliant clients should adhere to the issuer value from there. It therefore should not matter if there's a trailing slash or not.

[leo-baltus]

The client should verify the issuer. If you have existing clients, with some OP that does not state the trailings slash and migrate to Hydra, verification fails because of this.
Edit: removed some wording, didn't mean to give the wrong impression, sorry about that.

[aeneasr]

Again, the issuer url should be fetched from /.well-known/openid-configuration and not be hardcoded. You point your client to e.g. https://foo/.well-known/openid-configuration and then you point it to https://bar/.well-known/openid-configuration�. The client fetches the issuer value for verification from that JSON Payload.

Additionally, this allows the OP to update the configuration (e.g. new issuer url) without having to update all of the clients by hand.

If the clients consuming your OP are oidc conformant, they should verify the ID Token using that mechanism. That is the whole point of OIDC Dynamic Discovery.

[leo-baltus]

How would the client know about https://bar/.well-known/openid-configuration ? So far I am assuming updating the OP should be an in-place replacement.

The error I was facing was this from line:
https://github.com/coreos/go-oidc/blob/8ae1da518bd4d9d5a5909090a184af30f336436d/oidc.go#L124

[leo-baltus]

Maybe superfluous, but from https://tools.ietf.org/html/draft-ietf-oauth-discovery-01#section-5

   By default, for historical reasons, unless an application-specific
   well-known URI path suffix is registered and used for an application,
   the client for that application SHOULD use the well-known URI path
   suffix "openid-configuration" and publish the metadata document at
   the path formed by concatenating "/.well-known/openid-configuration"
   to the authorization server's issuer identifier.  As described in
   Section 5, despite the identifier
   "/.well-known/openid-configuration", appearing to be OpenID-specific,
   its usage in this specification is actually referring to a general
   OAuth 2.0 feature that is not specific to OpenID Connect.

I conclude that the '/' is part of the .well-known part, not the issuer.

[aeneasr]

How would the client know about https://bar/.well-known/openid-configuration ? So far I am assuming updating the OP should be an in-place replacement.

It's a standard. go-oidc uses that endpoint: https://github.com/coreos/go-oidc/blob/8ae1da518bd4d9d5a5909090a184af30f336436d/oidc.go#L97

The error I was facing was this from line:
https://github.com/coreos/go-oidc/blob/8ae1da518bd4d9d5a5909090a184af30f336436d/oidc.go#L124

The CoreOS client apparently uses the parameter to initialize the client with that issuer value, and compares it with the value from openid-configuration. If they mismatch, it throws an error. This is a choice by the library, not by the OpenID Connect specification. Please contact the maintainers to allow small mismatches in the configuration, such as a missing trailing slash.

I conclude that the '/' is part of the .well-known part, not the issuer.

That conclusion is unfortunately wrong and also stems from OAuth 2.0 Discovery, which is unrelated to OpenID Connect.

I'm closing this because we won't change the behavior in this system for the points made above. As stated in the other issue, not enforcing the trailing (or not) slash causes even more confusion with developers and punishes small mistakes (like forgetting the trailing slash in some config) severely with hour-long debugging sessions due to a small typo.

[aeneasr]

fwiw coreos/go-oidc#203

[aeneasr]

The issuer URL used to retrieve the OpenID Configuration Discovery must be equal to the one returned by the discovery document. We could therefore add an option to append or strip trailing slashes in the configuration item. This is required because we would introduce a breaking change to existing deployments and must therefore keep existing behavior as is.

[vinckr]

Does this #2014 close this issue? @tacurran @k9ert

[aeneasr]

No!

[diefans]

anything new about this?

[github-actions]

I am marking this issue as stale as it has not received any engagement from the community or maintainers in over half a year. That does not imply that the issue has no merit! If you feel strongly about this issue

• open a PR referencing and resolving the issue;
• leave a comment on it and discuss ideas how you could contribute towards resolving it;
• open a new issue with updated details and a plan on resolving the issue.

We are cleaning up issues every now and then, primarily to keep the 4000+ issues in our backlog in check and to prevent maintainer burnout. Burnout in open source maintainership is a widespread and serious issue. It can lead to severe personal and health issues as well as enabling catastrophic attack vectors.

Thank you for your understanding and to anyone who participated in the issue! 🙏✌️

If you feel strongly about this issues and have ideas on resolving it, please comment. Otherwise it will be closed in 30 days!

[aeneasr]

Marked as stale in error.

[gabricar]

Any chance that 1.11.x gets this fix?