fix: new odic.Provider for apple with insecure issuer url context (#2055)

hf · web-flow · commit 23d69f1c450b · 2025-06-11T06:57:10.000+02:00
Apple's ID tokens sometimes say `https://appleid.apple.com` but the well-known URL returns that the issuer should be `https://account.apple.com`.
diff --git a/internal/api/token_oidc.go b/internal/api/token_oidc.go
@@ -127,7 +127,12 @@ func (p *IdTokenGrantParams) getProvider(ctx context.Context, config *conf.Globa
 		return nil, false, "", nil, apierrors.NewBadRequestError(apierrors.ErrorCodeProviderDisabled, fmt.Sprintf("Provider (issuer %q) is not enabled", issuer))
 	}
 
-	oidcProvider, err := oidc.NewProvider(ctx, issuer)
+	oidcCtx := ctx
+	if providerType == "apple" {
+		oidcCtx = oidc.InsecureIssuerURLContext(ctx, issuer)
+	}
+
+	oidcProvider, err := oidc.NewProvider(oidcCtx, issuer)
 	if err != nil {
 		return nil, false, "", nil, err
 	}

Original file line number	Diff line number	Diff line change
`@@ -127,7 +127,12 @@ func (p IdTokenGrantParams) getProvider(ctx context.Context, config conf.Globa`
`127`	`127`	`return nil, false, "", nil, apierrors.NewBadRequestError(apierrors.ErrorCodeProviderDisabled, fmt.Sprintf("Provider (issuer %q) is not enabled", issuer))`
`128`	`128`	`}`
`129`	`129`
`130`		`- oidcProvider, err := oidc.NewProvider(ctx, issuer)`
	`130`	`+ oidcCtx := ctx`
	`131`	`+ if providerType == "apple" {`
	`132`	`+ oidcCtx = oidc.InsecureIssuerURLContext(ctx, issuer)`
	`133`	`+ }`
	`134`	`+`
	`135`	`+ oidcProvider, err := oidc.NewProvider(oidcCtx, issuer)`
`131`	`136`	`if err != nil {`
`132`	`137`	`return nil, false, "", nil, err`
`133`	`138`	`}`