Issuer should not support path component

[jgrandja]

The issuer setting, if supplied via AuthorizationServerSettings.getIssuer(), should not support a path component.

With the current and all previous versions, if AuthorizationServerSettings.getIssuer() was explicitly set with https://provider.com/issuer1, the protocol endpoint URI's returned by OidcProviderConfigurationEndpointFilter and OAuth2AuthorizationServerMetadataEndpointFilter would all be incorrect. For example, token_endpoint would be https://provider.com/issuer1/oauth2/token, which would not resolve for the client since the token endpoint matches on /oauth2/token (by default) and not /issuer1/oauth2/token.

This fix should add a validation preventing a path component for issuer.

NOTE: The path component enables supporting multiple issuers per host for multi-tenant configurations. This enhancement request is being tracked in gh-1342.

Related gh-1419 gh-1416

[wheredoipressnow]

Hello @jgrandja, could you please elaborate on how to deal with an authorization server that has server.servlet.context-path configured? With this change the metadata no longer contains the correct path.

[rd-marc-lehnert]

Hello @jgrandja, we just tried to upgrade our authorization server which is behind a proxy under a different path with the
issuer: https://server.domain/auth and a reverse proxy pointing https://server.domain/auth to http://backend-service. This setup now no longer works because the server does not start (Path component for issuer (...) is currently not supported). This prevents us from upgrading to Version 1.2.

[jonkjenn]

We also are affected by this and have to find a workaround to be able to upgrade. We currently hard code paths like this.

    AuthorizationServerSettings.builder()
            .issuer(issuer)
            .authorizationEndpoint("$basePath/oauth2/auth")
            .tokenEndpoint("$basePath/oauth2/token")
            .jwkSetEndpoint("$basePath/.well-known/jwks.json")

[jgrandja]

@rd-marc-lehnert @jonkjenn I'm not sure how you were even able to get it working with a path component? As mentioned in the main issue:

With the current and all previous versions, if AuthorizationServerSettings.getIssuer() was explicitly set with https://provider.com/issuer1, the protocol endpoint URI's returned by OidcProviderConfigurationEndpointFilter and OAuth2AuthorizationServerMetadataEndpointFilter would all be incorrect. For example, token_endpoint would be https://provider.com/issuer1/oauth2/token, which would not resolve for the client since the token endpoint matches on /oauth2/token (by default) and not /issuer1/oauth2/token.

If you apply the patch issuer-path.patch to main, you will see that the default-authorizationserver sample does not work. Try accessing http://localhost:9000/auth/.well-known/openid-configuration and you will get a 404.

issuer-path.patch

However, if you require a path component in your current setup, then you can configure server.servlet.context-path to achieve the same. If you apply the patch context-path.patch to main, you will be able to access http://localhost:9000/auth/.well-known/openid-configuration and the issuer identifier will dynamically resolve to http://localhost:9000/auth.

context-path.patch

Hope this helps?

[rd-marc-lehnert]

Hi @jgrandja ,thanks for the hints, I will try that on Monday. Regarding your question how we got it working: sure, standalone the uris might be inconsistent. What matters is the outside perspective with the proxy in place. And this way everything works properly.