How-to: Correctly setup issuer - how does it work with well-known ?

[colin-riddell]

It would be nice to get a guide on how the issuer works and gotchas to look out for. Eg not clear to me if the issuer actually reads from the given url's well-known location?

Related: #499

[jgrandja]

@colin-riddell This seems more of a question that a guide. Can you please provide more details on what you are looking for?

[colin-riddell]

I've had to figure out what the effect of configuring the issuer is just by trying it out and slowly finding out that, for example, the resource server tries to match its issuer against the authorization server's configured issuer and if they mismatch then it doesn't allow the resource server to start.

On reflection this is maybe more of a suggestion to include something in the documentation on the issuer. Unless this is already documented somewhere ?

[jgrandja]

@colin-riddell There is no documentation at the moment but we're starting it. I'll leave this open and we'll document it.

[everflux]

It would be great, if the location of the metadata could be configured.
I am aware that the "/.well-known" path is indeed named that way for a reason. I have a scenario where I need to decide to either change the servlet context-path or use a reverse proxy to work around the currently hardcoded metadata location in OAuth2AuthorizationServerMetadataEndpointFilter, OidcProviderConfigurationEndpointFilter and OAuth2AuthorizationServerConfigurer

[jgrandja]

@colin-riddell I still feel the comments you provided are more questions than a How-to guide.

We have documented OpenID Connect 1.0 Provider Configuration Endpoint and OAuth2 Authorization Server Metadata Endpoint. Each of the sections reference the relevant specifications so you can review them further to gain a deeper understanding of issuer.

I'm going to close this but if you have something more specific that needs documenting please comment here and we can discuss further.