Open ID Connect issuer URI "cleanup" before discovery breaks issuer URI matching

[denisw]

Summary

When doing OpenID Connect issuer discovery, Spring Security removes any trailing slash from the issuer URI before appending /.well-known/openid-configuration, as mandated by the spec. However, after having fetched the configuration, the the returned configuration's issuer URI matched against the "cleaned up" version of the issue URI, rather than the the originally provided one.

This is problematic if the canonical issuer URI has a trailing space (e.g., https://auth.example.com/).

Actual Behavior

java.lang.IllegalStateException: The Issuer "https://auth.example.com/" provided in the OpenID Configuration did not match the requested issuer "https://auth.example.com"

Note that the "requested issuer" always lacks the trailing slash, even if it was explicitly specified with trailing slash in the configuration.

Expected Behavior

No error, as the issuer URI returned by the configuration endpoint and the one provided in the application configuration are actually the same.

Details

OAuth2ClientPropertiesRegistrationAdapter.java has the following code:

String issuer = provider.getIssuerUri();
if (issuer != null) {
    String cleanedIssuer = cleanIssuerPath(issuer);
    Builder builder = ClientRegistrations
            .fromOidcIssuerLocation(cleanedIssuer)
            .registrationId(registrationId);
    return getBuilder(builder, provider);
}

And in fromOidcIssuerLocation():

String openidConfiguration = getOpenidConfiguration(issuer);
OIDCProviderMetadata metadata = parse(openidConfiguration);
String metadataIssuer = metadata.getIssuer().getValue();
if (!issuer.equals(metadataIssuer)) {
    throw new IllegalStateException("The Issuer \"" + metadataIssuer + "\" provided in the OpenID Configuration did not match the requested issuer \"" + issuer + "\"");
}

Because fromOidcIssuerLocation() doesn't know about the originally provided issuer URL, it matches against the cleanedIssuer, which causes the described problem. The easiest way to solve that is to do the cleanup within fromOidcIssuerLocation(), which then still has the original version available for matching.

[jgrandja]

Thanks for the report @denisw! This should be resolved via spring-boot#15324.

Are you able to test it with Boot 2.1.2 snapshot? Or you can wait until this Friday when Boot 2.1.2 will be released.

I'll leave this open until you confirm it's been fixed.

[denisw]

@jgrandja Thanks for the quick reply! Things work perfectly with the 2.1.2 snapshot. 😃 I will close the issue now.