OpenID Providers supporting Discovery MUST make a JSON document available at the path formed by concatenating the string /.well-known/openid-configuration to the Issuer.
We've seen this check regularly catch problems when users are referring to a provider through a DNS name alternative to the provider value, e.g. #121.
What do the OneLogin docs say in this case? Are they actually recommending using a value different than the issuer? What's the iss field for ID tokens issued for this provider?
We're running into an error because our Provider hosts multiple .well-known endpoints, but they all share the same issuer.
Ex.
https://cogolabs.onelogin.com/oidc/.well-known/openid-configuration
Has an issuer of
"https://openid-connect.onelogin.com/oidc"
This specific check in go-oidc/oidc.go (line 114 in a4973d9):
    if p.Issuer != issuer
We believe this is a bug because there's nothing in the OIDC spec that requires that these be on the same domain. The only requirement is that
The issuer returned by discovery MUST exactly match the value of iss in the ID Token.
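The behaviour debated in this thread, reproduced as an added example that is not part of the issue or of go-oidc's code: a provider whose discovery document is reachable under more than one URL but declares a single issuer passes the exact-match check only when the client is configured with that declared issuer. The names `discover` and `demo`, the `/tenant/oidc` path and the local test server are assumptions made for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

const wellKnown = "/.well-known/openid-configuration"

// discover is a hypothetical helper (not go-oidc's API): it fetches
// issuer + wellKnown and requires the document's "issuer" to equal issuer.
func discover(c *http.Client, issuer string) (string, error) {
	resp, err := c.Get(strings.TrimSuffix(issuer, "/") + wellKnown)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return "", fmt.Errorf("discovery: %s", resp.Status)
	}
	var doc struct{ Issuer string `json:"issuer"` }
	if err := json.NewDecoder(resp.Body).Decode(&doc); err != nil {
		return "", err
	}
	if doc.Issuer != issuer {
		return doc.Issuer, fmt.Errorf("issuer mismatch: asked %q, got %q", issuer, doc.Issuer)
	}
	return doc.Issuer, nil
}

// demo runs a constructed local provider that answers on every path and
// always declares <base>/oidc as issuer, then discovers via both URLs.
func demo() (canonicalErr, aliasErr error) {
	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		json.NewEncoder(w).Encode(map[string]string{"issuer": "http://" + r.Host + "/oidc"})
	}))
	defer srv.Close()
	_, canonicalErr = discover(srv.Client(), srv.URL+"/oidc")
	_, aliasErr = discover(srv.Client(), srv.URL+"/tenant/oidc")
	return
}

func main() {
	fmt.Println(demo())
}
```

The mismatch error carries both values, which is what an operator needs to see whether the configured issuer is an alias of the declared one.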