Description
What happened?
The issuer field for the Tenant has misleading information regarding the issuer field value:
The named issuer used to sign tokens, this is generally your public fully qualified domain, e.g. fusionauth.io
while the OIDC specification (https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata) states that:
REQUIRED. URL using the https scheme with no query or fragment components that the OP asserts as its Issuer Identifier. If Issuer discovery is supported (see Section 2), this value MUST be identical to the issuer value returned by WebFinger. This also MUST be identical to the iss Claim value in ID Tokens issued from this Issuer.
This causes issues, e.g. with openid-client's client.discovery(...) throwing a hard-to-debug INVALID URL error as it tries to convert it to a URL object: https://github.com/panva/oauth4webapi/blob/10d46924fca362f3106c2bb689a178b21b0e3157/src/index.ts#L1328
It is easy to just use https:// with the field, but it is hard to find out the problem.
Version
1.54.0
Affects Versions
<=1.54.0
Alternatives / Workarounds
It is possible to just edit the field value to be like https://fusionauth.io.
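
The check below is an added example, not part of the original report and not code from FusionAuth or openid-client. It tests a configured issuer value against the Discovery requirements quoted above and against an ID Token's iss claim; the function names and sample values are constructed for illustration.

```javascript
// Validate an issuer value against OIDC Discovery's ProviderMetadata rules:
// https scheme, no query, no fragment. Hypothetical helper names.
function checkIssuer(issuer) {
  if (typeof issuer !== 'string') {
    return { ok: false, problems: ['issuer is not a string'] };
  }
  let url;
  try {
    // A bare domain such as "fusionauth.io" is not an absolute URL and throws here.
    url = new URL(issuer);
  } catch {
    return { ok: false, problems: ['not an absolute URL (missing scheme?)'] };
  }
  const problems = [];
  // "host:port" without a scheme parses, but with the host taken as the scheme.
  if (url.protocol !== 'https:') {
    problems.push(`scheme is "${url.protocol}" instead of "https:"`);
  }
  // A trailing bare "?" or "#" leaves search/hash empty, so check the raw string too.
  if (url.search !== '' || issuer.includes('?')) {
    problems.push('has a query component');
  }
  if (url.hash !== '' || issuer.includes('#')) {
    problems.push('has a fragment component');
  }
  return { ok: problems.length === 0, problems };
}

// The issuer must be identical to the iss claim: exact string comparison,
// no normalisation of case, trailing slash or default port.
function issuerMatchesIdToken(issuer, idTokenPayload) {
  return checkIssuer(issuer).ok && idTokenPayload.iss === issuer;
}

// Constructed sample values: the tenant help text's example, the workaround
// value, and common variants.
for (const candidate of [
  'fusionauth.io',
  'https://fusionauth.io',
  'http://fusionauth.io',
  'localhost:9011',
  'https://fusionauth.io/?tenant=1',
]) {
  const result = checkIssuer(candidate);
  console.log(candidate, '->', result.ok ? 'ok' : result.problems.join('; '));
}
```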