oidcauthextension - do not verify issuer and issuer_url match

[hwrdthdck]

Component(s)

extension/oidcauth

Is your feature request related to a problem? Please describe.

I work in environments where the issuer_url string does not match the issue value in the well-known configuration file. The example below shows how the WebURL uses the fqdn but the issuer configured at the time uses the hostname. Currently, oidcauthextension requires both values to match in order to work. I am requesting that the dependency for both values to match be removed.

WebURL: https://myidentity.domain.com

"issuer": "myidentity",
"jwks_uri": "https://myidentity.domain.com/api/jwks",
"token_endpoint": "https://myidentity.domain.com/api/OAuth/Token",
"grant_types_supported": [
"client_credentials"
],
"token_endpoint_auth_methods_supported": [
"client_secret_basic",
"client_secret_post"
],
"id_token_signing_alg_values_supported": [
"RS256"
]

Describe the solution you'd like

Add an exception to ignore whether or not Issuer and issue_url match.

An example would be:

ignore_issuer_match: true

Describe alternatives you've considered

As shown in the Additional Context field, allow verification to be based on fqdn or hostname, remove the protocol (https://) from the verification.

Additional context

Error: failed to start extensions: failed to get configuration from the auth server: oidc: issuer did not match the issuer returned by provider, expected "https://MySecurity" got "MySecurity"

[github-actions]

Pinging code owners:

• extension/oidcauth: @jpkrohling

See Adding Labels via Comments if you do not have permissions to add labels yourself.

[jpkrohling]

Duplicate of #36568.

[hwrdthdck]

I disagree that this is duplicative. Issue 36568 does not address my issue where the issuer_url does not match the issue value in the well-known config file. I am requesting a way to ignore the alignment of Issuer_url with Issuer. Reference the line 13 of config.go where IssuerURL is set to the base URL for the oidc provider. The linked solution ignores the audience, I'm asking that check to verify issuer and issuer_url match be ignored I believe this should be reopened Darryl

…

On Sat, Feb 8, 2025 at 12:04 PM Juraci Paixão Kröhling < ***@***.***> wrote: Duplicate of #36568 <#36568> . — Reply to this email directly, view it on GitHub <#37780 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ACZOKB5VMZIRV3WXVNH64KT2OY2IVAVCNFSM6AAAAABWWPHPVOVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDMNBVHA2DMMJRGY> . You are receiving this because you authored the thread.Message ID: <open-telemetry/opentelemetry-collector-contrib/issues/37780/2645846116@ github.com>

[hwrdthdck]

Component

Duplicate of #36568.

#37780 is not asking for the same exception as #36568; I am asking that the check to verify issuer and issuer_url match have an option to be ignored.