Description
Component(s)
extension/oidcauth
Is your feature request related to a problem? Please describe.
I work in environments where the issuer_url string does not match the issuer value in the well-known configuration file. The example below shows how the WebURL uses the FQDN but the issuer configured at the time uses the hostname. Currently, oidcauthextension requires both values to match in order to work. I am requesting that the dependency for both values to match be removed.
This IS NOT the same request as #36568
WebURL: https://myidentity.domain.com

```
"issuer": "myidentity",
"jwks_uri": "https://myidentity.domain.com/api/jwks",
"token_endpoint": "https://myidentity.domain.com/api/OAuth/Token",
"grant_types_supported": [
    "client_credentials"
],
"token_endpoint_auth_methods_supported": [
    "client_secret_basic",
    "client_secret_post"
],
"id_token_signing_alg_values_supported": [
    "RS256"
]
```
Describe the solution you'd like
Add an option to ignore whether or not the discovered issuer and the configured issuer_url match.
An example would be:

```yaml
ignore_issuer_match: true
```
Describe alternatives you've considered
As shown in the Additional context section, allow verification to be based on either the FQDN or the bare hostname, and drop the protocol (https://) from the comparison.
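Added illustration of the alternative described above, written for this request and not taken from the oidcauth extension: a hostname/FQDN issuer comparison beside today's exact match, plus the guard a relaxed mode should keep (the jwks_uri must stay on the issuer_url host). The function names and the constructed well-known document are assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
	"strings"
)

// discovery is the subset of the well-known document the check needs.
type discovery struct {
	Issuer  string `json:"issuer"`
	JWKSURI string `json:"jwks_uri"`
}

// issuerMatches is the issuer_url check. strict is today's behaviour (exact
// match); relaxed mode drops the scheme and accepts the FQDN or the bare
// hostname of issuer_url, the alternative described in the request.
func issuerMatches(configured, returned string, strict bool) bool {
	if configured == returned {
		return true
	}
	u, err := url.Parse(configured)
	if strict || err != nil || u.Hostname() == "" {
		return false
	}
	got := strings.TrimSuffix(strings.TrimPrefix(strings.TrimPrefix(returned, "https://"), "http://"), "/")
	short, _, _ := strings.Cut(u.Hostname(), ".")
	return strings.EqualFold(got, u.Hostname()) || strings.EqualFold(got, short)
}

// checkDiscovery applies the issuer check to a well-known document fetched from
// issuerURL. Even relaxed it rejects a jwks_uri on another host, so loosening
// the comparison cannot move key fetching elsewhere; the token verifier must
// still compare the iss claim with the returned Issuer, not with issuer_url.
func checkDiscovery(issuerURL string, doc []byte, strict bool) (*discovery, error) {
	var d discovery
	if err := json.Unmarshal(doc, &d); err != nil {
		return nil, err
	}
	if !issuerMatches(issuerURL, d.Issuer, strict) {
		return nil, fmt.Errorf("oidc: issuer did not match the issuer returned by provider, expected %q got %q", issuerURL, d.Issuer)
	}
	cfg, _ := url.Parse(issuerURL)
	jwks, err := url.Parse(d.JWKSURI)
	if err != nil || !strings.EqualFold(jwks.Hostname(), cfg.Hostname()) {
		return nil, fmt.Errorf("jwks_uri %q is not on issuer_url host %q", d.JWKSURI, cfg.Hostname())
	}
	return &d, nil
}
```

With the document quoted above, strict mode returns the same error as in the Additional context section, while relaxed mode accepts "myidentity" for https://myidentity.domain.com but still refuses a jwks_uri on any other host.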
Additional context
```
Error: failed to start extensions: failed to get configuration from the auth server: oidc: issuer did not match the issuer returned by provider, expected "https://MySecurity" got "MySecurity"
```