fix(custom-oidc): strip trailing slashes from issuer (#2570)

cemalkilic · web-flow · commit 169ad67533cc · 2026-06-08T16:19:41.000+02:00
## What kind of change does this PR introduce? Bug fix ## summary Fixes `GetDiscoveryURL` constructing a malformed URL (e.g. `https://example.com//.well-known/openid-configuration`) when the configured OIDC issuer has a trailing slash.
diff --git a/internal/models/custom_oauth_provider.go b/internal/models/custom_oauth_provider.go
@@ -4,6 +4,7 @@ import (
 	"database/sql"
 	"database/sql/driver"
 	"encoding/json"
+	"strings"
 	"time"
 
 	"github.com/gobuffalo/pop/v6/slices"
@@ -134,7 +135,7 @@ func (p *CustomOAuthProvider) GetDiscoveryURL() string {
 		return *p.DiscoveryURL
 	}
 
-	return *p.Issuer + "/.well-known/openid-configuration"
+	return strings.TrimRight(*p.Issuer, "/") + "/.well-known/openid-configuration"
 }
 
 // SetDiscoveryCache stores a validated OIDC discovery document and records the cache time.
diff --git a/internal/models/custom_oauth_provider_test.go b/internal/models/custom_oauth_provider_test.go
@@ -451,6 +451,41 @@ func (ts *CustomOAuthProviderTestSuite) TestClientSecretRoundTripThroughDB() {
 	assert.Equal(ts.T(), secret, decrypted)
 }
 
+func TestGetDiscoveryURLStripsTrailingSlashes(t *testing.T) {
+	tests := []struct {
+		name     string
+		issuer   string
+		expected string
+	}{
+		{
+			name:     "no trailing slash",
+			issuer:   "https://example.com",
+			expected: "https://example.com/.well-known/openid-configuration",
+		},
+		{
+			name:     "single trailing slash",
+			issuer:   "https://example.com/",
+			expected: "https://example.com/.well-known/openid-configuration",
+		},
+		{
+			name:     "multiple trailing slashes",
+			issuer:   "https://example.com///",
+			expected: "https://example.com/.well-known/openid-configuration",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			issuer := tt.issuer
+			provider := &CustomOAuthProvider{
+				ProviderType: ProviderTypeOIDC,
+				Issuer:       &issuer,
+			}
+			assert.Equal(t, tt.expected, provider.GetDiscoveryURL())
+		})
+	}
+}
+
 // Helper functions
 
 func (ts *CustomOAuthProviderTestSuite) createTestProvider(providerType ProviderType, identifier string) *CustomOAuthProvider {

Original file line number	Diff line number	Diff line change
`@@ -4,6 +4,7 @@ import (`
`4`	`4`	`"database/sql"`
`5`	`5`	`"database/sql/driver"`
`6`	`6`	`"encoding/json"`
	`7`	`+ "strings"`
`7`	`8`	`"time"`
`8`	`9`
`9`	`10`	`"github.com/gobuffalo/pop/v6/slices"`
`@@ -134,7 +135,7 @@ func (p *CustomOAuthProvider) GetDiscoveryURL() string {`
`134`	`135`	`return *p.DiscoveryURL`
`135`	`136`	`}`
`136`	`137`
`137`		`- return *p.Issuer + "/.well-known/openid-configuration"`
	`138`	`+ return strings.TrimRight(*p.Issuer, "/") + "/.well-known/openid-configuration"`
`138`	`139`	`}`
`139`	`140`
`140`	`141`	`// SetDiscoveryCache stores a validated OIDC discovery document and records the cache time.`