fix(api): default OIDC discovery issuer to API_EXTERNAL_URL

The /.well-known/openid-configuration handler used config.JWT.Issuer
unconditionally, returning an empty issuer and relative endpoint URLs
for self-hosted operators who configure API_EXTERNAL_URL but leave
GOTRUE_JWT_ISSUER unset. That violates OpenID Connect Discovery 1.0
section 4.2 (issuer MUST be present) and RFC 8414 section 3 (endpoint
URLs MUST be absolute).

Default issuer to config.API.ExternalURL when JWT.Issuer is empty;
API.ExternalURL is required:"true" in the config struct so it is
always populated. Also use the trailing-slash-stripped local variable
when returning the Issuer field so it matches how endpoint URLs are
constructed.

Adds in-process tests asserting that issuer and endpoint URLs are
absolute when JWT.Issuer is empty, and that a trailing slash on a
configured JWT.Issuer is stripped consistently from the issuer field.

Fixes #2487

Signed-off-by: Manas Srivastava <mastermanas805@gmail.com>

Author: mastermanas805

internal/api/jwks.go

@@ -66,14 +66,17 @@ type OpenIDConfigurationResponse struct {
 func (a *API) WellKnownOpenID(w http.ResponseWriter, r *http.Request) error {
 	config := a.config
 	issuer := config.JWT.Issuer
+	if issuer == "" {
+		issuer = config.API.ExternalURL
+	}
 
 	// Ensure issuer doesn't end with a slash to avoid double slashes in URLs
 	for len(issuer) > 0 && issuer[len(issuer)-1] == '/' {
 		issuer = issuer[:len(issuer)-1]
 	}
 
 	response := OpenIDConfigurationResponse{
-		Issuer:                config.JWT.Issuer,
+		Issuer:                issuer,
 		AuthorizationEndpoint: issuer + "/oauth/authorize",
 		TokenEndpoint:         issuer + "/oauth/token",
 		JWKSURL:               issuer + "/.well-known/jwks.json",

internal/api/jwks_test.go

@@ -6,6 +6,7 @@ import (
 	"encoding/json"
 	"net/http"
 	"net/http/httptest"
+	"strings"
 	"testing"
 
 	"github.com/lestrrat-go/jwx/v2/jwk"
@@ -77,3 +78,47 @@ func TestJwks(t *testing.T) {
 		})
 	}
 }
+
+func TestWellKnownOpenIDIssuerFallbackToExternalURL(t *testing.T) {
+	mockAPI, _, err := setupAPIForTest()
+	require.NoError(t, err)
+
+	mockAPI.config.JWT.Issuer = ""
+	mockAPI.config.API.ExternalURL = "https://auth.example.com"
+
+	req := httptest.NewRequest(http.MethodGet, "/.well-known/openid-configuration", nil)
+	w := httptest.NewRecorder()
+	mockAPI.handler.ServeHTTP(w, req)
+	require.Equal(t, http.StatusOK, w.Code)
+
+	var resp OpenIDConfigurationResponse
+	require.NoError(t, json.NewDecoder(w.Body).Decode(&resp))
+
+	require.Equal(t, "https://auth.example.com", resp.Issuer)
+	require.True(t, strings.HasPrefix(resp.AuthorizationEndpoint, "https://auth.example.com/"), "authorization_endpoint should be absolute, got %q", resp.AuthorizationEndpoint)
+	require.True(t, strings.HasPrefix(resp.TokenEndpoint, "https://auth.example.com/"), "token_endpoint should be absolute, got %q", resp.TokenEndpoint)
+	require.True(t, strings.HasPrefix(resp.JWKSURL, "https://auth.example.com/"), "jwks_uri should be absolute, got %q", resp.JWKSURL)
+	require.True(t, strings.HasPrefix(resp.UserInfoEndpoint, "https://auth.example.com/"), "userinfo_endpoint should be absolute, got %q", resp.UserInfoEndpoint)
+}
+
+func TestWellKnownOpenIDIssuerStripsTrailingSlash(t *testing.T) {
+	mockAPI, _, err := setupAPIForTest()
+	require.NoError(t, err)
+
+	mockAPI.config.JWT.Issuer = "https://auth.example.com/"
+	mockAPI.config.API.ExternalURL = "https://something-else.example.com"
+
+	req := httptest.NewRequest(http.MethodGet, "/.well-known/openid-configuration", nil)
+	w := httptest.NewRecorder()
+	mockAPI.handler.ServeHTTP(w, req)
+	require.Equal(t, http.StatusOK, w.Code)
+
+	var resp OpenIDConfigurationResponse
+	require.NoError(t, json.NewDecoder(w.Body).Decode(&resp))
+
+	require.Equal(t, "https://auth.example.com", resp.Issuer)
+	require.Equal(t, "https://auth.example.com/oauth/authorize", resp.AuthorizationEndpoint)
+	require.Equal(t, "https://auth.example.com/oauth/token", resp.TokenEndpoint)
+	require.Equal(t, "https://auth.example.com/.well-known/jwks.json", resp.JWKSURL)
+	require.Equal(t, "https://auth.example.com/oauth/userinfo", resp.UserInfoEndpoint)
+}