Open c00crane opened 5 years ago
Is there a simple work around for this that I am missing? Or didn't really anyone else run into this for 3 years?
Right now, if you deploy this on a regular port, i.e. 443 for https, it will drop the port in one part but still use it in another, which in turn results in a verification failure:
[11/19/21, 11:39:27:273 UTC] 0000004b .ibm.ws.security.openidconnect.client.jose4j.util.Jose4jUtil E CWWKS1706E: The OpenID Connect client [1] failed to validate the ID token due to [CWWKS1751E: Validation failed for the ID token requested by [1] because the (iss) issuer [https://hostname:443/oidc/endpoint/OP] specified in the token does not match the [issuerIdentifier] attribute [https://hostname/oidc/endpoint/OP] for the provider specified in the OpenID Connect client configuration. Check the issuerIdentifier attribute on the client configuration.].
Edit:
After some more search I did find the "simple workaround": you need to specify the issuerIdentifier on your openidConnectProvider so it looks something like the following.

```xml
<openidConnectProvider id="OP"
    issuerIdentifier="https://hostname:443/oidc/endpoint/OP"
>
</openidConnectProvider>
```
The current oauth/oidc code is creating tokens with an issuerIdentifier such as:
`https://<host>.com:<port>/oidc/endpoint/OidcConfigSample`
while the discovery code is creating an issuerIdentifier of:
`https://<host>.com/oidc/endpoint/OidcConfigSample`
When we validate the token, that will obviously fail as the values are NOT the same. We should be building the token as is appropriate for the env that we're running in - in my case within OKD, my route does not include the port.
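A small diagnostic for this class of failure, added here as an example and not part of Liberty or this issue thread: it pulls `iss` out of an ID token, compares it exactly against the configured issuerIdentifier (as the OIDC client must), and, on a mismatch, reports whether the only difference is an explicit default port such as `:443`. The token and URLs are constructed sample values.

```python
import base64
import json
from urllib.parse import urlsplit

# Default ports per scheme (RFC 3986); an explicit ":443" on https is the
# kind of difference that produced the CWWKS1751E mismatch above.
DEFAULT_PORTS = {"https": 443, "http": 80}


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url JWT segment, restoring the stripped padding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_issuer(token: str) -> str:
    """Return the iss claim of a compact JWT. The signature is not checked here;
    a real client verifies it before trusting any claim."""
    payload = json.loads(b64url_decode(token.split(".")[1]))
    return payload["iss"]


def strip_default_port(url: str) -> str:
    """Drop an explicit default port (https://h:443 -> https://h) for diagnosis only."""
    u = urlsplit(url)
    if u.port is not None and u.port == DEFAULT_PORTS.get(u.scheme):
        return u._replace(netloc=u.netloc.rsplit(":", 1)[0]).geturl()
    return url


def diagnose(token_iss: str, configured_issuer: str) -> dict:
    """Exact-match check as OIDC Core requires, plus a hint when the two values
    differ only by an explicit default port (the case reported in this issue)."""
    exact = token_iss == configured_issuer
    port_only = (not exact) and (
        strip_default_port(token_iss) == strip_default_port(configured_issuer)
    )
    return {"match": exact, "default_port_only": port_only}


def make_sample_token(claims: dict) -> str:
    """Constructed, unsigned sample token used only to exercise jwt_issuer()."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256'})}.{enc(claims)}.placeholder-signature"


# Constructed values mirroring the log line: token says :443, config omits it.
SAMPLE_TOKEN = make_sample_token({"iss": "https://hostname:443/oidc/endpoint/OP"})
CONFIGURED_ISSUER = "https://hostname/oidc/endpoint/OP"

if __name__ == "__main__":
    print(diagnose(jwt_issuer(SAMPLE_TOKEN), CONFIGURED_ISSUER))
```

When `default_port_only` is true the client is behaving correctly and the fix belongs on the provider side: either set `issuerIdentifier` explicitly, as the workaround above does, or have the OP build the same issuer string that discovery publishes.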