coreos / go-oidc

A Go OpenID Connect client.
Apache License 2.0

Bug: issuer validation breaking integration for Authentik OIDC #423

Closed JeroenoBoy closed 5 months ago

JeroenoBoy commented 5 months ago

It seems like the issuer validation breaks with Authentik OIDC. When the provided issuer url is https://auth.example.com/application/o/exampleApplication, the following error gets thrown:

oidc: issuer did not match the issuer returned by provider, expected "https://auth.example.com/application/o/exampleApplication" got "https://auth.example.com/application/o/exampleApplication/"

Basically, Authentik adds a / when requesting the .well-known/openid-configuration, which causes this error and makes me unable to add OIDC to one of the applications I use.

Of course, it's completely possible to enable "skipIssuerValidation". But I think the validation is a nice extra to have.

ericchiang commented 5 months ago

It sounds like the error message is describing the solution? Can you use the URL with the trailing slash when calling NewProvider?

JeroenoBoy commented 5 months ago

I tried that but it did not work, it kept resetting it back to https://auth.example.com/application/o/exampleApplication (I'm not sure if it's an issue with go-oidc or the application that I use)

ericchiang commented 5 months ago

go-oidc doesn't modify the URL you provide it. It sounds like this may be somewhere else in the stack then?

Closing out since it's probably not this library.

If you can provide a standalone example that shows go-oidc doing something funky, feel free to reopen. But the spec is very clear that issuer URLs must exactly match. There's no provision for removing trailing characters during the comparison.
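The exact-match rule described above, as an added stand-alone example (not go-oidc's own code): a constructed test provider advertises its issuer with a trailing slash, and a minimal re-implementation of the discovery check rejects the slash-less issuer but accepts the one that matches byte for byte. The function names and the provider stub are assumptions for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// discoveryDoc holds the one field of .well-known/openid-configuration this check cares about.
type discoveryDoc struct {
	Issuer string `json:"issuer"`
}

// checkIssuer fetches <issuer>/.well-known/openid-configuration and requires the
// advertised issuer to equal the configured one exactly, as OpenID Connect Discovery
// demands. This is a stand-in for go-oidc's check, not its code.
func checkIssuer(issuer string) error {
	resp, err := http.Get(strings.TrimSuffix(issuer, "/") + "/.well-known/openid-configuration")
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	var doc discoveryDoc
	if err := json.NewDecoder(resp.Body).Decode(&doc); err != nil {
		return err
	}
	if doc.Issuer != issuer { // no normalisation: a trailing "/" is a mismatch
		return fmt.Errorf("oidc: issuer did not match the issuer returned by provider, expected %q got %q", issuer, doc.Issuer)
	}
	return nil
}

// newTrailingSlashProvider is a constructed provider that, like Authentik in the
// report above, advertises its issuer with a trailing slash.
func newTrailingSlashProvider() *httptest.Server {
	var srv *httptest.Server
	srv = httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		json.NewEncoder(w).Encode(discoveryDoc{Issuer: srv.URL + "/application/o/exampleApplication/"})
	}))
	return srv
}

func main() {
	srv := newTrailingSlashProvider()
	defer srv.Close()
	base := srv.URL + "/application/o/exampleApplication"
	fmt.Println(checkIssuer(base))       // mismatch error: provider says ".../exampleApplication/"
	fmt.Println(checkIssuer(base + "/")) // <nil>: configured issuer matches exactly
}
```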

JeroenoBoy commented 5 months ago

Thanks for helping! I will look further then.