Closed DrDaveD closed 3 years ago
I updated the commit message and added a Fix to use OptionError when NewProvider fails to work on the discovery_url option.
One other thought I had after I stepped away from this for a second... would it make sense for the auth_code_url and token_url to override what comes back from discovery if you specify both, rather than being mutually exclusive? I'm not super familiar with OIDC Discovery so if that doesn't make any sense I'll be happy to get this in as-is. :) Thanks!
No I don't think it makes a lot of sense to specify one or both of auth_code_url and token_url if discovery_url was specified. I think people would only do that by mistake. There is some overhead to use discovery_url, an extra round-trip, so I think if people want to specify the specific urls they shouldn't specify the discovery_url.
Makes sense!
I made a mistake on specifying a specific token_url and it was hard to track down. A discovery_url is harder to mess up if the token issuer supports the .well-known/openid-configuration. The discovery url is also the type of url used by vault-plugin-auth-jwt so it works better for those of us who are using both plugins.
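As an added illustration of the option rule agreed in this thread (example code, not the plugin's own; `Options`, `ResolveEndpoints` and `ErrConflictingOptions` are assumed names), a Go resolver that rejects discovery_url combined with explicit URLs and otherwise takes the endpoints from a .well-known/openid-configuration document:

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// Options holds the three URL options discussed in the thread (assumed field names).
type Options struct {
	DiscoveryURL string
	AuthCodeURL  string
	TokenURL     string
}

// ErrConflictingOptions stands in for the OptionError raised when both styles are set.
var ErrConflictingOptions = errors.New("discovery_url is mutually exclusive with auth_code_url and token_url")

// ResolveEndpoints picks the authorization and token endpoints. discoveryDoc is the
// JSON body of <issuer>/.well-known/openid-configuration, passed in so this runs offline.
func ResolveEndpoints(o Options, discoveryDoc []byte) (string, string, error) {
	explicit := o.AuthCodeURL != "" || o.TokenURL != ""
	switch {
	case o.DiscoveryURL != "" && explicit:
		return "", "", ErrConflictingOptions
	case o.DiscoveryURL != "":
		var doc struct {
			AuthorizationEndpoint string `json:"authorization_endpoint"`
			TokenEndpoint         string `json:"token_endpoint"`
		}
		if err := json.Unmarshal(discoveryDoc, &doc); err != nil {
			return "", "", fmt.Errorf("parse discovery document: %w", err)
		}
		if doc.AuthorizationEndpoint == "" || doc.TokenEndpoint == "" {
			return "", "", errors.New("discovery document lacks authorization_endpoint or token_endpoint")
		}
		return doc.AuthorizationEndpoint, doc.TokenEndpoint, nil
	case o.AuthCodeURL != "" && o.TokenURL != "":
		return o.AuthCodeURL, o.TokenURL, nil
	default:
		return "", "", errors.New("set discovery_url, or both auth_code_url and token_url")
	}
}

func main() {
	// Constructed sample discovery document; a real one is fetched from the issuer.
	doc := []byte(`{"authorization_endpoint":"https://issuer.example/auth","token_endpoint":"https://issuer.example/token"}`)
	fmt.Println(ResolveEndpoints(Options{DiscoveryURL: "https://issuer.example/.well-known/openid-configuration"}, doc))
}
```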