puppetlabs / vault-plugin-secrets-oauthapp

OAuth 2.0 secrets plugin for HashiCorp Vault supporting a variety of grant types
Apache License 2.0
94 stars 10 forks

Add discovery_url #15

Closed: DrDaveD closed this 3 years ago

DrDaveD commented 4 years ago

I made a mistake in specifying a specific token_url and it was hard to track down. A discovery_url is harder to mess up if the token issuer supports the .well-known/openid-configuration. The discovery url is also the type of url used by vault-plugin-auth-jwt, so it works better for those of us who are using both plugins.

DrDaveD commented 3 years ago

I updated the commit message and added a fix to use OptionError when NewProvider fails to work on the discovery_url option.

impl commented 3 years ago

One other thought I had after I stepped away from this for a second... would it make sense for the auth_code_url and token_url to override what comes back from discovery if you specify both, rather than being mutually exclusive? I'm not super familiar with OIDC Discovery so if that doesn't make any sense I'll be happy to get this in as-is. :) Thanks!

DrDaveD commented 3 years ago

No, I don't think it makes a lot of sense to specify one or both of auth_code_url and token_url if discovery_url was specified. I think people would only do that by mistake. There is some overhead to using discovery_url (an extra round-trip), so I think if people want to specify the specific urls they shouldn't specify the discovery_url.
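The mutual-exclusion rule DrDaveD describes, together with the OptionError path for a bad discovery_url, as an added Go example that is not the plugin's own code. It assumes discovery_url is the issuer URL (as in vault-plugin-auth-jwt), that OptionError is a plain error type (the PR only names it), and that the fetch callback stands in for the HTTP client.

```go
package main

import (
	"encoding/json"
	"strings"
)

// Endpoints holds the two URLs the plugin needs for the authorization code grant.
type Endpoints struct{ AuthCodeURL, TokenURL string }

// OptionError marks a configuration mistake (hypothetical; the PR only names the type).
type OptionError struct{ Msg string }

func (e *OptionError) Error() string { return e.Msg }

// ResolveEndpoints applies the rule from the thread: discovery_url is mutually exclusive
// with auth_code_url/token_url, and any discovery failure surfaces as an OptionError so a
// typo is caught at configuration time, not at the first token exchange. fetch is injected
// so the example runs offline.
func ResolveEndpoints(discoveryURL, authCodeURL, tokenURL string,
	fetch func(url string) ([]byte, error)) (Endpoints, error) {
	if discoveryURL == "" {
		if authCodeURL == "" || tokenURL == "" {
			return Endpoints{}, &OptionError{"auth_code_url and token_url are required when discovery_url is not set"}
		}
		return Endpoints{authCodeURL, tokenURL}, nil
	}
	if authCodeURL != "" || tokenURL != "" {
		return Endpoints{}, &OptionError{"discovery_url cannot be combined with auth_code_url or token_url"}
	}
	// Assumption: discovery_url is the issuer URL, as in vault-plugin-auth-jwt, and the
	// well-known path is appended here (go-oidc's NewProvider does likewise).
	issuer := strings.TrimSuffix(discoveryURL, "/")
	body, err := fetch(issuer + "/.well-known/openid-configuration")
	if err != nil {
		return Endpoints{}, &OptionError{"discovery_url: " + err.Error()}
	}
	var doc struct {
		Issuer                string `json:"issuer"`
		AuthorizationEndpoint string `json:"authorization_endpoint"`
		TokenEndpoint         string `json:"token_endpoint"`
	}
	if err := json.Unmarshal(body, &doc); err != nil {
		return Endpoints{}, &OptionError{"discovery_url: invalid discovery document: " + err.Error()}
	}
	// Reject a document claiming another issuer or lacking endpoints: the plugin must not be steered elsewhere.
	if strings.TrimSuffix(doc.Issuer, "/") != issuer || doc.AuthorizationEndpoint == "" || doc.TokenEndpoint == "" {
		return Endpoints{}, &OptionError{"discovery_url: issuer mismatch or missing endpoints in discovery document"}
	}
	return Endpoints{doc.AuthorizationEndpoint, doc.TokenEndpoint}, nil
}
```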

impl commented 3 years ago

Makes sense!