Open jer8me opened 2 months ago
> The issuer returned by the OIDC Discovery Provider should match the one configured in the server.
This is the biggest sticking point for me on why this should be configurable.
We'd accept a change here.
I talked to @jer8me about this issue. We were thinking that we could add an optional configuration item in the OIDC provider to set the `jwt_issuer`. If missing, we would keep the existing behavior, but if set, we could use it as the `jwt_issuer`, bypassing the dynamic logic. If this sounds good, could you please assign this issue to me?
Sounds great. Thanks @aluthra-37 .
@aluthra-37, I have a need to resolve this too. Do you have time to work on this soon? If not, would you mind if I write up a pr for it?
Hey @kfox1111. I'm currently working on a PR for this. I should have one out soon
The issuer returned by the OIDC Discovery Provider is currently dynamically built based on the request host: https://github.com/spiffe/spire/blob/v1.10.3/support/oidc-discovery-provider/handler.go#L66
There are a couple of issues with this approach:
1. Only host-based issuers are supported. We cannot use a path component to support multiple issuers per host. For instance:
2. If the OIDC Discovery Provider service is reachable via more than one host, it will return a different issuer based on the host used for the request. This does not really make sense from an OIDC point of view because a SPIRE server is configured with exactly one `jwt_issuer`. The issuer returned by the OIDC Discovery Provider should match the one configured in the server.
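To make the two behaviours discussed in this thread concrete (the host-derived issuer described in the issue body, and the optional override proposed by @aluthra-37 above), here is a small added example. It is not code from SPIRE or from anyone in this thread: the `Config` struct, the `DynamicIssuer`, `Issuer`, `Consistent` and `FetchIssuer` functions and the sample hosts are all assumptions made for illustration, and the host-derived logic is reduced to "https:// plus the request Host header", which is a simplification of what handler.go actually does.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Config stands in for the two knobs discussed in the thread. Field names are
// assumptions for this example, not SPIRE's configuration schema.
type Config struct {
	ServerJWTIssuer string // the SPIRE server's jwt_issuer
	DiscoveryIssuer string // proposed optional override; empty keeps the dynamic behaviour
}

// DynamicIssuer models the host-derived behaviour the issue complains about:
// the issuer is built from the request's Host header, so it changes with the
// host used to reach the service and can never carry a path component.
func DynamicIssuer(r *http.Request) string {
	return "https://" + r.Host
}

// Issuer returns the configured override when present and otherwise falls
// back to the dynamic value, which is the change proposed in the thread.
func Issuer(cfg Config, r *http.Request) string {
	if cfg.DiscoveryIssuer != "" {
		return strings.TrimRight(cfg.DiscoveryIssuer, "/")
	}
	return DynamicIssuer(r)
}

// Consistent reports whether an advertised issuer matches the server's
// jwt_issuer. A relying party that checks a JWT-SVID's "iss" claim against
// the discovery document will reject the token when these disagree.
func Consistent(cfg Config, issuer string) bool {
	return strings.TrimRight(cfg.ServerJWTIssuer, "/") == issuer
}

// DiscoveryHandler serves a minimal openid-configuration document whose
// issuer and jwks_uri are derived by Issuer.
func DiscoveryHandler(cfg Config) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		iss := Issuer(cfg, r)
		doc := map[string]string{
			"issuer":   iss,
			"jwks_uri": iss + "/keys",
		}
		w.Header().Set("Content-Type", "application/json")
		_ = json.NewEncoder(w).Encode(doc)
	})
}

// FetchIssuer sends a discovery request with the given Host header to the
// handler (in-process, no network) and returns the issuer it advertises.
func FetchIssuer(cfg Config, host string) (string, error) {
	req := httptest.NewRequest(http.MethodGet, "/.well-known/openid-configuration", nil)
	req.Host = host
	rec := httptest.NewRecorder()
	DiscoveryHandler(cfg).ServeHTTP(rec, req)
	var doc struct {
		Issuer string `json:"issuer"`
	}
	if err := json.NewDecoder(rec.Body).Decode(&doc); err != nil {
		return "", err
	}
	return doc.Issuer, nil
}

func main() {
	// Constructed sample values: a server issuer with a path component and two
	// hostnames through which the same discovery provider is reachable.
	server := "https://oidc.example.org/spire"
	hosts := []string{"oidc.example.org", "oidc-internal.example.org"}

	for _, cfg := range []Config{
		{ServerJWTIssuer: server},                          // current dynamic behaviour
		{ServerJWTIssuer: server, DiscoveryIssuer: server}, // proposed override
	} {
		for _, h := range hosts {
			iss, err := FetchIssuer(cfg, h)
			if err != nil {
				panic(err)
			}
			fmt.Printf("override=%q host=%s -> issuer=%s consistent=%v\n",
				cfg.DiscoveryIssuer, h, iss, Consistent(cfg, iss))
		}
	}
}
```

Run as-is, the dynamic configuration prints a different issuer for each host and neither matches the server's `jwt_issuer` (the `/spire` path cannot be recovered from a Host header); with the override set, both hosts advertise the configured issuer and pass the consistency check.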