Example:
The expected issuer is https://example.com, but the well-known/openid-configuration reports https://example.com/ with a trailing slash.
Currently, this leads to the Err(ProviderMetadataVerificationError::IssuerUrlsDontMatch) because of this exact string match:
This is a misconfiguration by the user IMO. We're intentionally being strict as the various specs (1, 2) want you to do strict simple string matches for the issuer.
I think it should be MAS and Synapse which need to make sure the configuration is right instead of making the client less strict about this.
It doesn't help though that the apps give a cryptic error in those cases :(
I've just gone one step towards making those errors less common by including a check in the mas-cli doctor tool, with guidance to help resolve the configuration issue.
The other thing we should do is make Synapse discover the right "issuer" value instead of just outputting it as-is in the well-known
This is a misconfiguration by the user IMO. We're intentionally being strict as the various specs (1, 2) want you to do strict simple string matches for the issuer.
As far as I understand, they want you to do simple string matching of the URL after the URL has been normalized:
This comparison MUST use simple string comparison as defined in Section 6.2.1 of [RFC3986].
False negatives are caused by the production and use of URI aliases. Unnecessary aliases can be reduced, regardless of the comparison method, by consistently providing URI references in an already-normalized form (i.e., a form identical to what would be produced after normalization is applied, as described below).
Finally we look at the ways a URI can be normalized in section 6.2.3:
In general, a URI that uses the generic syntax for authority with an empty path should be normalized to a path of "/".
Referenced code: matrix-authentication-service/crates/oauth2-types/src/oidc.rs, lines 504 to 506 at commit 3d90d08.
Should the comparison ignore trailing slashes or is this a misconfiguration by the user?
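To make the two positions in this thread concrete, here is an added example (not code from matrix-authentication-service or from any commenter) that puts the strict comparison next to a comparison done after RFC 3986 syntax-based normalization. `parse_issuer`, `normalize`, `issuers_match_strict` and `issuers_match_normalized` are hypothetical names; the parser is deliberately minimal (it assumes the `scheme://host[:port][/path]` shape and does not handle IPv6 literals, percent-encoding or dot segments), and it uses only the standard library. Besides the trailing-slash case from the issue, it shows an edge case worth keeping in mind: RFC 3986 normalization only rewrites an empty path to "/", so `https://example.com/issuer` and `https://example.com/issuer/` still differ even after normalization.

```rust
// Added example, not part of matrix-authentication-service.
// Contrasts the strict issuer check required by OpenID Connect Discovery
// (simple string comparison, RFC 3986 section 6.2.1) with a comparison made
// after RFC 3986 section 6.2.2/6.2.3 syntax-based normalization.

/// Strict comparison: what the Discovery spec asks for.
pub fn issuers_match_strict(expected: &str, discovered: &str) -> bool {
    expected == discovered
}

/// Minimal components of an issuer URL.
#[derive(Debug, PartialEq, Eq)]
pub struct Issuer {
    scheme: String,
    host: String,
    port: Option<u16>,
    path: String,
}

/// Hypothetical minimal parser for `scheme://host[:port][/path]`.
/// Query and fragment are rejected, since an issuer must not carry them.
/// IPv6 host literals are not handled (assumption for brevity).
pub fn parse_issuer(s: &str) -> Option<Issuer> {
    let (scheme, rest) = s.split_once("://")?;
    if scheme.is_empty() || rest.contains('?') || rest.contains('#') {
        return None;
    }
    let (authority, path) = match rest.find('/') {
        Some(i) => (&rest[..i], &rest[i..]),
        None => (rest, ""),
    };
    let (host, port) = match authority.rsplit_once(':') {
        Some((h, p)) if !p.is_empty() => (h, Some(p.parse::<u16>().ok()?)),
        Some((h, _)) => (h, None), // "host:" with an empty port is the same as no port
        None => (authority, None),
    };
    if host.is_empty() {
        return None;
    }
    Some(Issuer {
        scheme: scheme.to_string(),
        host: host.to_string(),
        port,
        path: path.to_string(),
    })
}

/// RFC 3986 syntax-based normalization: lowercase scheme and host,
/// drop the scheme's default port, and turn an empty path into "/".
/// Percent-encoding and dot-segment normalization are omitted.
pub fn normalize(issuer: &Issuer) -> Issuer {
    let scheme = issuer.scheme.to_ascii_lowercase();
    let default_port = match scheme.as_str() {
        "https" => Some(443),
        "http" => Some(80),
        _ => None,
    };
    let port = if issuer.port == default_port { None } else { issuer.port };
    let path = if issuer.path.is_empty() { "/".to_string() } else { issuer.path.clone() };
    Issuer { scheme, host: issuer.host.to_ascii_lowercase(), port, path }
}

/// Comparison after normalization. The trailing-slash-on-empty-path case from
/// the issue now matches; a different host or path still does not.
pub fn issuers_match_normalized(expected: &str, discovered: &str) -> bool {
    match (parse_issuer(expected), parse_issuer(discovered)) {
        (Some(a), Some(b)) => normalize(&a) == normalize(&b),
        _ => false,
    }
}

fn main() {
    let expected = "https://example.com";
    let discovered = "https://example.com/"; // constructed well-known value with trailing slash
    println!("strict:     {}", issuers_match_strict(expected, discovered));
    println!("normalized: {}", issuers_match_normalized(expected, discovered));
}
```

Run with `cargo run` or `rustc` and the two lines print `false` and `true` for the issue's example. Whichever side of the strict-versus-normalized question one takes, the normalized variant is not a blanket "ignore trailing slashes" rule: it only equates an empty path with "/", and it still rejects a mismatched host, a non-default port, or a query string.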