Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Trailing slash leads to IssuerUrlsDontMatch #2352

Open
timokoesters opened this issue Feb 12, 2024 · 2 comments
Open

Trailing slash leads to IssuerUrlsDontMatch #2352

timokoesters opened this issue Feb 12, 2024 · 2 comments
Labels
A-Upstream-OAuth Related to login via upstream OAuth 2.0 providers T-Defect Something isn't working

Comments

@timokoesters
Copy link

Example:
The expected issuer is https://example.com, but the well-known/openid-configuration reports https://example.com/ with a trailing slash.
Currently, this leads to the Err(ProviderMetadataVerificationError::IssuerUrlsDontMatch) because of this exact string match:

matrix-authentication-service/crates/oauth2-types/src/oidc.rs

Lines 504 to 506 in 3d90d08

if metadata.issuer() != issuer {
return Err(ProviderMetadataVerificationError::IssuerUrlsDontMatch);
}

Should the comparison ignore trailing slashes or is this a misconfiguration by the user?
@timokoesters timokoesters mentioned this issue Feb 12, 2024
Open
@sandhose
Copy link
Member

This is a misconfiguration by the user IMO. We're intentionally being strict as the various specs (1, 2) want you to do strict simple string matches for the issuer.
I think it should be MAS and Synapse which need to make sure the configuration is right instead of making the client less strict about this.
It doesn't help though that the apps give a cryptic error in those cases :(

I've just gone one step towards making those errors less common by including a check in the mas-cli doctor tool, with guidance to help resolve the configuration issue.
The other thing we should do is make Synapse discover the right "issuer" value instead of just outputting it as-is in the well-known

@poljar
Copy link

poljar commented Feb 13, 2024
edited

This is a misconfiguration by the user IMO. We're intentionally being strict as the various specs (1, 2) want you to do strict simple string matches for the issuer.

As far as I understand, they want you to do simple string matching of the URL after the URL has been normalized:

This comparison MUST use simple string comparison as defined in Section 6.2.1 of [RFC3986].

Then if we look at Section 6.2.1:

False negatives are caused by the production and use of URI aliases.
Unnecessary aliases can be reduced, regardless of the comparison
method, by consistently providing URI references in an already-
normalized form (i.e., a form identical to what would be produced
after normalization is applied, as described below).

Finally we look at the ways a URI can be normalized in section 6.2.3:

In general, a URI that uses the generic syntax for authority with an
empty path should be normalized to a path of "/".

It even lists that these two are equivalent:

@sandhose sandhose added T-Defect Something isn't working A-Upstream-OAuth Related to login via upstream OAuth 2.0 providers labels Feb 16, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
A-Upstream-OAuth Related to login via upstream OAuth 2.0 providers T-Defect Something isn't working
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@poljar @sandhose @timokoesters