vaulttec/sonar-auth-oidc

Issuer URL is not same as Issuer URL in metadata

Closed this issue · 3 comments

At our company the OIDC is set up with metadata URL as https://<<OIDC_SERVER_URL>>/mga/sps/oauth/oauth20/metadata/MYOIDC and the issuer that I get in metadata is "issuer":"https://<<OIDC_SERVER_URL>>", so they don't match.

Nimbus Code in OIDCProviderMetadata fails at the following line...

    if (! issuer.equals(op.getIssuer())) {
        throw new GeneralException("The returned issuer doesn't match the expected: " + op.getIssuer());
    }

Any idea how we handle this?

Nimbus SDK is checking for OIDC spec compliance as explained here. So you have to check with your IdP vendor to fix this issue.

Just curious: Which IdP are you using?

For information, I've got the same issue with my IdP being ISAM. Also, I found that the metadata JSON from ISAM does not contain the key subject_types_supported. This causes an error within nimbusds, being the following:
Caused by: com.nimbusds.oauth2.sdk.ParseException: Missing JSON object member with key subject_types_supported
So sonar-auth-oidc is not compatible with the ISAM IdP...

According to the OpenID Connect Discovery 1.0 spec, the provider metadata key subject_types_supported is required. Without this key your identity provider is not compliant with this spec...
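The two compliance checks discussed in this thread (the issuer in the metadata must equal the issuer the relying party was configured with, and the required Discovery 1.0 keys such as subject_types_supported must be present) can be reproduced outside Nimbus to diagnose an IdP before wiring it into the plugin. The following is an added, stand-alone Python example written for this thread; it is not code from sonar-auth-oidc or the Nimbus SDK. The metadata documents, host names (idp.example.test) and endpoint paths in it are constructed for illustration, and the function names are my own.

```python
import json
from typing import List, Optional
from urllib.parse import urlparse

# Keys that OpenID Connect Discovery 1.0 (section 3) marks REQUIRED in every
# provider metadata document; Nimbus rejects a document missing any of them
# with "Missing JSON object member with key ...".
REQUIRED_KEYS = (
    "issuer",
    "authorization_endpoint",
    "jwks_uri",
    "response_types_supported",
    "subject_types_supported",
    "id_token_signing_alg_values_supported",
)

WELL_KNOWN = "/.well-known/openid-configuration"


def expected_issuer_from_metadata_url(metadata_url: str) -> Optional[str]:
    """Derive the issuer implied by a spec-compliant metadata URL.

    Discovery 1.0 places the document at <issuer>/.well-known/openid-configuration.
    A vendor-specific path (like the /mga/sps/oauth/oauth20/metadata/<name> path
    in this issue) cannot be mapped back to an issuer, so None is returned.
    """
    if not metadata_url.endswith(WELL_KNOWN):
        return None
    return metadata_url[: -len(WELL_KNOWN)]


def validate_provider_metadata(metadata_json: str, expected_issuer: str) -> List[str]:
    """Return a list of compliance problems; an empty list means the document passes."""
    problems: List[str] = []
    try:
        doc = json.loads(metadata_json)
    except json.JSONDecodeError as exc:
        return [f"metadata is not valid JSON: {exc}"]

    for key in REQUIRED_KEYS:
        if key not in doc:
            problems.append(f"missing required key: {key}")

    issuer = doc.get("issuer")
    if issuer is not None:
        parsed = urlparse(issuer)
        # Discovery 1.0: issuer is an https URL with no query or fragment.
        if parsed.scheme != "https":
            problems.append(f"issuer must use https: {issuer}")
        if parsed.query or parsed.fragment:
            problems.append(f"issuer must not carry a query or fragment: {issuer}")
        # Nimbus compares the configured issuer with op.getIssuer() verbatim,
        # so even a trailing-slash difference is a mismatch.
        if issuer != expected_issuer:
            problems.append(
                f"issuer mismatch: expected {expected_issuer!r}, metadata says {issuer!r}"
            )
    return problems


# Constructed sample resembling the ISAM situation in this thread: the issuer is
# the bare server URL while the document is served from a vendor-specific path,
# and subject_types_supported is absent.
ISAM_LIKE_METADATA = json.dumps({
    "issuer": "https://idp.example.test",
    "authorization_endpoint": "https://idp.example.test/mga/sps/oauth/oauth20/authorize",
    "token_endpoint": "https://idp.example.test/mga/sps/oauth/oauth20/token",
    "jwks_uri": "https://idp.example.test/mga/sps/jwks",
    "response_types_supported": ["code"],
    "id_token_signing_alg_values_supported": ["RS256"],
})

# Constructed sample of a compliant document.
COMPLIANT_METADATA = json.dumps({
    "issuer": "https://idp.example.test",
    "authorization_endpoint": "https://idp.example.test/authorize",
    "token_endpoint": "https://idp.example.test/token",
    "jwks_uri": "https://idp.example.test/jwks",
    "response_types_supported": ["code"],
    "subject_types_supported": ["public"],
    "id_token_signing_alg_values_supported": ["RS256"],
})


if __name__ == "__main__":
    configured = "https://idp.example.test/mga/sps/oauth/oauth20/metadata/MYOIDC"
    for problem in validate_provider_metadata(ISAM_LIKE_METADATA, configured):
        print("ISAM-like:", problem)
    print("compliant:", validate_provider_metadata(COMPLIANT_METADATA, "https://idp.example.test"))
```

Running it against the ISAM-like document reports both the missing subject_types_supported key and the issuer mismatch, which are exactly the two failures the thread describes; the compliant document yields an empty list. Because the relying party has to supply the expected issuer itself, the check also shows why a metadata URL on a non-standard path cannot be turned into an issuer automatically.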