lua-resty-openidc requires issuer to be == to the discovery URL domain

[gdestuynder]

I believe that is incorrect (https://openid.net/specs/openid-connect-core-1_0.html#IssuerIdentifier) ("correct me if im wrong! :)")

For ex you could have an issuer of example.com and a discovery URL of https://example2.com/.well-known/openid-configuration

Auth0.com does this with custom auth domains, so I suspect anyone using that feature of auth0 with this library will eventually get this issue.

Error looks like:

openidc.lua:495: openidc_discover(): issuer field in Discovery data does not match URL, client: 13.37.13.37, server: social-ldap-pwless.testrp.security.allizom.org, request: "GET / HTTP/1.1", host: "social-ldap-pwless.testrp.security.allizom.org"

The lib check is at:

lua-resty-openidc/lib/resty/openidc.lua

Lines 529 to 532 in 34fdf6e

	if string.sub(url, 1, string.len(json['issuer'])) == json['issuer'] then
	openidc_cache_set("discovery", url, cjson.encode(json), exptime or 24 * 60 * 60)
	else
	err = "issuer field in Discovery data does not match URL"

@bodewig do you know more about this? I'm happy to send a PR that removes the check otherwise

[zandbelt]

The check is according to https://openid.net/specs/openid-connect-discovery-1_0.html#Impersonation but since lua-resty-openidc doesn't actually discover the metadata document but uses a fixed URI, I guess it is OK to relax this check.

[bodewig]

I agree. Most likely we'll need yet another option unless we want to remove the check completely.

[zandbelt]

Since we explicitly point the code to a Discovery document that is served from a TLS protected endpoint, there's no mapping between an identifier and the document that can be tampered with and I'm OK to comment out the check.

[bodewig]

OK, I've removed the check.