Modifying the issuer claim
-
When inspecting the discovery info of a FusionAuth server, we find the value of
issuerdoes not match the domain name of your authorization server. The issuer you are sending isexample.com.We expect the
issuerclaim to match the domain of your discovery URL. In other words, the value for issuer we are expecting ishttps://login.example.com. This is based on the spec found here:https://openid.net/specs/openid-connect-discovery-1_0.html
OpenID Providers supporting Discovery MUST make a JSON document available at the path formed by concatenating the string /.well-known/openid-configuration to the Issuer
-
It sounds like you're asking if you can modify the issuer claim.
You can control the "Issuer", or
issclaim, in two different ways:- You can set it in the tenant config, where it will apply for all JWTs issued for that tenant. You'd modify that by navigating to "Tenants", then your tenant, then "General". Modify the "Issuer" field value to be
login.example.com. - You can set it at the individual JWT level by modifying the JWT populate lambda. You would do this if you wanted to have a different issuer based on some information from the user or registration data. (This does not appear to be the case here, just including this for completeness.)
I'm not clear if you have more than one tenant in your system; if you do, you can either change the "Issuer" setting for the default tenant (which is what is provided when no
tenantIdis on the URL) or request the endpoint with atenantIdappended, like this:https://login.example.com/.well-known/openid-configuration?tenantId=<tenantid> - You can set it in the tenant config, where it will apply for all JWTs issued for that tenant. You'd modify that by navigating to "Tenants", then your tenant, then "General". Modify the "Issuer" field value to be