• Home
  • Categories
  • Recent
  • Popular
  • Pricing
  • Contact us
  • Docs
  • Login
FusionAuth
  • Home
  • Categories
  • Recent
  • Popular
  • Pricing
  • Contact us
  • Docs
  • Login

Tenant Issuer configuration might not follow the OIDC specification

Scheduled Pinned Locked Moved
Comments & Feedback
4
5
2.9k
Loading More Posts
  • Oldest to Newest
  • Newest to Oldest
  • Most Votes
Reply
  • Reply as topic
Log in to reply
This topic has been deleted. Only users with topic management privileges can see it.
  • C
    cthos
    last edited by 28 Jan 2025, 23:17

    I'm not sure if this qualifies as a bug or a documentation issue (or neither), but there's a potential problem with the advice when setting up a tenant.

    Under the tenant settings, you set the token issuer - and it advises you to use the FQDN of your domain. The example given is "fusionauth.io". This issuer winds up in the OIDC Autodiscovery config and I believe the "iss" field of the ID Token. So, if you set it to "fusionauth.io" you'll wind up with this:

    {
  ...
  "issuer" : "fusionauth.io",
  
}

    Issuer, according to the spec (https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata), must include the scheme:

    REQUIRED. URL using the https scheme with no query or fragment components that the OP asserts as its Issuer Identifier. If Issuer discovery is supported (see Section 2), this value MUST be identical to the issuer value returned by WebFinger. This also MUST be identical to the iss Claim value in ID Tokens issued from this Issuer.

    So, that breaks some OIDC Clients rhat strictly adhere to the spec (I tried it with npm's openid-client but there are likely others).

    The spec for the "iss" stanza of ID tokens also needs the scheme: https://openid.net/specs/openid-connect-core-1_0.html#IDToken

    Related point, if you use the Tenant's autodiscovery URL, e.g. https://fusionauth.io/{tentant_id}/.well-known/openid-configuration, OIDC clients will generally expect the issuer to include the {tenant_id} as well and try to validate against that. Here's an example from an Okta dev tenant: https://dev-06212286.okta.com/oauth2/ausmf0ocf2mJ2g4Yq5d7/.well-known/openid-configuration

    The docs (https://fusionauth.io/docs/get-started/core-concepts/tenants) don't mention any of this - just says FQDN (which does not include a scheme), so while you can configure your Tenant appropriately it's fairly easy to misconfigure it. Might be worth mentioning this somewhere or validating that the issuer (if possible) contains the scheme.

    I don't actually know if that was present in earlier drafts of the OIDC spec.

    M C 2 Replies Last reply 3 Feb 2025, 21:08 Reply Quote 1
    • M
      mark.robustelli @cthos
      last edited by mark.robustelli 3 Feb 2025, 21:08

      @cthos Thanks for the feedback. Since it does appear that you can configure as required, I'm not sure this constitutes a bug. However if it is confusing to you it is likely to others as well. It may be worth opening an issue for the dev team to take a look at.

      1 Reply Last reply Reply Quote 0
      • C
        cabaral109 @cthos
        last edited by 20 Feb 2025, 02:38

        @cthos

        @cthos said in Tenant Issuer configuration might not follow the OIDC specification:

        I'm not sure if this qualifies as a bug or a documentation issue (or neither), but there's a potential problem with the advice when setting up a tenant.

        Under the tenant settings, you set the token issuer - and it advises you to use the FQDN of your domain. The example given is "fusionauth.io". This issuer winds up in the OIDC Autodiscovery config and I believe the "iss" field of the ID Token. So, if you set it to "fusionauth.io" you'll wind up with this:

        {
  ...
  "issuer" : "fusionauth.io",
  
}

        Issuer, according to the spec (https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata fnaf)

        , must include the scheme:

        REQUIRED. URL using the https scheme with no query or fragment components that the OP asserts as its Issuer Identifier. If Issuer discovery is supported (see Section 2), this value MUST be identical to the issuer value returned by WebFinger. This also MUST be identical to the iss Claim value in ID Tokens issued from this Issuer.

        So, that breaks some OIDC Clients rhat strictly adhere to the spec (I tried it with npm's openid-client but there are likely others).

        The spec for the "iss" stanza of ID tokens also needs the scheme: https://openid.net/specs/openid-connect-core-1_0.html#IDToken

        The current documentation mentions FQDN (Fully Qualified Domain Name) without explicitly stating the need for a scheme. This could lead to misconfigurations if users are unaware that the issuer should include the scheme. It would be beneficial to update the documentation to clarify that the issuer must include both the scheme and the tenant ID. This could help prevent common setup issues.

        M 1 Reply Last reply 14 Mar 2025, 08:32 Reply Quote 0
        • M
          maciej.wisniowski Power User @cabaral109
          last edited by 14 Mar 2025, 08:32

          @cabaral109 @mark-robustelli after spending few hours debugging issue with openid-client I found this topic and lack of the protocol part in the issuer field to be a reason. I've just submitted the issue at: https://github.com/FusionAuth/fusionauth-issues/issues/3021

          M 1 Reply Last reply 17 Mar 2025, 13:42 Reply Quote 1
          • M
            mark.robustelli @maciej.wisniowski
            last edited by 17 Mar 2025, 13:42

            @maciej-wisniowski Looks like you are getting some traction on the issue. Thanks for taking the time to work through this and submit the issue to make FusionAuth better.

            1 Reply Last reply Reply Quote 0
            • First post
              Last post