Hello! Good afternoon, I have a question about the OpenID Connect plugin.
I’m trying to use ID Uruguay (a government OpenID Connect “provider”) with Discourse. I signed up for the test server and they sent me the necessary data.
The whole flow seems to work fine except for the callback; apparently the issuer sent in the JWT is not the same as in the discovery document.
I already contacted Support and they said that basically the error was from Discourse (which I don’t think is the case).
Is it possible to somehow add another value to “excepted issuer”?
From the location of the discovery document, you need to assume that the issuer is https://auth-testing.iduruguay.gub.uy/oidc/v1 since the discovery document is the issuer with /.well-known/openid-configuration appended to it.
Now the document itself says issuer "https://auth-testing.iduruguay.gub.uy".
And the two requirements in the last sentence are not met. The iss claim value is identical to the Issuer URL that was used to retrieve the configuration, but both are NOT identical to the issuer value returned.
So for what it is worth, I think they are wrong and you are right. Too bad that does not get you anywhere.
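The comparison described in the reply above, as an added Ruby example (not part of the thread and not the plugin's own code). The token is constructed, its `iss` value is assumed to be the one the reply describes, and the signature is deliberately not verified because the script only diagnoses the issuer mismatch.

```ruby
require "json"

WELL_KNOWN = "/.well-known/openid-configuration"

# Payload of a compact JWT, decoded WITHOUT signature verification.
# Good enough to inspect the iss claim; never use this to accept a login.
def jwt_claims(jwt)
  seg = jwt.split(".")[1] or raise ArgumentError, "not a compact JWT"
  seg = seg.tr("-_", "+/")
  seg += "=" * ((4 - seg.length % 4) % 4) # restore stripped base64 padding
  JSON.parse(seg.unpack1("m"))
end

# Compare the three issuer values that have to be identical:
# the URL the configuration was retrieved from (minus the well-known
# suffix), the "issuer" member of the document, and the token's iss claim.
# The comparison is exact on purpose: no case or trailing-slash normalization.
def issuer_check(discovery_url, discovery_json, id_token)
  raise ArgumentError, "not a discovery URL" unless discovery_url.end_with?(WELL_KNOWN)
  values = {
    retrieval_url: discovery_url.delete_suffix(WELL_KNOWN),
    document: JSON.parse(discovery_json)["issuer"],
    id_token: jwt_claims(id_token)["iss"],
  }
  problems = []
  problems << :document_vs_retrieval_url if values[:document] != values[:retrieval_url]
  problems << :id_token_vs_document if values[:id_token] != values[:document]
  { values: values, problems: problems, ok: problems.empty? }
end

# Constructed, unsigned sample token carrying the given iss claim.
def sample_token(iss)
  enc = ->(h) { [JSON.generate(h)].pack("m0").tr("+/", "-_").delete("=") }
  [enc.call({ "alg" => "none" }), enc.call({ "iss" => iss, "sub" => "constructed" }), "sig"].join(".")
end

# Values from the thread: where the document lives and what it declares.
SAMPLE_URL = "https://auth-testing.iduruguay.gub.uy/oidc/v1" + WELL_KNOWN
SAMPLE_DOC = JSON.generate({ "issuer" => "https://auth-testing.iduruguay.gub.uy" })

if __FILE__ == $PROGRAM_NAME
  token = sample_token("https://auth-testing.iduruguay.gub.uy/oidc/v1")
  result = issuer_check(SAMPLE_URL, SAMPLE_DOC, token)
  result[:values].each { |name, value| puts format("%-14s %s", name, value) }
  puts result[:ok] ? "issuer values agree" : "mismatch: #{result[:problems].join(', ')}"
end
```

Running it against a real provider means replacing the constructed document and token with the fetched discovery JSON and an ID token captured from the callback.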
I reported this and linked to your answer. I’ll wait for a response from ID Uruguay support.
Right now I am using a pastebin with the correct issuer (anyway, it was for testing) and everything seems to work correctly. I hope that the support team can solve this detail before applying to ID Uruguay in Production mode.