Wrong issuer: accounts.google.com

[cgawron]

For Google, the issuer check fails in processIdTokken. The discovery document of google (https://accounts.google.com/.well-known/openid-configuration) states

"issuer": "https://accounts.google.com"

while the token contains

"iss": "accounts.google.com"

This might be a bug on Google's side (or maybe the spec is not clear whether the issuer refers only to the host part of the URL), but it would help if the library could cope with it.

BTW, I also tried specifying the issuer as accounts.google.comin the config, but then I can't even load the discovery document.

How are other user dealing with this issue?

[jeroenheijmans]

It seems that OAuth2 (RFC7519) allows a StringOrUri so with or without schema is both up to spec? However, OpenId (Connect Core 1.0) does say that:

[The Issuer Identifier obtained during discovery] MUST exactly match the value of the iss (issuer) Claim.

So Google is being a pain here, by providing different values during discovery and inside the token. It was noted in other projects too that this occurs, the conclusion there seems similar: a workaround is needed.

I saw you already created a PR for this, #524 (that was probably intending to reference this issue in the "fixes" message?), I'll comment there on the proposed solution.

Careful by the way that there may be more trouble ahead for you with Google's auth, I remember #364 that shows some issues with the origin of the iframe parent.

[jeroenheijmans]

I think as per this comment things got fixed in the latest version. Let us know if the issue persists and we could reopen this issue!