Angular-oauth2-oidc: Every url in discovery document has to start with the issuer url - but why?

Created on 5 Sep 2018 · 4 Comments · Source: manfredsteyer/angular-oauth2-oidc

When using strictDiscoveryDocumentValidation (the default), all URLs in the discovery document must start with the issuer URL, but this does not seem to be a part of any OAuth or OpenID specification that I can find. Why is this a requirement? It is incompatible with e.g. Google's OpenID configuration: https://accounts.google.com/.well-known/openid-configuration.


All 4 comments

It's also incompatible with WSO2-IS.

Based on what I know about the library, and digging through the commits that introduced that option, I would say that it's a little overzealous and you can safely set the strictDiscoveryDocumentValidation option to false for Google OpenID and WSO2-IS, and move on.

Assuming I'm right, we could leave this GH issue open as a request to add this note (that it can be safely set to false for some IDServers) to the property's documentation. But that's probably something only the original author / maintainer can answer for us.

Yes, you are right. You can deactivate it and it isn't demanded by the specs. It's more or less a best practice as it prevents a specific attack where someone manages to fake a discovery document.
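To make the trade-off in the maintainer's answer concrete, here is an added example (not code from angular-oauth2-oidc) that models the strict check as the thread describes it: every URL-valued field must start with the issuer URL, so a tampered document cannot redirect the client's token or JWKS requests to another host. It also shows a narrower alternative for providers such as Google whose endpoints legitimately live on other hosts: instead of switching validation off, require HTTPS and restrict each endpoint's host to an explicit allowlist. The sample documents are constructed for the example (the first mirrors the shape of Google's published document; the second is the same document with its jwks_uri swapped), and the allowlist design is an assumption of this example, not a feature of the library.

```typescript
// Added example: a model of the strictDiscoveryDocumentValidation check and an
// allowlist-based alternative. Not angular-oauth2-oidc's own code.

interface DiscoveryDocument {
  issuer: string;
  authorization_endpoint: string;
  token_endpoint: string;
  jwks_uri: string;
  userinfo_endpoint?: string;
  end_session_endpoint?: string;
}

// URL-valued keys that the checks below inspect.
const URL_KEYS: (keyof DiscoveryDocument)[] = [
  "authorization_endpoint",
  "token_endpoint",
  "jwks_uri",
  "userinfo_endpoint",
  "end_session_endpoint",
];

// Strict mode, modelled on the behaviour described in the thread: the issuer must be
// the one we configured, and every endpoint URL must start with that issuer URL.
// Returns the names of the fields that fail, so the caller can log them.
function strictValidate(doc: DiscoveryDocument, expectedIssuer: string): string[] {
  const problems: string[] = [];
  if (doc.issuer !== expectedIssuer) {
    problems.push("issuer");
  }
  for (const key of URL_KEYS) {
    const value = doc[key];
    if (value !== undefined && !value.startsWith(doc.issuer)) {
      problems.push(key);
    }
  }
  return problems;
}

// Extracts the host of an https:// URL, or null if the value is not an https URL.
// A regex is used instead of the URL class so the example has no runtime dependencies.
function httpsHost(value: string): string | null {
  const m = /^https:\/\/([^/:?#]+)(?:[/:?#]|$)/.exec(value);
  return m ? m[1].toLowerCase() : null;
}

// Allowlist mode (assumed design for this example): still pin the issuer, and require
// every endpoint to be https on one of a fixed set of hosts agreed in advance.
// This keeps a tampered document from pointing the client at an arbitrary host
// while accepting providers that spread endpoints over several of their own hosts.
function allowlistValidate(
  doc: DiscoveryDocument,
  expectedIssuer: string,
  allowedHosts: string[]
): string[] {
  const problems: string[] = [];
  if (doc.issuer !== expectedIssuer) {
    problems.push("issuer");
  }
  const allowed = allowedHosts.map((h) => h.toLowerCase());
  for (const key of URL_KEYS) {
    const value = doc[key];
    if (value === undefined) {
      continue;
    }
    const host = httpsHost(value);
    if (host === null || !allowed.includes(host)) {
      problems.push(key);
    }
  }
  return problems;
}

// Constructed sample in the shape of Google's discovery document: the issuer is
// accounts.google.com, but the token, JWKS and userinfo endpoints are on other hosts,
// which is exactly why the strict check rejects it.
const googleLikeDoc: DiscoveryDocument = {
  issuer: "https://accounts.google.com",
  authorization_endpoint: "https://accounts.google.com/o/oauth2/v2/auth",
  token_endpoint: "https://oauth2.googleapis.com/token",
  jwks_uri: "https://www.googleapis.com/oauth2/v3/certs",
  userinfo_endpoint: "https://openidconnect.googleapis.com/v1/userinfo",
};

// Constructed: the same document after its JWKS URL has been replaced with a host
// outside the provider. This is the case the validation exists to catch.
const tamperedDoc: DiscoveryDocument = {
  ...googleLikeDoc,
  jwks_uri: "https://not-the-provider.example/certs",
};

// Hosts a relying party would agree to for the constructed document above.
const GOOGLE_LIKE_HOSTS = [
  "accounts.google.com",
  "oauth2.googleapis.com",
  "www.googleapis.com",
  "openidconnect.googleapis.com",
];

console.log("strict:", strictValidate(googleLikeDoc, "https://accounts.google.com"));
console.log("allowlist, genuine:", allowlistValidate(googleLikeDoc, "https://accounts.google.com", GOOGLE_LIKE_HOSTS));
console.log("allowlist, tampered:", allowlistValidate(tamperedDoc, "https://accounts.google.com", GOOGLE_LIKE_HOSTS));
```

Run against the genuine document, strictValidate reports token_endpoint, jwks_uri and userinfo_endpoint, which is the failure the original question describes; allowlistValidate accepts it, and still flags jwks_uri on the tampered copy. Setting strictDiscoveryDocumentValidation to false gives up the first check entirely, so if you do that for a provider like Google, the allowlist is the kind of check worth adding in its place.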

The discovery document for PingOne relying parties also fails the validation check, and as such requires setting strictDiscoveryDocumentValidation = false;

I'm opening a PR to reflect this configuration in the "Getting Started" section, as it seems relevant enough to multiple ID Providers and it took a little bit of digging to find.
