Description
I recently updated to 1.25.0 and noticed that using Gitea as my OIDC Identity Provider broke since the issuer URL changed. Specifically, I use my Gitea instance to log into Tailscale which now reports this:
Tailscale received the following error trying to contact your OIDC provider: auth.OIDC("https://git.mydomain/"): oidc: issuer did not match the issuer returned by provider, expected "https://git.mydomain/" got "https://git.mydomain"
Checking the source code I found that commit 3533263 (Pull Request #34966) caused a change in behaviour. Previously, the issuer was set by `response.Issuer = setting.AppURL` but it's now set through `ctx.Data["OidcIssuer"] = jwtRegisteredClaims.Issuer`.
That function looks like this:
```go
import (
	"strconv"
	"strings"

	"code.gitea.io/gitea/modules/setting"

	"github.com/golang-jwt/jwt/v5"
)

// NewJwtRegisteredClaimsFromUser builds the registered claims for an ID token.
// Since 1.25 the same Issuer value is also exposed through the discovery document.
func NewJwtRegisteredClaimsFromUser(clientID string, grantUserID int64, exp *jwt.NumericDate) jwt.RegisteredClaims {
	// https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfig
	// The issuer value returned MUST be identical to the Issuer URL that was used as the prefix to /.well-known/openid-configuration
	// to retrieve the configuration information. This MUST also be identical to the "iss" Claim value in ID Tokens issued from this Issuer.
	// * https://accounts.google.com/.well-known/openid-configuration
	// * https://github.com/login/oauth/.well-known/openid-configuration
	return jwt.RegisteredClaims{
		Issuer:    strings.TrimSuffix(setting.AppURL, "/"), // trailing slash of AppURL is dropped here
		Audience:  []string{clientID},
		Subject:   strconv.FormatInt(grantUserID, 10),
		ExpiresAt: exp,
	}
}
```

It explicitly includes a `TrimSuffix` call that removes the trailing slash that Tailscale expects on login.
I'm not sure if this counts as a bug, but I didn't see it as a breaking change on https://blog.gitea.com/release-of-1.25.0/ so it's probably worth either removing this new logic (i.e. don't trim the trailing / from the issuer URL) or updating the announcement to clarify that some OIDC integrations might break and should first update their issuer URL.
Gitea Version
1.25.0
Can you reproduce the bug on the Gitea demo site?
No
Log Gist
No response
Screenshots
No response
Git Version
No response
Operating System
No response
How are you running Gitea?
Gitea Helm chart on k8s, but with updated image tag to run 1.25.0
Database
None
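The mismatch reported above comes down to a byte-for-byte string comparison that OpenID Connect Discovery requires of relying parties. The following Go program is an added illustration, not Gitea's or Tailscale's code: it models the issuer an identity provider advertises before and after the `TrimSuffix` change, the discovery URL a client derives from its configured issuer, and the strict comparison a client performs. The function names, the `trimSlash` flag, and the host `git.mydomain` are constructed for the example; the error text mirrors the message quoted in the issue.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ErrIssuerMismatch mirrors the wording of the error quoted in the issue.
var ErrIssuerMismatch = errors.New("oidc: issuer did not match the issuer returned by provider")

// IssuerFromAppURL returns the issuer an identity provider advertises for a base URL.
// trimSlash=false models the pre-1.25 behaviour (issuer = AppURL verbatim);
// trimSlash=true models the 1.25 behaviour (strings.TrimSuffix(AppURL, "/")).
// Hypothetical helper written for this example.
func IssuerFromAppURL(appURL string, trimSlash bool) string {
	if trimSlash {
		return strings.TrimSuffix(appURL, "/")
	}
	return appURL
}

// DiscoveryURL is the well-known URL a relying party fetches for a configured issuer.
// Trimming the slash before concatenation is an assumption about the client; it keeps
// the fetch working for either spelling, which is why only the comparison step fails.
func DiscoveryURL(configuredIssuer string) string {
	return strings.TrimSuffix(configuredIssuer, "/") + "/.well-known/openid-configuration"
}

// CheckIssuer performs the comparison OpenID Connect Discovery 1.0 requires: the issuer
// returned by the provider MUST be identical to the issuer URL the relying party used as
// the discovery prefix. No normalization is applied on purpose, because a lenient match
// would weaken the binding between the ID token's "iss" claim and the trusted provider.
func CheckIssuer(configuredIssuer, providerIssuer string) error {
	if configuredIssuer != providerIssuer {
		return fmt.Errorf("%w, expected %q got %q", ErrIssuerMismatch, configuredIssuer, providerIssuer)
	}
	return nil
}

func main() {
	// Constructed values; "git.mydomain" is the placeholder host from the issue.
	const appURL = "https://git.mydomain/"
	const rpConfigured = "https://git.mydomain/" // issuer the relying party was configured with

	fmt.Println("discovery URL:", DiscoveryURL(rpConfigured))
	for _, trim := range []bool{false, true} {
		err := CheckIssuer(rpConfigured, IssuerFromAppURL(appURL, trim))
		fmt.Printf("provider trims slash=%v -> %v\n", trim, err)
	}
	// Remediation on the relying-party side: configure the issuer exactly as the
	// provider now advertises it, rather than relaxing the comparison.
	fmt.Println("after updating RP issuer:", CheckIssuer("https://git.mydomain", IssuerFromAppURL(appURL, true)))
}
```

Running it prints a nil error for the pre-change issuer, the mismatch error for the 1.25 issuer, and nil again once the relying party's configured issuer is changed to `https://git.mydomain`. The practical check for operators upgrading is therefore to compare the `issuer` field served at `/.well-known/openid-configuration` with the issuer string configured in each relying party, and to update the latter rather than loosen the comparison.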