openid_connect_frontend.yaml.example: leverage <base_url> template

Setting an alternative issuer should not be an encouraged setup,
although provider discovery should work either way. The recommended
setting is to use the BASE as the issuer, and we can leverage the
agressive configuration value replacement logic, which rewrites all
occurences of <base_url> to the value of BASE. The unit test was
modified to guarantee this behaviour, though.

Author: bajnokk

example/plugins/frontends/openid_connect_frontend.yaml.example

@@ -33,11 +33,7 @@ config:
   sub_hash_salt: randomSALTvalue
 
   provider:
-    # If you do not specify the issuer here, then BASE will be used as Issuer.
-    # Note that even though this setting must be specified as a full URL,
-    # provider discovery will only work, if the request can be routed back to
-    # SATOSA.
-    issuer: https://op.example.com/satosa/OIDC
+    issuer: <base_url>
     client_registration_supported: Yes
     response_types_supported: ["code", "id_token token"]
     subject_types_supported: ["pairwise"]

tests/flows/test_oidc-saml.py

@@ -28,7 +28,7 @@
 CLIENT_REDIRECT_URI = "https://client.example.com/cb"
 REDIRECT_URI = "https://client.example.com/cb"
 DB_URI = "mongodb://localhost/satosa"
-EXTRA_ISSUER = "https://other-op.example.com/satosa/other/op"
+EXTRA_ISSUER = "<base_url>/other/op"
 
 @pytest.fixture(scope="session")
 def client_db_path(tmpdir_factory):
@@ -117,7 +117,7 @@ def test_full_flow(self, satosa_config_dict, oidc_frontend_config, saml_backend_
         test_client = Client(make_app(SATOSAConfig(satosa_config_dict)), Response)
 
         # get frontend OP config info
-        issuer = EXTRA_ISSUER
+        issuer = EXTRA_ISSUER.replace("<base_url>", satosa_config_dict["BASE"])
         provider_config = self._discover_provider(test_client, issuer)
 
         # create auth req