frontends/openid_connect: support issuer override via provider

bajnokk · bajnokk · commit b4b8df86a9e9 · 2023-03-17T21:56:51.000+01:00
Even though the OIDC provider configuration has an element for setting
the issuer, for some reason it was rewritten to BASE unconditionally,
but this has broken provider endpoint discovery when multiple OIDC
frontends were in use.
diff --git a/example/plugins/frontends/openid_connect_frontend.yaml.example b/example/plugins/frontends/openid_connect_frontend.yaml.example
@@ -33,6 +33,11 @@ config:
   sub_hash_salt: randomSALTvalue
 
   provider:
+    # If you do not specify the issuer here, then BASE will be used as Issuer.
+    # Note that even though this setting must be specified as a full URL,
+    # provider discovery will only work, if the request can be routed back to
+    # SATOSA.
+    issuer: https://op.example.com/satosa/OIDC
     client_registration_supported: Yes
     response_types_supported: ["code", "id_token token"]
     subject_types_supported: ["pairwise"]
diff --git a/src/satosa/frontends/openid_connect.py b/src/satosa/frontends/openid_connect.py
@@ -62,7 +62,8 @@ def __init__(self, auth_req_callback_func, internal_attributes, conf, base_url,
 
         self.config = conf
         provider_config = self.config["provider"]
-        provider_config["issuer"] = base_url
+        if not provider_config.get("issuer"):
+            provider_config["issuer"] = base_url
 
         self.signing_key = RSAKey(
             key=rsa_load(self.config["signing_key_path"]),
diff --git a/tests/satosa/frontends/test_openid_connect.py b/tests/satosa/frontends/test_openid_connect.py
@@ -44,6 +44,7 @@
 EXTRA_SCOPES = {
     "eduperson": ["eduperson_scoped_affiliation", "eduperson_principal_name"]
 }
+ISSUER = "https://other-op.example.com/satosa/other-op"
 
 class TestOpenIDConnectFrontend(object):
     @pytest.fixture
@@ -394,6 +395,16 @@ def test_register_endpoints_handles_path_in_issuer(self, frontend_config, issuer
             frontend.userinfo_endpoint,
         ) in urls
 
+    def test_discovery_endpoint_honours_issuer_override(self, frontend_config):
+        frontend_config["provider"]["issuer"] = ISSUER
+        frontend = self.create_frontend(frontend_config)
+        discovery_path = urlparse(ISSUER).path[1:]
+        urls = frontend.register_endpoints(["test"])
+        assert (
+            "^{}/{}$".format(discovery_path, ".well-known/openid-configuration"),
+            frontend.provider_config,
+        ) in urls
+
     def test_register_endpoints_token_and_userinfo_endpoint_is_not_published_if_only_implicit_flow(
             self, frontend_config, context):
         frontend_config["provider"]["response_types_supported"] = ["id_token", "id_token token"]
