auth: add required issuer to OAuth (home-assistant#152385)

Author: ptu14

homeassistant/components/auth/login_flow.py

@@ -136,17 +136,22 @@ async def get(self, request: web.Request) -> web.Response:
             url_prefix = get_url(hass, require_current_request=True)
         except NoURLAvailableError:
             url_prefix = ""
-        return self.json(
-            {
-                "authorization_endpoint": f"{url_prefix}/auth/authorize",
-                "token_endpoint": f"{url_prefix}/auth/token",
-                "revocation_endpoint": f"{url_prefix}/auth/revoke",
-                "response_types_supported": ["code"],
-                "service_documentation": (
-                    "https://developers.home-assistant.io/docs/auth_api"
-                ),
-            }
-        )
+
+        metadata = {
+            "authorization_endpoint": f"{url_prefix}/auth/authorize",
+            "token_endpoint": f"{url_prefix}/auth/token",
+            "revocation_endpoint": f"{url_prefix}/auth/revoke",
+            "response_types_supported": ["code"],
+            "service_documentation": (
+                "https://developers.home-assistant.io/docs/auth_api"
+            ),
+        }
+
+        # Add issuer only when we have a valid base URL (RFC 8414 compliance)
+        if url_prefix:
+            metadata["issuer"] = url_prefix
+
+        return self.json(metadata)
 
 
 class AuthProvidersView(HomeAssistantView):

tests/components/auth/test_login_flow.py

@@ -374,7 +374,7 @@ async def test_login_exist_user_ip_changes(
 
 @pytest.mark.usefixtures("current_request_with_host")  # Has example.com host
 @pytest.mark.parametrize(
-    ("config", "expected_url_prefix"),
+    ("config", "expected_url_prefix", "extra_response_data"),
     [
         (
             {
@@ -383,6 +383,7 @@ async def test_login_exist_user_ip_changes(
                 "external_url": "https://example.com",
             },
             "https://example.com",
+            {"issuer": "https://example.com"},
         ),
         (
             {
@@ -391,6 +392,7 @@ async def test_login_exist_user_ip_changes(
                 "external_url": "https://other.com",
             },
             "https://example.com",
+            {"issuer": "https://example.com"},
         ),
         (
             {
@@ -399,6 +401,7 @@ async def test_login_exist_user_ip_changes(
                 "external_url": "https://again.com",
             },
             "",
+            {},
         ),
     ],
     ids=["external_url", "internal_url", "no_match"],
@@ -408,6 +411,7 @@ async def test_well_known_auth_info(
     aiohttp_client: ClientSessionGenerator,
     config: dict[str, str],
     expected_url_prefix: str,
+    extra_response_data: dict[str, str],
 ) -> None:
     """Test the well-known OAuth authorization server endpoint with different URL configurations."""
     await async_process_ha_core_config(hass, config)
@@ -417,6 +421,7 @@ async def test_well_known_auth_info(
     )
     assert resp.status == 200
     assert await resp.json() == {
+        **extra_response_data,
         "authorization_endpoint": f"{expected_url_prefix}/auth/authorize",
         "token_endpoint": f"{expected_url_prefix}/auth/token",
         "revocation_endpoint": f"{expected_url_prefix}/auth/revoke",