Merge pull request #2136 from amoeller83/issue-2132

fix: config to disable strict issuer validation upon wellknown retrie…

Author: damienbod

docs/site/angular-auth-oidc-client/docs/documentation/configuration.md

@@ -446,6 +446,14 @@ Sets the log level displayed in the console.
 
 Makes it possible to turn the `iss` validation off per configuration. **You should not turn this off!**
 
+### `strictIssuerValidationOnWellKnownRetrievalOff`
+
+
+- Type: `boolean`
+- Required: `false`
+
+Makes it possible to turn the strict issuer validation on well known retrieval off per configuration.
+
 ### `historyCleanupOff`
 
 - Type: `boolean`

projects/angular-auth-oidc-client/src/lib/config/auth-well-known/auth-well-known-data.service.spec.ts

@@ -271,6 +271,37 @@ describe('AuthWellKnownDataService', () => {
       });
     }));
 
+    it('throws no error if well known issuer does not match authwellknownUrl and validation is disabled', waitForAsync(() => {
+      const loggerSpy = spyOn(loggerService, 'logError');
+      const maliciousWellKnown = {
+        ...DUMMY_WELL_KNOWN_DOCUMENT,
+        issuer: DUMMY_MALICIOUS_URL
+      };
+
+      spyOn(dataService, 'get').and.returnValue(
+        createRetriableStream(
+          of(maliciousWellKnown)
+        )
+      );
+
+      const config = {
+        configId: 'configId1',
+        authWellknownEndpointUrl: DUMMY_WELL_KNOWN_DOCUMENT.issuer,
+        strictIssuerValidationOnWellKnownRetrievalOff: true,
+      };
+
+      service.getWellKnownEndPointsForConfig(config).subscribe({
+        next: (result) => {
+          expect(result.issuer).toBe(DUMMY_MALICIOUS_URL);
+          expect(loggerSpy).not.toHaveBeenCalled();
+        },
+        error: (err) => {
+          fail(err);
+        },
+      });
+    }));
+
+
     it('should not throws error and logs if well known issuer has a trailing slash compared to authwellknownUrl ', waitForAsync(() => {
       const trailingSlashIssuerWellKnown = {
         ...DUMMY_WELL_KNOWN_DOCUMENT,

projects/angular-auth-oidc-client/src/lib/config/auth-well-known/auth-well-known-data.service.ts

@@ -53,7 +53,7 @@ export class AuthWellKnownDataService {
           const wellKnownSuffix = config.authWellknownUrlSuffix || WELL_KNOWN_SUFFIX;
           const configuredWellKnownEndpoint = authWellknownEndpointUrl.replace(wellKnownSuffix, "");
 
-          if (issuer !== configuredWellKnownEndpoint && issuer !== `${configuredWellKnownEndpoint}/`) {
+          if (!config.strictIssuerValidationOnWellKnownRetrievalOff && issuer !== configuredWellKnownEndpoint && issuer !== `${configuredWellKnownEndpoint}/`) {
             const errorMessage = `Issuer mismatch. Well known issuer ${wellKnownEndpoints.issuer} does not match configured well known url ${authWellknownEndpointUrl}`;
 
             this.loggerService.logError(config, errorMessage);

projects/angular-auth-oidc-client/src/lib/config/default-config.ts

@@ -28,6 +28,7 @@ export const DEFAULT_CONFIG: OpenIdConfiguration = {
   triggerAuthorizationResultEvent: false,
   logLevel: LogLevel.Warn,
   issValidationOff: false,
+  strictIssuerValidationOnWellKnownRetrievalOff: false,
   historyCleanupOff: false,
   maxIdTokenIatOffsetAllowedInSeconds: 120,
   disableIatOffsetValidation: false,

projects/angular-auth-oidc-client/src/lib/config/openid-configuration.ts

@@ -132,6 +132,8 @@ export interface OpenIdConfiguration {
   logLevel?: LogLevel;
   /** Make it possible to turn off the iss validation per configuration. **You should not turn this off!** */
   issValidationOff?: boolean;
+  /** Skip validation of issuer against well-known url */
+  strictIssuerValidationOnWellKnownRetrievalOff?: boolean;
   /**
    * If this is active, the history is not cleaned up on an authorize callback.
    * This can be used when the application needs to preserve the history.