Merge pull request #30944 from ericchiang/oidc-auth-provider-dont-trim-issuer

Automatic merge from submit-queue oidc auth provider: don't trim issuer URL This mirrors a similar side fix for the API server authenticator. Don't trim the issuer URL provided by the user since OpenID Connect mandates that this URL exactly matches the URL returned by the issuer during discovery. This change only impacts clients attempting to connect to providers that are non-spec compliant. No test updates since this is already tested by the go-oidc client package. See: https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationValidation Server side fix #29860 Updates #29749 cc @kubernetes/sig-auth @hanikesn
2025-08-01 07:47:56 +00:00 · 2016-08-19 15:48:46 -07:00 · 2016-08-19 15:48:46 -07:00 · 0341d3d358
commit 0341d3d358
parent 56045bbd6a 3d2ee4e7be
1 changed files with 1 additions and 1 deletions
--- a/plugin/pkg/client/auth/oidc/oidc.go
+++ b/plugin/pkg/client/auth/oidc/oidc.go
@ -97,7 +97,7 @@ func newOIDCAuthProvider(_ string, cfg map[string]string, persister restclient.A
 	}
 	hc := &http.Client{Transport: trans}

-	providerCfg, err := oidc.FetchProviderConfig(hc, strings.TrimSuffix(issuer, "/"))
+	providerCfg, err := oidc.FetchProviderConfig(hc, issuer)
 	if err != nil {
 		return nil, fmt.Errorf("error fetching provider config: %v", err)
 	}