From 3d2ee4e7bee8d760f9ce0c49be788fcc14ac2e8f Mon Sep 17 00:00:00 2001
From: Eric Chiang
Date: Thu, 18 Aug 2016 16:37:50 -0700
Subject: [PATCH] oidc auth provider: don't trim issuer URL This mirrors a similar side fix for the API server authenticator. Don't trim the issuer URL provided by the user since OpenID Connect mandates that this URL exactly matches the URL returned by the issuer during discovery. Not test updates since this is already tested by the go-oidc client package. See: https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationValidation
---
 plugin/pkg/client/auth/oidc/oidc.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/plugin/pkg/client/auth/oidc/oidc.go b/plugin/pkg/client/auth/oidc/oidc.go
index 690a452307f..155bb486733 100644
--- a/plugin/pkg/client/auth/oidc/oidc.go
+++ b/plugin/pkg/client/auth/oidc/oidc.go
@@ -97,7 +97,7 @@ func newOIDCAuthProvider(_ string, cfg map[string]string, persister restclient.A
 }
 hc := &http.Client{Transport: trans}
- providerCfg, err := oidc.FetchProviderConfig(hc, strings.TrimSuffix(issuer, "/"))
+ providerCfg, err := oidc.FetchProviderConfig(hc, issuer)
 if err != nil {
 return nil, fmt.Errorf("error fetching provider config: %v", err)
 }
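Review bot: The new `oidc.FetchProviderConfig(hc, issuer)` call relies on the configured issuer matching the provider's discovery document exactly, but nothing at the call site records that, so a later cleanup could reintroduce normalisation. A comment above the call would keep the reason visible, for example `// Do not normalize issuer: OIDC discovery requires an exact match with the provider's "issuer" value.` Configurations that only worked because the trailing slash was trimmed will presumably now fail here, and the error on the following line does not name the issuer; consider `return nil, fmt.Errorf("error fetching provider config for issuer %q: %v", issuer, err)`. The diffstat shows a single changed line, so if this was the file's only use of `strings` the import is now unused and the build would break; worth confirming. newOIDCAuthProvider begins and ends outside the hunk.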