fix: remove trailing slash from the issuer in oauth claims (#8028)

- Trim the ending slash '/' from the URL used in the OpenID Connect "well_known" endpoint and in the JWT tokens issued by Forgejo. - This makes it compliant with the OpenID specification. https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfig - Resolves #7941 Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/8028 Reviewed-by: Lucas <sclu1034@noreply.codeberg.org> Reviewed-by: Gusted <gusted@noreply.codeberg.org> Co-authored-by: jmaasing <jmaasing@noreply.codeberg.org> Co-committed-by: jmaasing <jmaasing@noreply.codeberg.org>
2025-06-25 18:40:51 +00:00 · 2025-06-10 20:46:17 +02:00 · 2025-06-10 20:46:17 +02:00 · 5391f43888
commit 5391f43888
parent 9b6e3b61cf
4 changed files with 20 additions and 4 deletions
--- a/tests/integration/oauth_test.go
+++ b/tests/integration/oauth_test.go
@ -632,6 +632,19 @@ func TestSignInOAuthCallbackPKCE(t *testing.T) {
 	})
 }

+func TestWellKnownDocumentIssuerDoesNotEndWithASlash(t *testing.T) {
+	defer tests.PrepareTestEnv(t)()
+	req := NewRequest(t, "GET", "/.well-known/openid-configuration")
+	resp := MakeRequest(t, req, http.StatusOK)
+	type response struct {
+		Issuer string `json:"issuer"`
+	}
+	parsed := new(response)
+
+	DecodeJSON(t, resp, parsed)
+	assert.Equal(t, strings.TrimSuffix(setting.AppURL, "/"), parsed.Issuer)
+}
+
 func TestSignInOAuthCallbackRedirectToEscaping(t *testing.T) {
 	defer tests.PrepareTestEnv(t)()

@ -697,7 +710,7 @@ func setupMockOIDCServer() *httptest.Server {
 		case "/.well-known/openid-configuration":
 			w.WriteHeader(http.StatusOK)
 			w.Write([]byte(`{
-				"issuer": "` + mockServer.URL + `",
+				"issuer": "` + strings.TrimSuffix(mockServer.URL, "/") + `",
 				"authorization_endpoint": "` + mockServer.URL + `/authorize",
 				"token_endpoint": "` + mockServer.URL + `/token",
 				"userinfo_endpoint": "` + mockServer.URL + `/userinfo"