From c2830be0b9f82f7941548e1282893259e1347b89 Mon Sep 17 00:00:00 2001 From: ouam Date: Sat, 28 Feb 2026 17:56:40 +0100 Subject: [PATCH] docs: clarify OIDC_ISSUER must not have a trailing slash A trailing slash in OIDC_ISSUER causes two silent failures: 1. The discovery request to /.well-known/openid-configuration gets a double slash in the URL, which may result in a 404. 2. The iss claim in the returned JWT (e.g. https://auth.example.com) does not match the configured issuer (https://auth.example.com/), causing token validation to fail with a 401 Unauthorized error. This is a non-obvious gotcha that is hard to debug since Ghostfolio does not surface the underlying iss mismatch error to the user. Ref: https://github.com/ghostfolio/ghostfolio/discussions/4427 --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 3be15e49f..5f5bcc8ac 100644 --- a/README.md +++ b/README.md 
@@ -115,7 +115,7 @@ We provide official container images hosted on [Docker Hub](https://hub.docker.c | `OIDC_CALLBACK_URL` | `string` (optional) | `${ROOT_URL}/api/auth/oidc/callback` | The OIDC callback URL | | `OIDC_CLIENT_ID` | `string` | | The OIDC client ID | | `OIDC_CLIENT_SECRET` | `string` | | The OIDC client secret | -| `OIDC_ISSUER` | `string` | | The OIDC issuer URL, used to discover the OIDC configuration via `/.well-known/openid-configuration` | +| `OIDC_ISSUER` | `string` | | The OIDC issuer URL, used to discover the OIDC configuration via `/.well-known/openid-configuration`. Must **not** include a trailing slash (e.g. `https://auth.example.com`, not `https://auth.example.com/`) — a trailing slash breaks discovery and `iss` claim validation. | | `OIDC_SCOPE` | `string[]` (optional) | `["openid"]` | The OIDC scope to request, e.g. `["email","openid","profile"]` | | `OIDC_TOKEN_URL` | `string` (optional) | | Manual override for the OIDC token endpoint (falls back to the discovery from the issuer) | | `OIDC_USER_INFO_URL` | `string` (optional) | | Manual override for the OIDC user info endpoint (falls back to the discovery from the issuer) |
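Review bot: the new wording in the `OIDC_ISSUER` row states the rule as a blanket "must not include a trailing slash", but the failure the commit message describes is an exact-string mismatch between the configured value and the `iss` claim the provider returns, so the accurate rule is that `OIDC_ISSUER` must match the provider's issuer value byte for byte (which for most providers means no trailing slash); a provider whose `iss` does end with a slash would need the slash kept. Suggest rewording along the lines of "Must exactly match the `iss` value your provider returns, which normally means no trailing slash (e.g. `https://auth.example.com`, not `https://auth.example.com/`); a mismatch breaks discovery and `iss` claim validation." The commit message also says Ghostfolio does not surface the `iss` mismatch, so a follow-up that logs the expected versus received issuer at validation time (or normalizes the discovery URL join so the double slash cannot occur) would make this gotcha self-diagnosing rather than relying on the README alone.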