
docs: clarify OIDC_ISSUER must not have a trailing slash

A trailing slash in OIDC_ISSUER causes two silent failures:
1. The discovery request to /.well-known/openid-configuration gets
   a double slash in the URL, which may result in a 404.
2. The iss claim in the returned JWT (e.g. https://auth.example.com)
   does not match the configured issuer (https://auth.example.com/),
   causing token validation to fail with a 401 Unauthorized error.

This is a non-obvious gotcha that is hard to debug since Ghostfolio
does not surface the underlying iss mismatch error to the user.

Ref: https://github.com/ghostfolio/ghostfolio/discussions/4427
Branch: pull/6413/head
Author: ouam, 1 day ago
Commit: c2830be0b9
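To make the two failures in the commit message concrete, here is an added preflight check for an `OIDC_ISSUER` value. It is example code written for this page, not Ghostfolio's own code: the function names (`buildDiscoveryUrl`, `naiveDiscoveryUrl`, `diagnoseIssuer`, `decodeJwtPayload`), the sample discovery document and the unsigned sample token are all constructed for illustration. It shows the double slash a non-normalizing client produces, the slash-stripping that OpenID Connect Discovery 1.0 (section 4.1) actually prescribes, and the exact-string `iss` comparison that turns `https://auth.example.com/` into a rejected token.

```typescript
// Added example (not Ghostfolio code): preflight check for an OIDC_ISSUER value.
// All names, the discovery document and the token below are constructed for illustration.

interface IssuerDiagnosis {
  ok: boolean;
  problems: string[];
}

// OpenID Connect Discovery 1.0 section 4.1: any terminating "/" on the issuer is
// removed before "/.well-known/openid-configuration" is appended.
function buildDiscoveryUrl(issuer: string): string {
  return issuer.replace(/\/+$/, "") + "/.well-known/openid-configuration";
}

// Plain concatenation, as a client that does not normalize would do it. With a
// trailing slash this yields "//" in the path, which some servers answer with 404.
function naiveDiscoveryUrl(issuer: string): string {
  return `${issuer}/.well-known/openid-configuration`;
}

function base64UrlJson(value: unknown): string {
  return Buffer.from(JSON.stringify(value), "utf8").toString("base64url");
}

// Constructed, unsigned sample ID token (alg "none", empty signature segment). It exists
// only so the iss comparison can be shown offline; a real client must never accept it.
function sampleIdToken(iss: string): string {
  const header = base64UrlJson({ alg: "none", typ: "JWT" });
  const payload = base64UrlJson({ iss, sub: "user-123", aud: "ghostfolio" });
  return `${header}.${payload}.`;
}

// Read the payload of a compact JWS without verifying it. Used here only to diagnose
// the mismatch; real validation verifies the signature before trusting any claim.
function decodeJwtPayload(jwt: string): Record<string, unknown> {
  const parts = jwt.split(".");
  if (parts.length !== 3) {
    throw new Error("not a compact JWS (expected header.payload.signature)");
  }
  return JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
}

// Compare the configured issuer with the provider's published issuer and, if a token is
// at hand, with its iss claim. Both are exact string comparisons (OpenID Connect Core 1.0
// section 3.1.3.7), so "https://x" and "https://x/" are different issuers.
function diagnoseIssuer(
  configured: string,
  discoveredIssuer: string,
  idToken?: string,
): IssuerDiagnosis {
  const problems: string[] = [];
  const slashOnly = (a: string, b: string): boolean =>
    a !== b && a.replace(/\/+$/, "") === b.replace(/\/+$/, "");

  if (configured !== discoveredIssuer) {
    problems.push(
      `OIDC_ISSUER "${configured}" != discovery document issuer "${discoveredIssuer}"` +
        (slashOnly(configured, discoveredIssuer) ? " (differs only by a trailing slash)" : ""),
    );
  }
  if (idToken !== undefined) {
    const iss = decodeJwtPayload(idToken).iss;
    if (iss !== configured) {
      problems.push(
        `token iss "${String(iss)}" != OIDC_ISSUER "${configured}"` +
          (typeof iss === "string" && slashOnly(configured, iss) ? " (differs only by a trailing slash)" : "") +
          "; issuer validation of the token fails",
      );
    }
  }
  return { ok: problems.length === 0, problems };
}

// Constructed discovery document in the shape a provider serves at the well-known URL.
const SAMPLE_DISCOVERY = {
  issuer: "https://auth.example.com",
  authorization_endpoint: "https://auth.example.com/authorize",
  token_endpoint: "https://auth.example.com/oauth/token",
  jwks_uri: "https://auth.example.com/.well-known/jwks.json",
};

// Runs the check once with a trailing slash and once without; returns both diagnoses.
function demo(): IssuerDiagnosis[] {
  const token = sampleIdToken(SAMPLE_DISCOVERY.issuer);
  const withSlash = diagnoseIssuer("https://auth.example.com/", SAMPLE_DISCOVERY.issuer, token);
  const withoutSlash = diagnoseIssuer("https://auth.example.com", SAMPLE_DISCOVERY.issuer, token);
  console.log("naive URL   :", naiveDiscoveryUrl("https://auth.example.com/"));
  console.log("spec URL    :", buildDiscoveryUrl("https://auth.example.com/"));
  console.log("with slash  :", withSlash.ok ? "OK" : withSlash.problems.join("\n              "));
  console.log("without     :", withoutSlash.ok ? "OK" : withoutSlash.problems.join("\n              "));
  return [withSlash, withoutSlash];
}

demo();
```

In a deployment the discovery document comes from the provider rather than from the constant above; the check that matters is that `OIDC_ISSUER` equals the `issuer` field of that document byte for byte, since that is the value the provider will put into `iss`.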
README.md

@ -115,7 +115,7 @@ We provide official container images hosted on [Docker Hub](https://hub.docker.c
| `OIDC_CALLBACK_URL` | `string` (optional) | `${ROOT_URL}/api/auth/oidc/callback` | The OIDC callback URL | | `OIDC_CALLBACK_URL` | `string` (optional) | `${ROOT_URL}/api/auth/oidc/callback` | The OIDC callback URL |
| `OIDC_CLIENT_ID` | `string` | | The OIDC client ID | | `OIDC_CLIENT_ID` | `string` | | The OIDC client ID |
| `OIDC_CLIENT_SECRET` | `string` | | The OIDC client secret | | `OIDC_CLIENT_SECRET` | `string` | | The OIDC client secret |
| `OIDC_ISSUER` | `string` | | The OIDC issuer URL, used to discover the OIDC configuration via `/.well-known/openid-configuration` | | `OIDC_ISSUER` | `string` | | The OIDC issuer URL, used to discover the OIDC configuration via `/.well-known/openid-configuration`. Must **not** include a trailing slash (e.g. `https://auth.example.com`, not `https://auth.example.com/`) — a trailing slash breaks discovery and `iss` claim validation. |
| `OIDC_SCOPE` | `string[]` (optional) | `["openid"]` | The OIDC scope to request, e.g. `["email","openid","profile"]` | | `OIDC_SCOPE` | `string[]` (optional) | `["openid"]` | The OIDC scope to request, e.g. `["email","openid","profile"]` |
| `OIDC_TOKEN_URL` | `string` (optional) | | Manual override for the OIDC token endpoint (falls back to the discovery from the issuer) | | `OIDC_TOKEN_URL` | `string` (optional) | | Manual override for the OIDC token endpoint (falls back to the discovery from the issuer) |
| `OIDC_USER_INFO_URL` | `string` (optional) | | Manual override for the OIDC user info endpoint (falls back to the discovery from the issuer) | | `OIDC_USER_INFO_URL` | `string` (optional) | | Manual override for the OIDC user info endpoint (falls back to the discovery from the issuer) |
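Review bot: the new sentence in the `OIDC_ISSUER` row turns a provider-specific symptom into a blanket rule ("Must **not** include a trailing slash"), and that rule is wrong for providers whose published `issuer` value ends in a slash. Both failures described in the commit come from `OIDC_ISSUER` not being identical to the provider's issuer: OpenID Connect Core requires the `iss` claim to equal the configured issuer as an exact string, so for such a provider stripping the slash causes the same 401 in the other direction. Suggest stating the actual requirement, e.g. `Must exactly match the `issuer` value in the provider's discovery document, including whether or not it ends with a slash; most providers publish it without one (e.g. `https://auth.example.com`, not `https://auth.example.com/`).` A reader can look the value up with `curl -s https://auth.example.com/.well-known/openid-configuration | jq -r .issuer`. Also, "breaks discovery" depends on the client library, since the Discovery spec has clients strip a terminating slash before appending the well-known path; "may break discovery" is the defensible wording, and the em-dash is out of step with the rest of the table's plain punctuation.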
