I just started coding against the test environment for Signicat and ran into an issue because my OIDC library refuses to configure using the configuration at https://login.signicat.io/.well-known/openid-configuration and https://login-test.signicat.io/.well-known/openid-configuration .
The reason for this is that the issuer field in the configuration lists https://login.idfy.no/ as the issuer, which is different from https://login-test.signicat.io. This is a violation of the OIDC Discovery specification: https://openid.net/specs/openid-connect-discovery-1_0.html#rfc.section.4.3 that states
"The issuer value returned MUST be identical to the Issuer URL that was directly used to retrieve the configuration information. This MUST also be identical to the iss Claim value in ID Tokens issued from this Issuer."
On https://preprod.signicat.com/oidc/.well-known/openid-configuration and https://id.signicat.com/oidc/.well-known/openid-configuration correct issuer values are provided. However, my understanding is that these endpoints are deprecated, and I can't generate clients for these from the Signicat dashboard.
So far I'm working around this by bypassing OIDC Discovery, but it would be nice if this was compliant so I could use standard libraries for this. For reference, the library I'm trying to use is https://github.com/coreos/go-oidc . There is an open issue about this on the library, https://github.com/coreos/go-oidc/issues/250 , where the library author recommends skipping discovery for non-compliant scenarios.
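The check that the library is enforcing, as an added stand-alone example (not code from the post or from go-oidc): derive the Issuer URL from the well-known URL the document was fetched from and require the document's `issuer` field to be identical to it, as section 4.3 of the Discovery spec demands. The discovery body is a constructed sample that mirrors the mismatch described above; the helper names are my own.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

const wellKnownPath = "/.well-known/openid-configuration"

// discoveryDoc keeps only the field the issuer check needs.
type discoveryDoc struct {
	Issuer string `json:"issuer"`
}

// IssuerFromWellKnown recovers the Issuer URL from the well-known URL that was
// used to fetch the configuration (Discovery section 4 appends the fixed path
// to the Issuer URL, so the inverse is to strip it again).
func IssuerFromWellKnown(wellKnownURL string) (string, error) {
	if !strings.HasSuffix(wellKnownURL, wellKnownPath) {
		return "", errors.New("discovery: URL does not end in " + wellKnownPath)
	}
	return strings.TrimSuffix(wellKnownURL, wellKnownPath), nil
}

// CheckIssuer parses a discovery document and returns an error unless its
// issuer value is byte-for-byte identical to the Issuer URL it was retrieved
// from. The comparison is deliberately strict: a different host, path or even
// a trailing slash is a mismatch, which is what a conforming library rejects.
func CheckIssuer(wellKnownURL string, body []byte) error {
	expected, err := IssuerFromWellKnown(wellKnownURL)
	if err != nil {
		return err
	}
	var doc discoveryDoc
	if err := json.Unmarshal(body, &doc); err != nil {
		return fmt.Errorf("discovery: invalid JSON: %w", err)
	}
	if doc.Issuer != expected {
		return fmt.Errorf("discovery: issuer %q does not match %q", doc.Issuer, expected)
	}
	return nil
}

func main() {
	// Constructed sample: document fetched from the test environment names a
	// different issuer, so the check fails exactly as the library does.
	body := []byte(`{"issuer":"https://login.idfy.no/"}`)
	fmt.Println(CheckIssuer("https://login-test.signicat.io"+wellKnownPath, body))
}
```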