Unnecessarily picky on openid issuer #1195
Reference: vikunja/vikunja#1195
Maybe that's intended, but this does not seem like a sensible distinction to me:
The problem is that this configuration depends on what the provider returns so we can't just always add a `/` at the end.

Can't it simply accept both?

Your provider might accept both, but as far as I understand it this is some sort of security measure to make sure the endpoint hasn't been tampered with. Basically Vikunja does a lookup to the provider's `.well-known` openid endpoint to get all URLs it needs to actually do the openid login. Included in that URL there's the issuer URL which Vikunja partly used to get the openid info from the provider in the first place. It then compares the two and errors out if they don't match.

I've looked briefly into changing it but there's no easy way to convince the library we're using to accept both. It's a lot easier to just change the configured value in Vikunja to match what the provider returns.
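
The issuer check described in the last comment, as an added Go sketch (not Vikunja's code and not the code of the library it uses). The host name, `stubProvider` and `CheckIssuer` are hypothetical, the discovery document is constructed sample data served by an in-process stub, and dropping a trailing slash when building the lookup URL is an assumption of this sketch.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"strings"
)

// stubProvider answers every request with a fixed discovery document, so the
// example runs offline. The document is constructed sample data.
type stubProvider struct{ issuer string }

func (s stubProvider) RoundTrip(r *http.Request) (*http.Response, error) {
	body, _ := json.Marshal(map[string]string{"issuer": s.issuer})
	return &http.Response{StatusCode: 200, Header: http.Header{}, Body: io.NopCloser(bytes.NewReader(body)), Request: r}, nil
}

// CheckIssuer fetches the discovery document for the configured issuer and
// requires the "issuer" value in it to be byte-for-byte identical.
func CheckIssuer(c *http.Client, configured string) error {
	// Assumption: the trailing slash is dropped for the lookup, so both
	// spellings reach the same document; only the comparison tells them apart.
	resp, err := c.Get(strings.TrimSuffix(configured, "/") + "/.well-known/openid-configuration")
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	var doc struct {
		Issuer string `json:"issuer"`
	}
	if err := json.NewDecoder(resp.Body).Decode(&doc); err != nil {
		return err
	}
	if doc.Issuer != configured {
		hint := ""
		if strings.TrimSuffix(doc.Issuer, "/") == strings.TrimSuffix(configured, "/") {
			hint = " (trailing slash only; configure the returned value)"
		}
		return fmt.Errorf("issuer mismatch: configured %q, provider returned %q%s", configured, doc.Issuer, hint)
	}
	return nil
}

func main() {
	c := &http.Client{Transport: stubProvider{issuer: "https://sso.example.test/realms/demo"}}
	fmt.Println(CheckIssuer(c, "https://sso.example.test/realms/demo"))
	fmt.Println(CheckIssuer(c, "https://sso.example.test/realms/demo/"))
}
```

The second call fails even though the lookup itself succeeds, which is why the fix is to copy the provider's returned `issuer` value into the configuration verbatim.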