fix: remove trailing slash from the issuer in oauth claims (#8028)

- Trim the ending slash '/' from the URL used in the OpenID Connect "well_known" endpoint and in the JWT tokens issued by Forgejo. - This makes it compliant with the OpenID specification. https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfig - Resolves #7941 Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/8028 Reviewed-by: Lucas <sclu1034@noreply.codeberg.org> Reviewed-by: Gusted <gusted@noreply.codeberg.org> Co-authored-by: jmaasing <jmaasing@noreply.codeberg.org> Co-committed-by: jmaasing <jmaasing@noreply.codeberg.org>
2025-10-13 04:32:27 +00:00 · 2025-06-10 20:46:17 +02:00 · 2025-06-10 20:46:17 +02:00 · 5391f43888
commit 5391f43888
parent 9b6e3b61cf
4 changed files with 20 additions and 4 deletions
--- a/routers/web/auth/oauth.go
+++ b/routers/web/auth/oauth.go
@ -225,7 +225,7 @@ func newAccessTokenResponse(ctx go_context.Context, grant *auth.OAuth2Grant, ser
 		idToken := &oauth2.OIDCToken{
 			RegisteredClaims: jwt.RegisteredClaims{
 				ExpiresAt: jwt.NewNumericDate(expirationDate.AsTime()),
-				Issuer:    setting.AppURL,
+				Issuer:    strings.TrimSuffix(setting.AppURL, "/"),
 				Audience:  []string{app.ClientID},
 				Subject:   fmt.Sprint(grant.UserID),
 			},
@ -409,7 +409,7 @@ func IntrospectOAuth(ctx *context.Context) {
 			if err == nil && app != nil {
 				response.Active = true
 				response.Scope = grant.Scope
-				response.Issuer = setting.AppURL
+				response.Issuer = strings.TrimSuffix(setting.AppURL, "/")
 				response.Audience = []string{app.ClientID}
 				response.Subject = fmt.Sprint(grant.UserID)
 			}
@ -669,6 +669,7 @@ func GrantApplicationOAuth(ctx *context.Context) {
 // OIDCWellKnown generates JSON so OIDC clients know Gitea's capabilities
 func OIDCWellKnown(ctx *context.Context) {
 	ctx.Data["SigningKey"] = oauth2.DefaultSigningKey
+	ctx.Data["Issuer"] = strings.TrimSuffix(setting.AppURL, "/")
 	ctx.JSONTemplate("user/auth/oidc_wellknown")
 }