Fix OIDC well-known discovery for subdirectories (#9540)

* Fix OIDC well-known discovery for subdirectories - Fix URL construction in fetchOIDCConfiguration to properly handle issuer URLs with subdirectories - Replace incorrect use of new URL() constructor that was treating well-known path as absolute - Add proper path concatenation that preserves subdirectories in issuer URLs - Add comprehensive test cases for subdirectory scenarios - Fixes issue where https://auth.example.com/application/o/outline/ would incorrectly resolve to https://auth.example.com/.well-known/openid-configuration instead of https://auth.example.com/application/o/outline/.well-known/openid-configuration Fixes #9535 * Refactor to use wellKnownPath variable instead of hardcoded path - Use wellKnownPath.substring(1) to remove leading slash when appending to pathname - Eliminates duplication of the .well-known/openid-configuration path - Improves maintainability by using the existing variable consistently * Simplify logic by checking pathname does not end with slash - If pathname doesn't end with slash, append full wellKnownPath (with leading slash) - If pathname ends with slash, append wellKnownPath without leading slash - Eliminates need for substring() by using the slash logic more elegantly --------- Co-authored-by: codegen-sh[bot] <131295404+codegen-sh[bot]@users.noreply.github.com>
2026-05-06 10:00:20 -05:00 · 2025-07-04 08:01:55 -04:00
parent d57c991d06
commit 3fd09ca0bf
2 changed files with 98 additions and 3 deletions
@@ -97,4 +97,84 @@ describe("fetchOIDCConfiguration", () => {
      "Missing authorization_endpoint in OIDC configuration"
    );
  });
+
+  it("should handle issuer URL with subdirectory path", async () => {
+    const mockConfig = {
+      issuer: "https://auth.example.com/application/o/outline/",
+      authorization_endpoint:
+        "https://auth.example.com/application/o/outline/auth",
+      token_endpoint: "https://auth.example.com/application/o/outline/token",
+      userinfo_endpoint:
+        "https://auth.example.com/application/o/outline/userinfo",
+    };
+
+    fetchMock.mockResponseOnce(JSON.stringify(mockConfig));
+
+    const result = await fetchOIDCConfiguration(
+      "https://auth.example.com/application/o/outline/"
+    );
+
+    expect(fetchMock).toHaveBeenCalledWith(
+      "https://auth.example.com/application/o/outline/.well-known/openid-configuration",
+      expect.objectContaining({
+        method: "GET",
+        headers: expect.objectContaining({
+          Accept: "application/json",
+        }),
+      })
+    );
+
+    expect(result).toEqual(mockConfig);
+  });
+
+  it("should handle issuer URL with subdirectory path without trailing slash", async () => {
+    const mockConfig = {
+      issuer: "https://auth.example.com/application/o/outline",
+      authorization_endpoint:
+        "https://auth.example.com/application/o/outline/auth",
+      token_endpoint: "https://auth.example.com/application/o/outline/token",
+      userinfo_endpoint:
+        "https://auth.example.com/application/o/outline/userinfo",
+    };
+
+    fetchMock.mockResponseOnce(JSON.stringify(mockConfig));
+
+    const result = await fetchOIDCConfiguration(
+      "https://auth.example.com/application/o/outline"
+    );
+
+    expect(fetchMock).toHaveBeenCalledWith(
+      "https://auth.example.com/application/o/outline/.well-known/openid-configuration",
+      expect.objectContaining({
+        method: "GET",
+        headers: expect.objectContaining({
+          Accept: "application/json",
+        }),
+      })
+    );
+
+    expect(result).toEqual(mockConfig);
+  });
+
+  it("should handle issuer URL that already contains well-known path", async () => {
+    const mockConfig = {
+      issuer: "https://example.com",
+      authorization_endpoint: "https://example.com/auth",
+      token_endpoint: "https://example.com/token",
+      userinfo_endpoint: "https://example.com/userinfo",
+    };
+
+    fetchMock.mockResponseOnce(JSON.stringify(mockConfig));
+
+    const result = await fetchOIDCConfiguration(
+      "https://example.com/.well-known/openid-configuration"
+    );
+
+    expect(fetchMock).toHaveBeenCalledWith(
+      "https://example.com/.well-known/openid-configuration",
+      expect.any(Object)
+    );
+
+    expect(result).toEqual(mockConfig);
+  });
 });
@@ -25,9 +25,24 @@ export async function fetchOIDCConfiguration(
 ): Promise<OIDCConfiguration> {
  try {
    const wellKnownPath = "/.well-known/openid-configuration";
-    const wellKnownUrl = issuerUrl.includes(wellKnownPath)
-      ? issuerUrl
-      : new URL(wellKnownPath, issuerUrl).toString();
+
+    let wellKnownUrl: string;
+
+    // If the issuer URL already includes the well-known path, use it as-is
+    if (issuerUrl.includes(wellKnownPath)) {
+      wellKnownUrl = issuerUrl;
+    } else {
+      // Properly append well-known path to the issuer URL path
+      const url = new URL(issuerUrl);
+      // If pathname doesn't end with slash, append the full wellKnownPath (with leading slash)
+      if (!url.pathname.endsWith("/")) {
+        url.pathname += wellKnownPath;
+      } else {
+        // If pathname ends with slash, append wellKnownPath without leading slash
+        url.pathname += wellKnownPath.substring(1);
+      }
+      wellKnownUrl = url.toString();
+    }

    Logger.info("plugins", `Fetching OIDC configuration from ${wellKnownUrl}`);