Implement RFC 9207 issuer validation in ClientOAuthProvider#1605
Open
mikekistler wants to merge 1 commit into
Open
Implement RFC 9207 issuer validation in ClientOAuthProvider#1605mikekistler wants to merge 1 commit into
mikekistler wants to merge 1 commit into
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Implements SEP-2468 — RFC 9207 issuer (
iss) parameter validation in the OAuth authorization flow.Closes #1571
Changes
AuthorizationResult— New class that returns both the authorization code and the validated issuer URI from the authorization redirect.ClientOAuthProvider— Validates theissparameter in authorization responses per RFC 9207, and validates that the authorization server metadataissuerfield matches the expected URI per RFC 8414 Section 3.3.AuthorizationRedirectDelegate— Updated signature to returnAuthorizationResult(containing issuer) instead of just a string code.AuthorizationServerMetadata— AddedIssuerproperty.ClientOAuthOptions— Updated to accommodate the new authorization result type.AuthorizationResultreturn type.RFC 9207 Behavior
issparameter in the authorization response, the client validates it matches the expected authorization server issuer.issueris validated against the expected URI per RFC 8414 Section 3.3.Known Issue
The
auth/2025-03-26-oauth-metadata-backcompatconformance test currently fails because it expects the client to tolerate an issuer mismatch in legacy metadata discovery. This is an intentional strictness choice per RFC 8414 — we may need to relax validation for this specific backward-compatibility scenario depending on spec discussion.