From 0e154073d5ec5b8b197c5c67829dec4f80b30597 Mon Sep 17 00:00:00 2001
From: carrvo
Date: Thu, 28 Nov 2024 19:24:35 -0700
Subject: [PATCH] normalize issuer as a sanity check Inexperienced devs/users may not know whether to include a final slash (/) at the end of their issuer field in their metadata endpoint. Also, it seems some OIDC/OAuth modules may require there to NOT be a final slash (/) at the end of the issuer. This change is intended to make it less error prone overall.
---
 src/IndieAuth/Client.php | 2 +-
 tests/ClientTest.php | 8 ++++++++
 2 files changed, 9 insertions(+), 1 deletion(-)
diff --git a/src/IndieAuth/Client.php b/src/IndieAuth/Client.php
index 01eaa8e..638dacf 100644
--- a/src/IndieAuth/Client.php
+++ b/src/IndieAuth/Client.php
@@ -535,7 +535,7 @@ public static function validateIssuerMatch($params, $expected_issuer = '') {
 return new ErrorResponse('missing_iss', 'The authorization server did not return the iss parameter');
 }
 
- if ($params['iss'] !== $expected_issuer) {
+ if (self::normalizeMeURL($params['iss']) !== self::normalizeMeURL($expected_issuer)) {
 return new ErrorResponse('invalid_iss', 'The authorization server returned an invalid iss parameter');
 }
 }
diff --git a/tests/ClientTest.php b/tests/ClientTest.php
index 12ffe22..f207ba3 100644
--- a/tests/ClientTest.php
+++ b/tests/ClientTest.php
@@ -75,6 +75,14 @@ public function testValidateIssuer()
 $this->assertNull($response);
 }
 
+ public function testValidateIssuerNormalizes()
+ {
+ $expected_issuer = 'https://issuer.example.com';
+ $params = ['iss' => $expected_issuer];
+ $response = Client::validateIssuerMatch($params, $expected_issuer.'/');
+ $this->assertNull($response);
+ }
+
 public function testValidateIssuerMissing()
 {
 $expected_issuer = 'https://issuer.example.com/';
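Review bot: The `iss` check in validateIssuerMatch is now only as strict as `normalizeMeURL`, a helper named for profile URLs whose body is not visible in this hunk. RFC 9207 asks clients to compare `iss` with the metadata issuer by simple string comparison, since that exact match is what defends against authorization-server mix-up. If the helper rewrites more than a trailing slash (default scheme, case, path), or returns the same failure value for two unparseable inputs, distinct issuers could compare as equal. I would reject non-string input and relax only the slash, e.g. `if (!is_string($params['iss']) || rtrim($params['iss'], '/') !== rtrim($expected_issuer, '/')) {`. The function body starts and ends outside the hunk.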
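Review bot: testValidateIssuerNormalizes pins only the accepting direction (expected issuer with a trailing slash, `iss` without), so nothing in this hunk pins what must still be rejected once normalization is in the comparison. Unless tests outside the hunk already cover it, add a case where the two issuers differ in host or path and assert an `invalid_iss` ErrorResponse, plus the reverse slash direction. That keeps a later change to the normalizer from silently widening the match.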