Verify JWT issuer constraint against the issuer url
maxtropets opened this issue · comments
In #5809 an issuer constraint has been added to match the issuer against the token.iss.
However, the issuer url and the issuer constraint might differ:
- For AAD, the issuer url might be https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration, but the constraint in the file is https://login.microsoftonline.com/{tenantid}/v2.0, meaning that we probably should check the domain.
- However, https://limited.facebook.com/.well-known/openid-configuration/ has the issuer constraint https://www.facebook.com, so probably we have to check the subdomain.
It's up to this ticket to make further investigation and decide how to proceed.
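To make the two cases in the issue concrete, here is an added example (not code from the project or the issue author) that classifies how an issuer constraint relates to the discovery URL it was fetched from: an exact host match (the AAD case) versus a match only on the registrable domain (the Facebook case) versus an unrelated host. The `registrable_domain` heuristic of "last two labels" is an assumption for illustration; a real check would consult the Public Suffix List, since suffixes such as `co.uk` have more labels. The sample pairs are the URLs quoted in the issue.

```python
from urllib.parse import urlparse

# Sample (discovery URL, issuer constraint) pairs, taken from the issue text
SAMPLES = {
    "aad": (
        "https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration",
        "https://login.microsoftonline.com/{tenantid}/v2.0",
    ),
    "facebook": (
        "https://limited.facebook.com/.well-known/openid-configuration/",
        "https://www.facebook.com",
    ),
}


def host_of(url: str) -> str:
    """Lower-cased host part of an https URL (no port, no userinfo, no path)."""
    parsed = urlparse(url)
    if parsed.scheme != "https" or not parsed.hostname:
        raise ValueError(f"expected an https URL with a host: {url!r}")
    return parsed.hostname.lower()


def registrable_domain(host: str) -> str:
    """Crude 'last two labels' heuristic (assumption for illustration only).
    A production check should use the Public Suffix List instead."""
    labels = host.split(".")
    if len(labels) < 2:
        raise ValueError(f"not a dotted host name: {host!r}")
    return ".".join(labels[-2:])


def classify(issuer_url: str, constraint: str) -> str:
    """How the constraint's host relates to the discovery URL's host.

    'exact-host'  : same host, a strict host comparison would pass (AAD case)
    'same-domain' : different host, same registrable domain (Facebook case)
    'mismatch'    : unrelated hosts; the constraint should be rejected
    """
    iss_host = host_of(issuer_url)
    con_host = host_of(constraint)
    if iss_host == con_host:
        return "exact-host"
    if registrable_domain(iss_host) == registrable_domain(con_host):
        return "same-domain"
    return "mismatch"


if __name__ == "__main__":
    for name, (url, constraint) in SAMPLES.items():
        print(f"{name}: {classify(url, constraint)}")
```

Whatever policy the ticket settles on, the comparison here is only about accepting the constraint at configuration time; the constraint itself still has to match `token.iss` exactly when a token is verified, as introduced in #5809. Rejecting non-https schemes in `host_of` is deliberate, since an issuer reachable over plain http should not be trusted to vouch for anything.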