ory · aeneasr · Jun 14, 2022 · Jun 14, 2022 · Jun 14, 2022 · Jun 14, 2022
diff --git a/driver/config/provider.go b/driver/config/provider.go
@@ -314,9 +314,7 @@ func (p *DefaultProvider) PublicURL(ctx context.Context) *url.URL {
 }
 
 func (p *DefaultProvider) IssuerURL(ctx context.Context) *url.URL {
-	issuerURL := p.getProvider(ctx).RequestURIF(KeyIssuerURL, p.fallbackURL(ctx, "/", p.host(PublicInterface), p.port(PublicInterface)))
-	issuerURL.Path = strings.TrimRight(issuerURL.Path, "/") + "/"
-	return urlRoot(issuerURL)
+	return p.getProvider(ctx).RequestURIF(KeyIssuerURL, p.fallbackURL(ctx, "/", p.host(PublicInterface), p.port(PublicInterface)))
 }
 
 func (p *DefaultProvider) OAuth2ClientRegistrationURL(ctx context.Context) *url.URL {

diff --git a/driver/config/provider_test.go b/driver/config/provider_test.go
@@ -153,7 +153,7 @@ func TestProviderIssuerURL(t *testing.T) {
 	l.Logrus().SetOutput(ioutil.Discard)
 	p := MustNew(context.Background(), l)
 	p.MustSet(ctx, KeyIssuerURL, "http://hydra.localhost")
-	assert.Equal(t, "http://hydra.localhost/", p.IssuerURL(ctx).String())
+	assert.Equal(t, "http://hydra.localhost", p.IssuerURL(ctx).String())
 
 	p2 := MustNew(context.Background(), l)
 	p2.MustSet(ctx, KeyIssuerURL, "http://hydra.localhost/")
@@ -168,7 +168,7 @@ func TestProviderIssuerPublicURL(t *testing.T) {
 	p.MustSet(ctx, KeyIssuerURL, "http://hydra.localhost")
 	p.MustSet(ctx, KeyPublicURL, "http://hydra.example")
 
-	assert.Equal(t, "http://hydra.localhost/", p.IssuerURL(ctx).String())
+	assert.Equal(t, "http://hydra.localhost", p.IssuerURL(ctx).String())
 	assert.Equal(t, "http://hydra.example/", p.PublicURL(ctx).String())
 	assert.Equal(t, "http://hydra.localhost/.well-known/jwks.json", p.JWKSURL(ctx).String())
 	assert.Equal(t, "http://hydra.example/oauth2/fallbacks/consent", p.ConsentURL(ctx).String())
@@ -179,7 +179,7 @@ func TestProviderIssuerPublicURL(t *testing.T) {
 	assert.Equal(t, "http://hydra.example/userinfo", p.OIDCDiscoveryUserinfoEndpoint(ctx).String())
 
 	p2 := MustNew(context.Background(), l)
-	p2.MustSet(ctx, KeyIssuerURL, "http://hydra.localhost")
+	p2.MustSet(ctx, KeyIssuerURL, "http://hydra.localhost/")
 	assert.Equal(t, "http://hydra.localhost/", p2.IssuerURL(ctx).String())
 	assert.Equal(t, "http://hydra.localhost/", p2.PublicURL(ctx).String())
 	assert.Equal(t, "http://hydra.localhost/.well-known/jwks.json", p2.JWKSURL(ctx).String())
@@ -282,7 +282,7 @@ func TestViperProviderValidates(t *testing.T) {
 	assert.Equal(t, []string{"whatever"}, c.DefaultClientScope(ctx))
 
 	// urls
-	assert.Equal(t, urlx.ParseOrPanic("https://issuer/"), c.IssuerURL(ctx))
+	assert.Equal(t, urlx.ParseOrPanic("https://issuer"), c.IssuerURL(ctx))
 	assert.Equal(t, urlx.ParseOrPanic("https://public/"), c.PublicURL(ctx))
 	assert.Equal(t, urlx.ParseOrPanic("https://login/"), c.LoginURL(ctx))
 	assert.Equal(t, urlx.ParseOrPanic("https://consent/"), c.ConsentURL(ctx))

diff --git a/oauth2/.snapshots/TestHandlerWellKnown-hsm_enabled=false.json b/oauth2/.snapshots/TestHandlerWellKnown-hsm_enabled=false.json
@@ -1,5 +1,5 @@
 {
-  "issuer": "http://hydra.localhost/",
+  "issuer": "http://hydra.localhost",
   "authorization_endpoint": "http://hydra.localhost/oauth2/auth",
   "registration_endpoint": "http://client-register/registration",
   "token_endpoint": "http://hydra.localhost/oauth2/token",

diff --git a/oauth2/.snapshots/TestHandlerWellKnown-hsm_enabled=true.json b/oauth2/.snapshots/TestHandlerWellKnown-hsm_enabled=true.json
@@ -1,5 +1,5 @@
 {
-  "issuer": "http://hydra.localhost/",
+  "issuer": "http://hydra.localhost",
   "authorization_endpoint": "http://hydra.localhost/oauth2/auth",
   "registration_endpoint": "http://client-register/registration",
   "token_endpoint": "http://hydra.localhost/oauth2/token",

diff --git a/oauth2/handler.go b/oauth2/handler.go
@@ -237,7 +237,7 @@ func (h *Handler) WellKnownHandler(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 	h.r.Writer().Write(w, r, &WellKnown{
-		Issuer:                                 strings.TrimRight(h.c.IssuerURL(r.Context()).String(), "/") + "/",
+		Issuer:                                 h.c.IssuerURL(r.Context()).String(),
 		AuthURL:                                h.c.OAuth2AuthURL(r.Context()).String(),
 		TokenURL:                               h.c.OAuth2TokenURL(r.Context()).String(),
 		JWKsURI:                                h.c.JWKSURL(r.Context()).String(),
@@ -506,7 +506,7 @@ func (h *Handler) IntrospectHandler(w http.ResponseWriter, r *http.Request, _ ht
 		Username:          session.GetUsername(),
 		Extra:             session.Extra,
 		Audience:          audience,
-		Issuer:            strings.TrimRight(h.c.IssuerURL(ctx).String(), "/") + "/",
+		Issuer:            h.c.IssuerURL(ctx).String(),
 		ObfuscatedSubject: obfuscated,
 		TokenType:         resp.GetAccessTokenType(),
 		TokenUse:          string(resp.GetTokenUse()),
@@ -616,7 +616,7 @@ func (h *Handler) TokenHandler(w http.ResponseWriter, r *http.Request) {
 		}
 		session.ClientID = accessRequest.GetClient().GetID()
 		session.KID = accessTokenKeyID
-		session.DefaultSession.Claims.Issuer = strings.TrimRight(h.c.IssuerURL(r.Context()).String(), "/") + "/"
+		session.DefaultSession.Claims.Issuer = h.c.IssuerURL(r.Context()).String()
 		session.DefaultSession.Claims.IssuedAt = time.Now().UTC()
 
 		var scopes = accessRequest.GetRequestedScopes()
@@ -749,9 +749,8 @@ func (h *Handler) AuthHandler(w http.ResponseWriter, r *http.Request, _ httprout
 
 	authorizeRequest.SetID(session.ID)
 	claims := &jwt.IDTokenClaims{
-		Subject: obfuscatedSubject,
-		Issuer:  strings.TrimRight(h.c.IssuerURL(ctx).String(), "/") + "/",
-
+		Subject:                             obfuscatedSubject,
+		Issuer:                              h.c.IssuerURL(ctx).String(),
 		AuthTime:                            time.Time(session.AuthenticatedAt),
 		RequestedAt:                         session.RequestedAt,
 		Extra:                               session.Session.IDToken,

diff --git a/oauth2/introspector_test.go b/oauth2/introspector_test.go
@@ -137,7 +137,7 @@ func TestIntrospectorSDK(t *testing.T) {
 					assert.Equal(t, "alice", c.Sub)
 					assert.Equal(t, now.Add(time.Hour).Unix(), c.Exp, "expires at")
 					assert.Equal(t, now.Unix(), c.Iat, "issued at")
-					assert.Equal(t, "https://foobariss/", c.Iss, "issuer")
+					assert.Equal(t, "https://foobariss", c.Iss, "issuer")
 					assert.Equal(t, map[string]interface{}{"foo": "bar"}, c.Ext)
 				},
 			},
@@ -151,7 +151,7 @@ func TestIntrospectorSDK(t *testing.T) {
 					assert.Equal(t, "alice", c.Sub)
 					assert.Equal(t, now.Add(time.Hour).Unix(), c.Exp, "expires at")
 					assert.Equal(t, now.Unix(), c.Iat, "issued at")
-					assert.Equal(t, "https://foobariss/", c.Iss, "issuer")
+					assert.Equal(t, "https://foobariss", c.Iss, "issuer")
 					assert.Equal(t, map[string]interface{}{"foo": "bar"}, c.Ext)
 				},
 			},

diff --git a/test/e2e/circle-ci.bash b/test/e2e/circle-ci.bash
@@ -37,7 +37,7 @@ fi
 # Install consent app
 (cd oauth2-client; PORT=5002 HYDRA_ADMIN_URL=http://127.0.0.1:5001 npm run consent > ../login-consent-logout.e2e.log 2>&1 &)
 
-export URLS_SELF_ISSUER=http://127.0.0.1:5004
+export URLS_SELF_ISSUER=http://127.0.0.1:5004/
 export URLS_CONSENT=http://127.0.0.1:5002/consent
 export URLS_LOGIN=http://127.0.0.1:5002/login
 export URLS_LOGOUT=http://127.0.0.1:5002/logout

diff --git a/test/e2e/docker-compose.yml b/test/e2e/docker-compose.yml
@@ -12,7 +12,7 @@ services:
     command:
       serve all --dangerous-force-http
     environment:
-      - URLS_SELF_ISSUER=http://127_0_0_1:5004
+      - URLS_SELF_ISSUER=http://127_0_0_1:5004/
       - URLS_CONSENT=http://127_0_0_1:5002/consent
       - URLS_LOGIN=http://127_0_0_1:5002/login
       - URLS_LOGOUT=http://127_0_0_1:5002/logout

diff --git a/test/e2e/oauth2-client/src/index.js b/test/e2e/oauth2-client/src/index.js
@@ -401,17 +401,10 @@ app.post('/openid/session/end/bc', (req, res) => {
     cache: false
   })
 
-  console.log({ logout_token: req.body.logout_token })
-
   jwt.verify(
     req.body.logout_token,
     (header, callback) => {
       client.getSigningKey(header.kid, (err, key) => {
-        console.log({
-          err,
-          header,
-          key
-        })
         if (err) {
           console.error(err)
           res.sendStatus(400)
@@ -454,22 +447,14 @@ app.post('/openid/session/end/bc', (req, res) => {
 
 app.get('/openid/session/check', async (req, res) => {
   const { openid_claims: { sid = '' } = {} } = req.session
-  console.log({ session: req.session, blacklistedSid })
 
   if (blacklistedSid.indexOf(sid) > -1) {
-    console.log('BLACKLISTED', { session: req.session, blacklistedSid })
     req.session.destroy(() => {
       res.json({ has_session: false })
     })
     return
   }
 
-  console.log(
-    'BLACKLISTED',
-    req.session.oauth2_flow,
-    Boolean(req.session.openid_token),
-    Boolean(req.session.openid_claims)
-  )
   res.json({
     has_session:
       Boolean(req.session.oauth2_flow) ||