ubicloud/clover.rb
Jeremy Evans 68ac6122b6 Handle OIDC providers where issuer includes a path
This would previously not work correctly. If you did not include
the path in OidcProvider#url, the issuer check would break. If you
did include the path in OidcProvider#url, the CSP wouldn't allow
the form submission, since it would go to the issuer URL and not
the authorization endpoint URL.

In OidcProvider.register, always use the issuer specified in the
OIDC configuration. Also, allow the /.well-known/openid-configuration
in subpaths and not just the top level. Have the url argument to
the method accept a path that already ends with
/.well-known/openid-configuration, and use it directly if so.

In the CSP, remove the path, so it will allow all paths for the
domain.
2025-08-01 04:44:02 +09:00
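
The three behaviours the commit message describes, as an added Ruby sketch that is not Ubicloud's code: building the discovery URL for an issuer with a path, taking the issuer from the fetched configuration, and reducing a URL to a path-less CSP source. The helper names, the constructed sample configuration, and the exact-match issuer check (the rule from OpenID Connect Discovery) are assumptions.

```ruby
require "uri"

WELL_KNOWN = "/.well-known/openid-configuration"

# Hypothetical helper: accept a bare origin, an issuer with a path, or a URL
# that already ends with the well-known suffix (used directly in that case).
def discovery_url(url)
  url = url.chomp("/")
  url.end_with?(WELL_KNOWN) ? url : url + WELL_KNOWN
end

# Take the issuer from the configuration itself, and require that the
# configuration was fetched from the location that issuer implies.
def issuer_from_config(config, fetched_from)
  issuer = config.fetch("issuer")
  unless discovery_url(issuer) == fetched_from
    raise ArgumentError, "issuer #{issuer.inspect} does not match #{fetched_from}"
  end
  issuer
end

# CSP source without a path: scheme, host and non-default port only,
# so every path on that host is allowed as a form-action target.
def csp_source(url)
  uri = URI.parse(url)
  raise ArgumentError, "provider URL must be https" unless uri.is_a?(URI::HTTPS)
  source = "https://#{uri.host}"
  source += ":#{uri.port}" unless uri.port == uri.default_port
  source
end

# Constructed sample: a provider whose issuer includes a path.
SAMPLE_CONFIG = {
  "issuer" => "https://idp.example.com/realms/acme",
  "authorization_endpoint" => "https://idp.example.com/realms/acme/protocol/openid-connect/auth"
}.freeze

# Assumes the authorization endpoint is on the same host as the issuer.
def register_sample(url)
  fetched_from = discovery_url(url)
  issuer = issuer_from_config(SAMPLE_CONFIG, fetched_from)
  {issuer: issuer, form_action: csp_source(issuer)}
end
```
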
