Check Issuer on Config Load

README.md

@@ -117,7 +117,7 @@ init(_Args) ->
 ```elixir
 {:ok, _pid} =
   Oidcc.ProviderConfiguration.Worker.start_link(%{
-  issuer: "https://accounts.google.com/",
+  issuer: "https://accounts.google.com",
   name: Myapp.OidccConfigProvider
 })
 ```

lib/oidcc.ex

@@ -6,14 +6,14 @@ defmodule Oidcc do
 
       {:ok, _pid} =
         Oidcc.ProviderConfiguration.Worker.start_link(%{
-        issuer: "https://accounts.google.com/",
+        issuer: "https://accounts.google.com",
         name: MyApp.GoogleConfigProvider
       })
 
   or via a supervisor
 
       Supervisor.init([
-        {Oidcc.ProviderConfiguration.Worker, %{issuer: "https://accounts.google.com/"}}
+        {Oidcc.ProviderConfiguration.Worker, %{issuer: "https://accounts.google.com"}}
       ], strategy: :one_for_one)
 
   ## Global Configuration
@@ -30,7 +30,7 @@ defmodule Oidcc do
 
       iex> {:ok, pid} =
       ...>   Oidcc.ProviderConfiguration.Worker.start_link(%{
-      ...>   issuer: "https://accounts.google.com/"
+      ...>   issuer: "https://accounts.google.com"
       ...> })
       ...>
       ...> {:ok, _redirect_uri} =
@@ -65,7 +65,7 @@ defmodule Oidcc do
 
       iex> {:ok, pid} =
       ...>   Oidcc.ProviderConfiguration.Worker.start_link(%{
-      ...>     issuer: "https://login.yahoo.com"
+      ...>     issuer: "https://api.login.yahoo.com"
       ...>   })
       ...>
       ...> # Get auth_code fromm redirect
@@ -108,7 +108,7 @@ defmodule Oidcc do
 
       iex> {:ok, pid} =
       ...>   Oidcc.ProviderConfiguration.Worker.start_link(%{
-      ...>     issuer: "https://login.yahoo.com"
+      ...>     issuer: "https://api.login.yahoo.com"
       ...>   })
       ...>
       ...> # Get refresh_token fromm redirect
@@ -164,7 +164,7 @@ defmodule Oidcc do
 
       iex> {:ok, pid} =
       ...>   Oidcc.ProviderConfiguration.Worker.start_link(%{
-      ...>     issuer: "https://login.yahoo.com"
+      ...>     issuer: "https://api.login.yahoo.com"
       ...>   })
       ...>
       ...> Oidcc.introspect_token(
@@ -218,7 +218,7 @@ defmodule Oidcc do
 
       iex> {:ok, pid} =
       ...>   Oidcc.ProviderConfiguration.Worker.start_link(%{
-      ...>     issuer: "https://login.yahoo.com"
+      ...>     issuer: "https://api.login.yahoo.com"
       ...>   })
       ...>
       ...> # Get access_token from Oidcc.Token.retrieve/3

lib/oidcc/authorization.ex

@@ -16,7 +16,7 @@ defmodule Oidcc.Authorization do
 
       iex> {:ok, pid} =
       ...>   Oidcc.ProviderConfiguration.Worker.start_link(%{
-      ...>     issuer: "https://accounts.google.com/"
+      ...>     issuer: "https://accounts.google.com"
       ...>   })
       ...>
       ...> {:ok, client_context} =

lib/oidcc/client_context.ex

@@ -31,7 +31,7 @@ defmodule Oidcc.ClientContext do
 
       iex> {:ok, pid} =
       ...>   Oidcc.ProviderConfiguration.Worker.start_link(%{
-      ...>   issuer: "https://accounts.google.com/",
+      ...>   issuer: "https://accounts.google.com",
       ...>   name: __MODULE__.GoogleConfigProvider
       ...> })
       ...>

lib/oidcc/provider_configuration/worker.ex

@@ -8,7 +8,7 @@ defmodule Oidcc.ProviderConfiguration.Worker do
 
   ```elixir
   Supervisor.init([
-    {Oidcc.ProviderConfiguration.Worker, %{issuer: "https://accounts.google.com/"}}
+    {Oidcc.ProviderConfiguration.Worker, %{issuer: "https://accounts.google.com"}}
   ], strategy: :one_for_one)
   ```
   """
@@ -33,7 +33,7 @@ defmodule Oidcc.ProviderConfiguration.Worker do
 
       iex> {:ok, _pid} =
       ...>   Oidcc.ProviderConfiguration.Worker.start_link(%{
-      ...>   issuer: "https://accounts.google.com/",
+      ...>   issuer: "https://accounts.google.com",
       ...>   name: __MODULE__.GoogleConfigProvider
       ...> })
   """
@@ -64,7 +64,7 @@ defmodule Oidcc.ProviderConfiguration.Worker do
 
       iex> {:ok, pid} =
       ...>   Oidcc.ProviderConfiguration.Worker.start_link(%{
-      ...>   issuer: "https://accounts.google.com/"
+      ...>   issuer: "https://accounts.google.com"
       ...> })
       ...> %Oidcc.ProviderConfiguration{issuer: "https://accounts.google.com"} =
       ...>   Oidcc.ProviderConfiguration.Worker.get_provider_configuration(pid)
@@ -84,7 +84,7 @@ defmodule Oidcc.ProviderConfiguration.Worker do
 
       iex> {:ok, pid} =
       ...>   Oidcc.ProviderConfiguration.Worker.start_link(%{
-      ...>   issuer: "https://accounts.google.com/"
+      ...>   issuer: "https://accounts.google.com"
       ...> })
       ...> %JOSE.JWK{} =
       ...>   Oidcc.ProviderConfiguration.Worker.get_jwks(pid)
@@ -104,7 +104,7 @@ defmodule Oidcc.ProviderConfiguration.Worker do
 
       iex> {:ok, pid} =
       ...>   Oidcc.ProviderConfiguration.Worker.start_link(%{
-      ...>   issuer: "https://accounts.google.com/"
+      ...>   issuer: "https://accounts.google.com"
       ...> })
       ...> :ok = Oidcc.ProviderConfiguration.Worker.refresh_configuration(pid)
   """
@@ -120,7 +120,7 @@ defmodule Oidcc.ProviderConfiguration.Worker do
 
       iex> {:ok, pid} =
       ...>   Oidcc.ProviderConfiguration.Worker.start_link(%{
-      ...>   issuer: "https://accounts.google.com/"
+      ...>   issuer: "https://accounts.google.com"
       ...> })
       ...> :ok = Oidcc.ProviderConfiguration.Worker.refresh_jwks(pid)
   """
@@ -136,7 +136,7 @@ defmodule Oidcc.ProviderConfiguration.Worker do
 
       iex> {:ok, pid} =
       ...>   Oidcc.ProviderConfiguration.Worker.start_link(%{
-      ...>   issuer: "https://accounts.google.com/"
+      ...>   issuer: "https://accounts.google.com"
       ...> })
       ...> :ok = Oidcc.ProviderConfiguration.Worker.refresh_jwks_for_unknown_kid(pid, "kid")
   """

lib/oidcc/token.ex

@@ -126,7 +126,7 @@ defmodule Oidcc.Token do
 
       iex> {:ok, pid} =
       ...>   Oidcc.ProviderConfiguration.Worker.start_link(%{
-      ...>     issuer: "https://login.yahoo.com"
+      ...>     issuer: "https://api.login.yahoo.com"
       ...>   })
       ...>
       ...> {:ok, client_context} =
@@ -172,7 +172,7 @@ defmodule Oidcc.Token do
 
       iex> {:ok, pid} =
       ...>   Oidcc.ProviderConfiguration.Worker.start_link(%{
-      ...>     issuer: "https://login.yahoo.com"
+      ...>     issuer: "https://api.login.yahoo.com"
       ...>   })
       ...>
       ...> {:ok, client_context} =
@@ -228,7 +228,7 @@ defmodule Oidcc.Token do
 
       iex> {:ok, pid} =
       ...>   Oidcc.ProviderConfiguration.Worker.start_link(%{
-      ...>     issuer: "https://login.yahoo.com"
+      ...>     issuer: "https://api.login.yahoo.com"
       ...>   })
       ...>
       ...> {:ok, client_context} =

lib/oidcc/token_introspection.ex

@@ -60,7 +60,7 @@ defmodule Oidcc.TokenIntrospection do
 
       iex> {:ok, pid} =
       ...>   Oidcc.ProviderConfiguration.Worker.start_link(%{
-      ...>     issuer: "https://login.yahoo.com"
+      ...>     issuer: "https://api.login.yahoo.com"
       ...>   })
       ...>
       ...> {:ok, client_context} =

lib/oidcc/userinfo.ex

@@ -46,7 +46,7 @@ defmodule Oidcc.Userinfo do
 
       iex> {:ok, pid} =
       ...>   Oidcc.ProviderConfiguration.Worker.start_link(%{
-      ...>     issuer: "https://login.yahoo.com"
+      ...>     issuer: "https://api.login.yahoo.com"
       ...>   })
       ...>
       ...> {:ok, client_context} =

src/oidcc_provider_configuration.erl

@@ -43,7 +43,7 @@
 %% </ul>
 
 -type t() ::
     #oidcc_provider_configuration{
         issuer :: uri_string:uri_string(),
         authorization_endpoint :: uri_string:uri_string(),
         token_endpoint :: uri_string:uri_string() | undefined,
@@ -119,6 +119,7 @@
             | alg_no_none,
         Field :: atom()
     }}
+    | {issuer_mismatch, Issuer :: binary()}
     | oidcc_http_util:error().
 
 -define(DEFAULT_CONFIG_EXPIRY, timer:minutes(15)).
@@ -180,17 +181,20 @@
 when
     Issuer :: uri_string:uri_string(),
     Opts :: opts().
-load_configuration(Issuer, Opts) ->
+load_configuration(Issuer0, Opts) ->
+    Issuer = binary:list_to_bin([Issuer0]),
     TelemetryOpts = #{topic => [oidcc, load_configuration], extra_meta => #{issuer => Issuer}},
     RequestOpts = maps:get(request_opts, Opts, #{}),
     Request = {[Issuer, <<"/.well-known/openid-configuration">>], []},
 
     maybe
         {ok, {{json, ConfigurationMap}, Headers}} ?= oidcc_http_util:request(get, Request, TelemetryOpts, RequestOpts),
         Expiry = headers_to_deadline(Headers, Opts),
-        {ok, Configuration} ?= decode_configuration(ConfigurationMap),
+        {ok, #oidcc_provider_configuration{issuer = Issuer} = Configuration}
+            ?= decode_configuration(ConfigurationMap),
         {ok, {Configuration, Expiry}}
     else
+        {ok, #oidcc_provider_configuration{issuer = DifferentIssuer}} -> {error, {issuer_mismatch, DifferentIssuer}};
         {error, Reason} -> {error, Reason};
         {ok, {{_Format, _Body}, _Headers}} -> {error, invalid_content_type}
     end.

src/oidcc_provider_configuration_worker.erl

@@ -220,7 +220,15 @@ get_jwks(Name) ->
 %% @since 3.0.0
 -spec refresh_configuration(Name :: gen_server:server_ref()) -> ok.
 refresh_configuration(Name) ->
-    gen_server:cast(Name, refresh_configuration).
+    refresh_configuration(Name, true).
+
+-spec refresh_configuration(Name :: gen_server:server_ref(), Synchronous :: boolean()) -> ok.
+refresh_configuration(Name, false) ->
+    gen_server:cast(Name, refresh_configuration);
+refresh_configuration(Name, true) ->
+    refresh_configuration(Name, false),
+    gen_server:call(Name, get_provider_configuration),
+    ok.
 
 %% @doc Refresh JWKs
 %%
@@ -239,8 +247,15 @@ refresh_configuration(Name) ->
 %% @end
 %% @since 3.0.0
 -spec refresh_jwks(Name :: gen_server:server_ref()) -> ok.
-refresh_jwks(Name) ->
-    gen_server:cast(Name, refresh_jwks).
+refresh_jwks(Name) -> refresh_jwks(Name, true).
+
+-spec refresh_jwks(Name :: gen_server:server_ref(), Synchronous :: boolean()) -> ok.
+refresh_jwks(Name, false) ->
+    gen_server:cast(Name, refresh_jwks);
+refresh_jwks(Name, true) ->
+    refresh_jwks(Name, false),
+    gen_server:call(Name, get_jwks),
+    ok.
 
 %% @doc Refresh JWKs if the provided `Kid' is not matching any currently loaded keys
 %%
@@ -259,7 +274,18 @@ refresh_jwks(Name) ->
 -spec refresh_jwks_for_unknown_kid(Name :: gen_server:server_ref(), Kid :: binary()) ->
     ok.
 refresh_jwks_for_unknown_kid(Name, Kid) ->
-    gen_server:cast(Name, {refresh_jwks_for_unknown_kid, Kid}).
+    refresh_jwks_for_unknown_kid(Name, Kid, true).
+
+-spec refresh_jwks_for_unknown_kid(
+    Name :: gen_server:server_ref(), Kid :: binary(), Synchronous :: boolean()
+) ->
+    ok.
+refresh_jwks_for_unknown_kid(Name, Kid, false) ->
+    gen_server:cast(Name, {refresh_jwks_for_unknown_kid, Kid});
+refresh_jwks_for_unknown_kid(Name, Kid, true) ->
+    refresh_jwks_for_unknown_kid(Name, Kid, false),
+    gen_server:call(Name, get_jwks),
+    ok.
 
 -spec get_issuer(Opts :: opts()) -> {ok, binary()} | {error, issuer_required}.
 get_issuer(Opts) ->

test/oidcc/authorization_test.exs

@@ -9,7 +9,7 @@ defmodule Oidcc.AuthorizationTest do
     test "works" do
       pid =
         start_supervised!(
-          {Oidcc.ProviderConfiguration.Worker, %{issuer: "https://accounts.google.com/"}}
+          {Oidcc.ProviderConfiguration.Worker, %{issuer: "https://accounts.google.com"}}
         )
 
       {:ok, client_context} =

test/oidcc/client_context_test.exs

@@ -10,7 +10,7 @@ defmodule Oidcc.ClientContextTest do
       pid =
         start_supervised!(
           {Oidcc.ProviderConfiguration.Worker,
-           %{issuer: "https://accounts.google.com/", name: __MODULE__.GoogleProvider}}
+           %{issuer: "https://accounts.google.com", name: __MODULE__.GoogleProvider}}
         )
 
       assert {:ok, %Oidcc.ClientContext{}} =

test/oidcc/provider_configuration/worker_test.exs

@@ -9,7 +9,7 @@ defmodule Oidcc.ProviderConfiguration.WorkerTest do
   describe inspect(&Worker.start_link/1) do
     test "works" do
       start_supervised!(
-        {Worker, %{issuer: "https://accounts.google.com/", name: __MODULE__.GoogleProvider}}
+        {Worker, %{issuer: "https://accounts.google.com", name: __MODULE__.GoogleProvider}}
       )
     end
   end
@@ -18,7 +18,7 @@ defmodule Oidcc.ProviderConfiguration.WorkerTest do
     test "works" do
       pid =
         start_supervised!(
-          {Worker, %{issuer: "https://accounts.google.com/", name: __MODULE__.GoogleProvider}}
+          {Worker, %{issuer: "https://accounts.google.com", name: __MODULE__.GoogleProvider}}
         )
 
       assert %ProviderConfiguration{issuer: "https://accounts.google.com"} =
@@ -29,7 +29,7 @@ defmodule Oidcc.ProviderConfiguration.WorkerTest do
   describe inspect(&Worker.get_jwks/1) do
     test "works" do
       start_supervised!(
-        {Worker, %{issuer: "https://accounts.google.com/", name: __MODULE__.GoogleProvider}}
+        {Worker, %{issuer: "https://accounts.google.com", name: __MODULE__.GoogleProvider}}
       )
 
       assert %JOSE.JWK{} =
@@ -41,7 +41,7 @@ defmodule Oidcc.ProviderConfiguration.WorkerTest do
     test "works" do
       pid =
         start_supervised!(
-          {Worker, %{issuer: "https://accounts.google.com/", name: __MODULE__.GoogleProvider}}
+          {Worker, %{issuer: "https://accounts.google.com", name: __MODULE__.GoogleProvider}}
         )
 
       assert :ok = Worker.refresh_configuration(pid)
@@ -52,7 +52,7 @@ defmodule Oidcc.ProviderConfiguration.WorkerTest do
     test "works" do
       pid =
         start_supervised!(
-          {Worker, %{issuer: "https://accounts.google.com/", name: __MODULE__.GoogleProvider}}
+          {Worker, %{issuer: "https://accounts.google.com", name: __MODULE__.GoogleProvider}}
         )
 
       assert :ok = Worker.refresh_jwks(pid)
@@ -63,7 +63,7 @@ defmodule Oidcc.ProviderConfiguration.WorkerTest do
     test "works" do
       pid =
         start_supervised!(
-          {Worker, %{issuer: "https://accounts.google.com/", name: __MODULE__.GoogleProvider}}
+          {Worker, %{issuer: "https://accounts.google.com", name: __MODULE__.GoogleProvider}}
         )
 
       assert :ok = Worker.refresh_jwks_for_unknown_kid(pid, "kid")

test/oidcc_client_context_SUITE.erl

@@ -13,7 +13,7 @@ all() ->
 from_configuration_worker(_Config) ->
     {ok, GoogleConfigurationPid} =
         oidcc_provider_configuration_worker:start_link(#{
-            issuer => <<"https://accounts.google.com/">>,
+            issuer => <<"https://accounts.google.com">>,
             name => {local, from_configuration_worker_oidcc_client_context_SUITE}
         }),