From 2cea4d73aaf68428f3b130b16e49dfbf7dabea67 Mon Sep 17 00:00:00 2001
From: jubnl
Date: Wed, 22 Apr 2026 21:14:29 +0200
Subject: [PATCH] fix(oidc): normalize discovery doc issuer before comparison

Trailing slash in doc.issuer (e.g. Authentik) caused a mismatch against the already-normalized configured issuer, breaking OIDC login entirely.

Closes #834
---
 server/src/services/oidcService.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/server/src/services/oidcService.ts b/server/src/services/oidcService.ts
index db0ef8ad..786fd637 100644
--- a/server/src/services/oidcService.ts
+++ b/server/src/services/oidcService.ts
@@ -143,7 +143,7 @@ export async function discover(issuer: string, discoveryUrl?: string | null): Pr
   // Validate that the discovery doc's issuer matches the operator-configured
   // one. A MITM or compromised doc could otherwise supply a crafted issuer
   // that passes jwt.verify() because we used doc.issuer as the expected value.
-  if (doc.issuer && doc.issuer !== issuer) {
+  if (doc.issuer && doc.issuer.replace(/\/+$/, '') !== issuer) {
     throw new Error(`OIDC discovery issuer mismatch: expected "${issuer}", got "${doc.issuer}"`);
   }
   doc._issuer = url;
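Review bot: Stripping the trailing slash in the comparison on the `+` line fixes this guard, but the ID token's `iss` claim from such a provider still carries the slash (OIDC requires it to match the discovery document's `issuer` verbatim), so if the subsequent `jwt.verify` now uses the normalized configured `issuer` as its expected value, Authentik logins will still fail at token verification; that call is outside this hunk, so confirm which value it receives. One option that keeps this check as the trust decision is to verify tokens against `doc.issuer` once the guard has passed, or to apply the same trailing-slash normalization to the `iss` claim before comparing. Since the configured issuer is already normalized elsewhere, both sides should go through one shared helper, e.g. `const stripTrailingSlash = (s: string) => s.replace(/\/+$/, '');`, rather than a second inline regex that can drift from the first. Because the discovery document is untrusted JSON (the comment above the check says as much), consider guarding with `typeof doc.issuer === 'string'` before calling `.replace`, so a non-string `issuer` yields the mismatch error instead of a TypeError. The enclosing `discover` function begins and ends outside this hunk.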