From bb84e8af1364981016d77e8c6a2e3bc3145be6fe Mon Sep 17 00:00:00 2001
From: MaysWind
Date: Sun, 2 Nov 2025 01:37:52 +0800
Subject: [PATCH] support skipping issuer url verification in OIDC authentication

---
 conf/ezbookkeeping.ini | 5 +++-
 .../oauth2/provider/oidc/oidc_provider.go | 25 +++++++++++++------
 pkg/settings/setting.go | 6 +++-
 3 files changed, 25 insertions(+), 11 deletions(-)

diff --git a/conf/ezbookkeeping.ini b/conf/ezbookkeeping.ini
index 06a9c515..7813012e 100644
--- a/conf/ezbookkeeping.ini
+++ b/conf/ezbookkeeping.ini
@@ -316,9 +316,12 @@ oauth2_proxy = system
 # For "oauth2" authentication only, set to true to skip tls verification when request OAuth 2.0 api
 oauth2_skip_tls_verify = false
 
-# For "oauth2" authentication and "oidc" OAuth 2.0 provider only, OIDC provider base url. Make sure the ".well-known" directory is available under this path. For example, if it's set to "https://auth.example.com/", the discovery URL should be "https://auth.example.com/.well-known/openid-configuration".
+# For "oauth2" authentication and "oidc" OAuth 2.0 provider only, OIDC provider issuer url. Make sure the ".well-known" directory is available under this path. For example, if it's set to "https://auth.example.com", the discovery URL should be "https://auth.example.com/.well-known/openid-configuration".
 oidc_provider_base_url =
 
+# For "oauth2" authentication and "oidc" OAuth 2.0 provider only, set to true to check whether the issuer url in the discovery response matches the above "oidc_provider_base_url"
+oidc_provider_check_issuer_url = true
+
 # For "oauth2" authentication and "oidc" OAuth 2.0 provider only, set to true to replace the text "Connect ID" in the "Log in with Connect ID" button with the below custom provider name
 enable_oidc_display_name = false
 
diff --git a/pkg/auth/oauth2/provider/oidc/oidc_provider.go b/pkg/auth/oauth2/provider/oidc/oidc_provider.go
index b9cfe8ad..67f21555 100644
--- a/pkg/auth/oauth2/provider/oidc/oidc_provider.go
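Review bot: The new comment on `oidc_provider_check_issuer_url` describes only the discovery-document comparison, but the accompanying Go change also sets `SkipIssuerCheck` on the ID token verifier when this key is false, so the `iss` claim of every ID token stops being validated as well. An operator reading only this file cannot see that second effect, and it is the one with security weight. I would extend the comment, e.g. `# ... Set to false only if your provider's discovery "issuer" value cannot be made to match "oidc_provider_base_url"; when false, the issuer ("iss") claim of ID tokens is not validated either`.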
+++ b/pkg/auth/oauth2/provider/oidc/oidc_provider.go
@@ -1,7 +1,7 @@
 package oidc
 
 import (
-	"strings"
+	"context"
 
 	"golang.org/x/oauth2"
 
@@ -25,7 +25,8 @@ type OIDCClaims struct {
 // OIDCProvider represents OIDC provider
 type OIDCProvider struct {
 	provider.OAuth2Provider
-	oidcBaseUrl string
+	oidcIssuerURL string
+	oidcCheckIssuerURL bool
 	redirectUrl string
 	oauth2ClientID string
 	oauth2ClientSecret string
@@ -130,14 +131,23 @@ func (p *OIDCProvider) getOAuth2Config(c core.Context) (*oauth2.Config, error) {
 		return p.oauth2Config, nil
 	}
 
-	oidcProvider, err := oidc.NewProvider(c, p.oidcBaseUrl)
+	var ctx context.Context = c
+
+	if !p.oidcCheckIssuerURL {
+		ctx = oidc.InsecureIssuerURLContext(c, p.oidcIssuerURL)
+	}
+
+	oidcProvider, err := oidc.NewProvider(ctx, p.oidcIssuerURL)
 
 	if err != nil {
 		log.Errorf(c, "[oidc_provider.getOAuth2Config] failed to create oidc provider, because %s", err.Error())
 		return nil, err
 	}
 
-	oidcVerifier := oidcProvider.Verifier(&oidc.Config{ClientID: p.oauth2ClientID})
+	oidcVerifier := oidcProvider.Verifier(&oidc.Config{
+		ClientID: p.oauth2ClientID,
+		SkipIssuerCheck: !p.oidcCheckIssuerURL,
+	})
 
 	oauth2Config := &oauth2.Config{
 		ClientID: p.oauth2ClientID,
@@ -155,14 +165,13 @@ func (p *OIDCProvider) getOAuth2Config(c core.Context) (*oauth2.Config, error) {
 
 // NewOIDCProvider returns a new OIDC provider
 func NewOIDCProvider(config *settings.Config, redirectUrl string) (*OIDCProvider, error) {
-	if len(config.OAuth2OIDCProviderBaseUrl) < 1 {
+	if len(config.OAuth2OIDCProviderIssuerURL) < 1 {
 		return nil, errs.ErrInvalidOAuth2Config
 	}
 
-	baseUrl := strings.TrimSuffix(config.OAuth2OIDCProviderBaseUrl, "/")
-
 	return &OIDCProvider{
-		oidcBaseUrl: baseUrl,
+		oidcIssuerURL: config.OAuth2OIDCProviderIssuerURL,
+		oidcCheckIssuerURL: config.OAuth2OIDCProviderCheckIssuerURL,
 		redirectUrl: redirectUrl,
 		oauth2ClientID: config.OAuth2ClientID,
 		oauth2ClientSecret: config.OAuth2ClientSecret,
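Review bot: When `oidcCheckIssuerURL` is false the code switches to `oidc.InsecureIssuerURLContext` and `SkipIssuerCheck: true` without leaving any trace, so a deployment running with issuer validation disabled is indistinguishable in the logs from one running with it enabled. I would emit a warn-level line from the project's `log` package inside the `if !p.oidcCheckIssuerURL` branch, e.g. `"[oidc_provider.getOAuth2Config] issuer url check is disabled, id token issuer claim will not be verified"`, and add a one-line comment above the branch stating why the insecure context is needed (the library otherwise rejects a discovery document whose issuer differs from the configured url — worth confirming against the pinned go-oidc version). Minor style point: `var ctx context.Context = c` reads more idiomatically as `ctx := context.Context(c)`. getOAuth2Config begins before this hunk and ends after it.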
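Review bot: Dropping the `strings.TrimSuffix(..., "/")` normalization means a configured `oidc_provider_base_url` ending in `/` — which the previous ini comment used as its example — now reaches `oidc.NewProvider` verbatim, and with the check enabled by default the issuer comparison against the discovery document will most likely fail for such existing installs (as far as I recall go-oidc compares the raw string). Either keep the normalization, `oidcIssuerURL: strings.TrimSuffix(config.OAuth2OIDCProviderIssuerURL, "/"),` (which also means keeping the `"strings"` import removed in the first hunk), or call out the migration for users with a trailing slash; if some providers legitimately advertise an issuer with a trailing slash, the second option is the safer one. NewOIDCProvider's struct literal continues past the hunk.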
diff --git a/pkg/settings/setting.go b/pkg/settings/setting.go
index e8306fc4..92857d31 100644
--- a/pkg/settings/setting.go
+++ b/pkg/settings/setting.go
@@ -377,7 +377,8 @@ type Config struct {
 	OAuth2RequestTimeout uint32
 	OAuth2Proxy string
 	OAuth2SkipTLSVerify bool
-	OAuth2OIDCProviderBaseUrl string
+	OAuth2OIDCProviderIssuerURL string
+	OAuth2OIDCProviderCheckIssuerURL bool
 	OAuth2OIDCCustomDisplayNameConfig MultiLanguageContentConfig
 	OAuth2NextcloudBaseUrl string
 	OAuth2GiteaBaseUrl string
@@ -1032,7 +1033,8 @@ func loadAuthConfiguration(config *Config, configFile *ini.File, sectionName str
 	config.OAuth2RequestTimeout = getConfigItemUint32Value(configFile, sectionName, "oauth2_request_timeout", defaultOAuth2RequestTimeout)
 	config.OAuth2SkipTLSVerify = getConfigItemBoolValue(configFile, sectionName, "oauth2_skip_tls_verify", false)
-	config.OAuth2OIDCProviderBaseUrl = getConfigItemStringValue(configFile, sectionName, "oidc_provider_base_url")
+	config.OAuth2OIDCProviderIssuerURL = getConfigItemStringValue(configFile, sectionName, "oidc_provider_base_url")
+	config.OAuth2OIDCProviderCheckIssuerURL = getConfigItemBoolValue(configFile, sectionName, "oidc_provider_check_issuer_url", true)
 	config.OAuth2OIDCCustomDisplayNameConfig = getMultiLanguageContentConfig(configFile, sectionName, "enable_oidc_display_name", "oidc_custom_display_name")
 	config.OAuth2NextcloudBaseUrl = getConfigItemStringValue(configFile, sectionName, "nextcloud_base_url")
 	config.OAuth2GiteaBaseUrl = getConfigItemStringValue(configFile, sectionName, "gitea_base_url")