From dfc3764bcc341aa4874872cc158d754a6230f4f3 Mon Sep 17 00:00:00 2001
From: Daniel Rosel
Date: Fri, 3 Apr 2026 19:45:20 +0200
Subject: [PATCH] normalize discovery issuer path
---
 dlib/auth/oidc.py | 23 ++++++++++++-----------
 1 file changed, 12 insertions(+), 11 deletions(-)
diff --git a/dlib/auth/oidc.py b/dlib/auth/oidc.py
index 689f62c..34c70b1 100644
--- a/dlib/auth/oidc.py
+++ b/dlib/auth/oidc.py
@@ -20,13 +20,14 @@ class TokenValidationError(Exception):
 pass
-def _normalize_issuer(value: str | None) -> str | None:
+def _normalize_issuer(value: str | None) -> tuple[str | None, str | None]:
 if not value:
- return None
- normalized = value.strip().rstrip("/")
- if normalized.endswith("/application/o/authorize"):
- normalized = normalized[: -len("/authorize")]
- return normalized.rstrip("/")
+ return None, None
+ raw = value.strip().rstrip("/")
+ normalized = raw.replace("/application/o/authorize/", "/application/o/")
+ normalized = normalized.replace("/application/o/authorize", "/application/o")
+ normalized = normalized.rstrip("/")
+ return raw, normalized if normalized != raw else raw
 class OidcTokenValidator:
@@ -38,16 +39,16 @@ class OidcTokenValidator:
 jwks_url: str | None = None,
 disable: bool = False,
 ) -> None:
- normalized_issuer = _normalize_issuer(issuer)
- self.issuer = normalized_issuer
+ raw_issuer, discovery_issuer = _normalize_issuer(issuer)
+ self.issuer = raw_issuer
 self.audience = audience
 self.jwks_url = jwks_url
 self.discovery_url = (
- f"{normalized_issuer.rstrip('/')}/.well-known/openid-configuration"
- if normalized_issuer
+ f"{(discovery_issuer or raw_issuer).rstrip('/')}/.well-known/openid-configuration"
+ if (discovery_issuer or raw_issuer)
 else None
 )
- self.disable = disable or not normalized_issuer
+ self.disable = disable or not raw_issuer
 self._jwks: dict[str, Any] | None = None
 self._jwks_expiry: float = 0
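Review bot: The second `replace` in `_normalize_issuer` is not bounded to a whole path segment, so it rewrites any issuer whose path merely begins with `/application/o/authorize`; a constructed example, `.../application/o/authorize-portal`, becomes `.../application/o-portal`, and the discovery URL built from it points at a different path than the one configured. Because the discovery document decides where the signing keys are fetched from, that rewrite should only fire on a complete trailing segment, as the removed code did: `if normalized.endswith("/application/o/authorize"): normalized = normalized[: -len("/authorize")]`. The first `replace` is slash-bounded on both sides and can stay. The return expression `normalized if normalized != raw else raw` always evaluates to `normalized`, so `return raw, normalized` says the same thing. A docstring stating that the pair is (configured issuer, issuer used to build the discovery URL) would save readers from inferring it at the call site.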
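Review bot: `self.issuer` now holds the configured string while `discovery_url` is built from the rewritten one, and the rewritten value is discarded once `__init__` has formatted the URL. Whenever the two differ, the `issuer` field of the fetched metadata cannot equal `self.issuer`, and the validator keeps nothing it could be compared with. OpenID Connect Discovery requires that field to match the issuer the document was requested under, so keeping `self.discovery_issuer = discovery_issuer` would let the fetch code (outside this hunk) enforce the match before trusting `jwks_uri`. A comment saying which of the two values the token's `iss` claim is checked against would also help, since `self.issuer` changed meaning in this commit. The `or raw_issuer` fallback appears unreachable, because `_normalize_issuer` returns either two `None`s or two strings that are empty together.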