AS issuer validation failure #140
Description
Describe the bug
I'm currently working on implementing client-side OAuth in Go SDK and I'm running into a conformance test failure which I'm not sure is warranted, so I would like to consult.
The issue is related to Authorization Server Metadata handling. In metadata-var2 and metadata-var3 tests, the authorization server's issuer identifier contains a non-empty path component /tenant1. According to RFC 8141 section 3.3 a client must validate if the issuer value returned by the authorization server is the same as the identifier used to create the URL for the metadata. However, the AS returns a value with no path component, for example:
{
"id": "outgoing-auth-response",
"name": "Outgoing-auth-response",
"description": "Sent 200 response for GET /.well-known/oauth-authorization-server/tenant1",
"status": "INFO",
"timestamp": "2026-02-10T14:02:08.022Z",
"details": {
"method": "GET",
"path": "/.well-known/oauth-authorization-server/tenant1",
"statusCode": 200,
"headers": {
"x-powered-by": "Express",
"content-type": "application/json; charset=utf-8",
"content-length": "417",
"etag": "W/\"1a1-vdDFr5xugGjES09D01A3xMuA7xw\""
},
"body": {
"issuer": "http://localhost:35909", <--- HERE
"authorization_endpoint": "http://localhost:35909/tenant1/authorize",
"token_endpoint": "http://localhost:35909/tenant1/token",
"registration_endpoint": "http://localhost:35909/tenant1/register",
"response_types_supported": [
"code"
],
"grant_types_supported": [
"authorization_code",
"refresh_token"
],
"code_challenge_methods_supported": [
"S256"
],
"token_endpoint_auth_methods_supported": [
"none"
]
}
}
},Should this behavior be adjusted?
To Reproduce
Steps to reproduce the behavior:
- Run
metadata-var2ormetadata-var3conformance test with a working SDK and inspectchecks.json.
Expected behavior
I would expect the issuer field to contain the path component used to construct the AS metadata URL.