allow alternative issuer in NewProvider

pace · Mar 4, 2025 · 1e856d5 · 1e856d5
1 parent 4b5f82d
commit 1e856d5
Showing 1 changed file with 5 additions and 3 deletions.
diff --git a/oidc/oidc.go b/oidc/oidc.go
@@ -235,7 +235,7 @@ func (p *ProviderConfig) NewProvider(ctx context.Context) *Provider {
 // should use [ProviderConfig] instead.
 //
 // See: https://openid.net/specs/openid-connect-discovery-1_0.html
-func NewProvider(ctx context.Context, issuer string) (*Provider, error) {
+func NewProvider(ctx context.Context, issuer string, alternativeIssuer ...string) (*Provider, error) {
 	wellKnown := strings.TrimSuffix(issuer, "/") + "/.well-known/openid-configuration"
 	req, err := http.NewRequest("GET", wellKnown, nil)
 	if err != nil {
@@ -266,8 +266,10 @@ func NewProvider(ctx context.Context, issuer string) (*Provider, error) {
 	if !skipIssuerValidation {
 		issuerURL = issuer
 	}
-	if p.Issuer != issuerURL && !skipIssuerValidation {
-		return nil, fmt.Errorf("oidc: issuer did not match the issuer returned by provider, expected %q got %q", issuer, p.Issuer)
+	alternativeIssuer = append(alternativeIssuer, issuer)
+	issuerStr := strings.Join(alternativeIssuer, " ")
+	if !strings.Contains(issuerStr, p.Issuer) {
+		return nil, fmt.Errorf("oidc: issuer did not match the issuer returned by provider, expected one of %q got %q", issuerStr, p.Issuer)
 	}
 	var algs []string
 	for _, a := range p.Algorithms {