
Missing trailing '/' in the issuer url in the access token

Open RoseECooper opened this issue 1 year ago • 3 comments

Hi, I'm integrating an FTS instance with the SKA prototyping IAM instance, https://ska-iam.stfc.ac.uk/ and have encountered an issue where the issuer in the well-known config is listed as:

curl -s -X GET https://ska-iam.stfc.ac.uk/.well-known/openid-configuration | jq .issuer
"https://ska-iam.stfc.ac.uk/"

When decoding the token generated by oidc-agent the issuer is given as "iss": "https://ska-iam.stfc.ac.uk" which doesn't have the trailing '/'. This mismatch in issuer URL causes FTS to not recognise the token issuer being used and reject any FTS transfer submissions. A temporary fix for this for the FTS side has been made by Mihai, however we're not sure what is actually causing this mismatch in the first place.

Would it be possible to get some help with this?

Thanks!

RoseECooper avatar Feb 22 '24 17:02 RoseECooper

Hi, the problem may be caused during registration of the oidc client. After the command oidc-gen -w device <client-name>, you have to specify the issuer; it must end with the trailing '/', otherwise you'll get the issuer without the '/' in the access token. Is this the case?

rmiccoli avatar Feb 22 '24 17:02 rmiccoli

Hi, I've included the trailing '/' when specifying the issuer but it is still missing from the token that is generated.

RoseECooper avatar Mar 05 '24 15:03 RoseECooper

Hi, the iss value in the access token is set by IAM configuration. It should work as you expect if you set

iam:
  issuer: https://ska-iam.stfc.ac.uk/

Please let us know if it works for you.

federicaagostini avatar Mar 06 '24 10:03 federicaagostini

Closing since the issue should be solved with the above configuration. Please reopen it if this is not the case.

federicaagostini avatar Apr 26 '24 14:04 federicaagostini
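
Added example, not part of the original thread and not IAM or FTS code: a small diagnostic that decodes a token's `iss` claim and compares it with the `issuer` from the well-known configuration, to confirm whether the trailing '/' mismatch described above is present or fixed. The helper names and the sample tokens are constructed for illustration; the token is decoded without signature verification, so this is a troubleshooting check only.

```python
import base64
import json


def jwt_claims(token: str) -> dict:
    """Decode a compact JWT's payload WITHOUT verifying it (diagnostics only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected 3 dot-separated segments)")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def compare_issuer(token_iss: str, discovery_issuer: str) -> str:
    """Classify how the token issuer relates to the advertised issuer."""
    if token_iss == discovery_issuer:
        return "match"  # exact string equality, what a strict verifier expects
    if token_iss.rstrip("/") == discovery_issuer.rstrip("/"):
        return "trailing-slash-mismatch"  # the case reported in this issue
    return "mismatch"


def _b64url(obj: dict) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_sample_token(iss: str) -> str:
    """Build a constructed, unsigned sample token carrying the given iss."""
    header = {"alg": "RS256", "typ": "JWT"}
    claims = {"iss": iss, "sub": "constructed-sample"}
    return ".".join([_b64url(header), _b64url(claims), "constructed-signature"])


# Issuer value as reported from the well-known configuration in the thread.
DISCOVERY = {"issuer": "https://ska-iam.stfc.ac.uk/"}

if __name__ == "__main__":
    for iss in ("https://ska-iam.stfc.ac.uk", "https://ska-iam.stfc.ac.uk/"):
        token = make_sample_token(iss)
        found = jwt_claims(token)["iss"]
        print(f"iss={found!r}: {compare_issuer(found, DISCOVERY['issuer'])}")
```

To check a real deployment, pass the access token string to `jwt_claims` and the `issuer` value from the `curl ... | jq .issuer` output to `compare_issuer`.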