
Every url in discovery document has to start with the issuer url - but why? #419

Closed
rbkrabbe opened this issue Sep 5, 2018 · 4 comments

Comments

@rbkrabbe

rbkrabbe commented Sep 5, 2018

When using strictDiscoveryDocumentValidation (the default), all URLs in the discovery document must start with the issuer URL, but this does not seem to be a part of any OAuth or OpenID specification that I can find. Why is this a requirement? It is incompatible with e.g. Google's OpenID configuration: https://accounts.google.com/.well-known/openid-configuration.

@jaco-terbraak

It's also incompatible with WSO2-IS.

@jeroenheijmans
Collaborator

Based on what I know about the library, and digging through the commits that introduced that option, I would say that it's a little overzealous and you can safely set the strictDiscoveryDocumentValidation option to false for Google OpenID and WSO2-IS, and move on.

Assuming I'm right, we could leave this GH issue open as a request to add this note (that it can be safely set to false for some IDServers) to the property's documentation. But that's probably something only the original author / maintainer can answer for us.

@manfredsteyer
Owner

Yes, you are right. You can deactivate it and it isn't demanded by the specs. It's more or less a best practice as it prevents a specific attack where someone manages to fake a discovery document.
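To make concrete what the strict check buys and what disabling it gives up, here is an added illustration of a discovery-document validator in the spirit of strictDiscoveryDocumentValidation. It is not angular-oauth2-oidc's own code, and the issuer, host names and sample documents are constructed placeholders (the multi-host layout mirrors the situation the thread reports for providers whose endpoints live on several hosts). It also shows a tampered document whose token endpoint points at a foreign host, which only the strict mode rejects:

```typescript
// Added example, not the library's implementation: a strict discovery-document check.

interface DiscoveryDocument {
  issuer: string;
  authorization_endpoint: string;
  token_endpoint: string;
  jwks_uri: string;
  userinfo_endpoint?: string;
  end_session_endpoint?: string;
}

interface ValidationResult {
  ok: boolean;
  problems: string[];
}

// Endpoint fields whose URLs are checked (field names from OpenID Connect Discovery 1.0).
const ENDPOINT_KEYS = [
  "authorization_endpoint",
  "token_endpoint",
  "jwks_uri",
  "userinfo_endpoint",
  "end_session_endpoint",
] as const;

function validateDiscoveryDocument(
  doc: DiscoveryDocument,
  expectedIssuer: string,
  strict: boolean,
): ValidationResult {
  const problems: string[] = [];

  // The issuer the document claims must equal the issuer the client was configured
  // with. This check is independent of the strict flag.
  if (doc.issuer !== expectedIssuer) {
    problems.push(`issuer mismatch: expected ${expectedIssuer}, got ${doc.issuer}`);
  }

  // Normalise the issuer to end in exactly one "/" so that the prefix test cannot be
  // satisfied by a look-alike host such as https://login.example.com.evil/.
  const issuerPrefix = expectedIssuer.toLowerCase().replace(/\/+$/, "") + "/";

  for (const key of ENDPOINT_KEYS) {
    const url = doc[key];
    if (url === undefined) continue;
    const lower = url.toLowerCase();
    // Endpoints must always be reached over TLS.
    if (!lower.startsWith("https://")) {
      problems.push(`${key} is not https: ${url}`);
    }
    // Strict mode additionally requires every endpoint to live under the issuer URL.
    if (strict && !lower.startsWith(issuerPrefix)) {
      problems.push(`${key} does not start with issuer ${expectedIssuer}: ${url}`);
    }
  }
  return { ok: problems.length === 0, problems };
}

// Constructed sample data; the hosts are placeholders, not real providers.
const ISSUER = "https://login.example.com";

// Every endpoint under the issuer: accepted in both modes.
const singleHostDoc: DiscoveryDocument = {
  issuer: ISSUER,
  authorization_endpoint: `${ISSUER}/oauth2/authorize`,
  token_endpoint: `${ISSUER}/oauth2/token`,
  jwks_uri: `${ISSUER}/oauth2/keys`,
  userinfo_endpoint: `${ISSUER}/oauth2/userinfo`,
};

// Endpoints spread across several hosts: legitimate, but rejected by strict mode.
const multiHostDoc: DiscoveryDocument = {
  issuer: ISSUER,
  authorization_endpoint: `${ISSUER}/o/oauth2/auth`,
  token_endpoint: "https://oauth2.example.net/token",
  jwks_uri: "https://certs.example.net/oauth2/v3/certs",
  userinfo_endpoint: "https://userinfo.example.net/v1/userinfo",
};

// A tampered document: correct issuer, but the token endpoint was redirected elsewhere.
const tamperedDoc: DiscoveryDocument = {
  ...singleHostDoc,
  token_endpoint: "https://attacker.invalid/token",
};

// Verdicts for each sample document in both modes.
function summarize(): Record<string, boolean> {
  return {
    singleHostStrict: validateDiscoveryDocument(singleHostDoc, ISSUER, true).ok,
    multiHostStrict: validateDiscoveryDocument(multiHostDoc, ISSUER, true).ok,
    multiHostLenient: validateDiscoveryDocument(multiHostDoc, ISSUER, false).ok,
    tamperedStrict: validateDiscoveryDocument(tamperedDoc, ISSUER, true).ok,
    tamperedLenient: validateDiscoveryDocument(tamperedDoc, ISSUER, false).ok,
  };
}

console.log(summarize());
```

The takeaway for the configuration question in this thread: with the strict flag off, the issuer match and the https requirement still apply, but a document whose token endpoint has been pointed at another host is accepted, so the remaining protection is that the document itself is fetched over TLS from the configured issuer. A client that must turn the flag off for a multi-host provider can regain the same property by checking each endpoint against an explicit allow-list of that provider's hosts instead of the single issuer prefix.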

@cconcannon

The discovery document for PingOne relying parties also fails the validation check, and as such requires setting strictDiscoveryDocumentValidation = false;

I'm opening a PR to reflect this configuration in the "Getting Started" section, as it seems relevant enough to multiple ID Providers and it took a little bit of digging to find.
