<![CDATA[Tenant Issuer configuration might not follow the OIDC specification]]>I'm not sure if this qualifies as a bug or a documentation issue (or neither), but there's a potential problem with the advice when setting up a tenant.

Under the tenant settings, you set the token issuer - and it advises you to use the FQDN of your domain. The example given is "fusionauth.io". This issuer winds up in the OIDC Autodiscovery config and I believe the "iss" field of the ID Token. So, if you set it to "fusionauth.io" you'll wind up with this:

{
  ...
  "issuer" : "fusionauth.io",
  
}

Issuer, according to the spec (https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata), must include the scheme:

REQUIRED. URL using the https scheme with no query or fragment components that the OP asserts as its Issuer Identifier. If Issuer discovery is supported (see Section 2), this value MUST be identical to the issuer value returned by WebFinger. This also MUST be identical to the iss Claim value in ID Tokens issued from this Issuer.

So, that breaks some OIDC Clients rhat strictly adhere to the spec (I tried it with npm's openid-client but there are likely others).

The spec for the "iss" stanza of ID tokens also needs the scheme: https://openid.net/specs/openid-connect-core-1_0.html#IDToken

Related point, if you use the Tenant's autodiscovery URL, e.g. https://fusionauth.io/{tentant_id}/.well-known/openid-configuration, OIDC clients will generally expect the issuer to include the {tenant_id} as well and try to validate against that. Here's an example from an Okta dev tenant: https://dev-06212286.okta.com/oauth2/ausmf0ocf2mJ2g4Yq5d7/.well-known/openid-configuration

The docs (https://fusionauth.io/docs/get-started/core-concepts/tenants) don't mention any of this - just says FQDN (which does not include a scheme), so while you can configure your Tenant appropriately it's fairly easy to misconfigure it. Might be worth mentioning this somewhere or validating that the issuer (if possible) contains the scheme.

I don't actually know if that was present in earlier drafts of the OIDC spec.

]]>https://fusionauth.io/community/forum/topic/2854/tenant-issuer-configuration-might-not-follow-the-oidc-specificationRSS for NodeTue, 21 Apr 2026 14:28:35 GMTTue, 28 Jan 2025 23:17:09 GMT60<![CDATA[Reply to Tenant Issuer configuration might not follow the OIDC specification on Mon, 17 Mar 2025 13:42:31 GMT]]>@maciej-wisniowski Looks like you are getting some traction on the issue. Thanks for taking the time to work through this and submit the issue to make FusionAuth better.

]]>https://fusionauth.io/community/forum/post/7898https://fusionauth.io/community/forum/post/7898Mon, 17 Mar 2025 13:42:31 GMT<![CDATA[Reply to Tenant Issuer configuration might not follow the OIDC specification on Fri, 14 Mar 2025 08:32:53 GMT]]>@cabaral109 @mark-robustelli after spending few hours debugging issue with openid-client I found this topic and lack of the protocol part in the issuer field to be a reason. I've just submitted the issue at: https://github.com/FusionAuth/fusionauth-issues/issues/3021

]]>https://fusionauth.io/community/forum/post/7887https://fusionauth.io/community/forum/post/7887Fri, 14 Mar 2025 08:32:53 GMT<![CDATA[Reply to Tenant Issuer configuration might not follow the OIDC specification on Thu, 20 Feb 2025 02:38:47 GMT]]>@cthos

@cthos said in Tenant Issuer configuration might not follow the OIDC specification:

I'm not sure if this qualifies as a bug or a documentation issue (or neither), but there's a potential problem with the advice when setting up a tenant.

Under the tenant settings, you set the token issuer - and it advises you to use the FQDN of your domain. The example given is "fusionauth.io". This issuer winds up in the OIDC Autodiscovery config and I believe the "iss" field of the ID Token. So, if you set it to "fusionauth.io" you'll wind up with this:

{
  ...
  "issuer" : "fusionauth.io",
  
}

Issuer, according to the spec (https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata fnaf)

, must include the scheme:

REQUIRED. URL using the https scheme with no query or fragment components that the OP asserts as its Issuer Identifier. If Issuer discovery is supported (see Section 2), this value MUST be identical to the issuer value returned by WebFinger. This also MUST be identical to the iss Claim value in ID Tokens issued from this Issuer.

So, that breaks some OIDC Clients rhat strictly adhere to the spec (I tried it with npm's openid-client but there are likely others).

The spec for the "iss" stanza of ID tokens also needs the scheme: https://openid.net/specs/openid-connect-core-1_0.html#IDToken

The current documentation mentions FQDN (Fully Qualified Domain Name) without explicitly stating the need for a scheme. This could lead to misconfigurations if users are unaware that the issuer should include the scheme. It would be beneficial to update the documentation to clarify that the issuer must include both the scheme and the tenant ID. This could help prevent common setup issues.

]]>https://fusionauth.io/community/forum/post/7853https://fusionauth.io/community/forum/post/7853Thu, 20 Feb 2025 02:38:47 GMT<![CDATA[Reply to Tenant Issuer configuration might not follow the OIDC specification on Thu, 20 Feb 2025 14:47:19 GMT]]>@cthos Thanks for the feedback. Since it does appear that you can configure as required, I'm not sure this constitutes a bug. However if it is confusing to you it is likely to others as well. It may be worth opening an issue for the dev team to take a look at.

]]>https://fusionauth.io/community/forum/post/7797https://fusionauth.io/community/forum/post/7797Thu, 20 Feb 2025 14:47:19 GMT