Google OIDC wrong issuer url

Hello there!

I’ve no luck configuring OIDC with Google auth.
As you can see, I have a valid link for the issuer(oh, and check Authorized Actions on Auth Method’s Collections section please, accountsS looks like a typo).

➜  ~ boundary auth-methods read -id amoidc_45t1cB1Sut     

Auth Method information:
  Created Time:           Mon, 19 Apr 2021 06:05:15 UTC
  ID:                     amoidc_45t1cB1Sut
  Is Primary For Scope:   false
  Name:                   google
  Type:                   oidc
  Updated Time:           Mon, 19 Apr 2021 06:13:59 UTC
  Version:                2

    ID:                   global
    Name:                 global
    Type:                 global

  Authorized Actions:

  Authorized Actions on Auth Method's Collections:

    api_url_prefix:       http://localhost:9200
    callback_url:         http://localhost:9200/v1/auth-methods/amoidc_45t1cB1Sut:authenticate:callback
    client_secret_hmac:   blah-kSdA
    max_age:              0
    signing_algorithms:   [RS256]
    state:                inactive

But when I try to set it as active, I see the error.

➜  ~ boundary auth-methods change-state oidc -id amoidc_45t1cB1Sut -state active-public
Error from controller when performing change-state on oidc-type auth method

Error information:
  Kind:                InvalidArgument
  Message:             Unable to change auth method state: oidc.(Repository).MakePublic: oidc.(Repository).transitionAuthMethodTo: oidc.(Repository).ValidateDiscoveryInfo: oidc.convertToProvider: AuthMethod cannot be converted to a valid OIDC Provider: parameter violation: error #100: NewProvider: unable to create provider: oidc: issuer
  did not match the issuer returned by provider, expected "" got "".
  Status:              400
  context:             Error from controller when performing change-state on oidc-type auth method
1 Like

I think you may have an extra trailing / in the issuer you’ve configured.

Yep, you are right. After a new try, I skip these steps:

boundary auth-methods update oidc -id amoidc_45t1cB1Sut -issuer "" -max-age 0

And it works now.

This a little confusing because I tried to use what it is expected for )))

Happy to hear it’s working for you!

FYI, Boundary validates the issuer against the OIDC discovery document published by the provider. In this case, the auth method’s issuer didn’t match the discovery document, so Boundary raised an error.

Thank you for the clarification!