Integration between Boundary OIDC & Oracle IDCS

For configuring OIDC for Oracle IDCS we are using the Issuer URL https://idcs-xxxx.identity.oraclecloud.com/

which is not working, as when I activate the OIDC auth method it is giving an error.

My assumption is that the Issuer URL https://idcs-xxxx.identity.oraclecloud.com/ is not getting redirected to https://idcs-xxxx.identity.oraclecloud.com/.well-known/openid-configuration

Sorry you’re having “issues”. Based on what you’ve posted, my guess is that the issuer from the discovery doc doesn’t match the issuer used to look up the discovery document. Currently, Boundary doesn’t support skipping the verification, and the issuer used for discovery has to match the issuer in the discovery document.

I’m not sure at the moment how/when we might look into allowing this sort of non-spec-compliant workflow. I’ve opened an issue: “unable to configure oidc auth method if issuer doesn't match discovery document issuer” (hashicorp/boundary#1935 on GitHub).

What should be the issuer URL for IDCS? We are using
"https://MYTENTANT.identity.oraclecloud.com/", which is giving an error when we are activating this OIDC auth.

The OIDC spec requires the issuer in the discovery doc for the provider to match the issuer URL used to retrieve the discovery doc. In this case, you’re using "https://MYTENTANT.identity.oraclecloud.com/" to retrieve the correct discovery doc, but in that discovery doc the issuer is defined as “https://identity.oraclecloud.com”, which unfortunately doesn’t match the OIDC spec requirements.

Unfortunately, Boundary currently requires providers to adhere to the OIDC spec, and we’d have to build some sort of mechanism in Boundary to support non-spec-compliant providers… at this point, I’m not sure if/when we might build in this sort of non-spec OIDC support. I have opened issue #1935 to put it on the radar as a known issue.
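The issuer-matching rule discussed in the replies above, as an added example that is not part of the thread and is not Boundary's own code: it builds the discovery URL from a configured issuer, then checks the fetched document the way OpenID Connect Discovery 1.0 (section 4.3) requires, with the `issuer` value compared for exact identity. Both discovery documents and all hostnames (`op.example.test`, `MYTENANT.identity.example.test`) are constructed samples; the second one is shaped like the mismatch described in the thread, where a tenant-specific URL is used for discovery but the document advertises a tenant-less issuer.

```python
"""Check an OIDC discovery document against the issuer URL used to fetch it.

Added illustration of the rule from the thread (OpenID Connect Discovery 1.0,
section 4.3): the 'issuer' in the document must be identical to the issuer
URL that was used as the prefix for /.well-known/openid-configuration.
Not Boundary's code; all sample data below is constructed.
"""
import json
from urllib.parse import urlsplit

WELL_KNOWN = "/.well-known/openid-configuration"


def discovery_url(issuer: str) -> str:
    """Build the discovery URL: issuer (trailing slash dropped) + well-known path."""
    return issuer.rstrip("/") + WELL_KNOWN


def check_issuer(issuer: str, discovery_doc: str) -> dict:
    """Validate a discovery document (JSON text) against the configured issuer.

    Returns {'ok': bool, 'discovery_url': str, 'problems': [str, ...]} so a
    caller can report the precise reason instead of a generic activation error.
    """
    problems = []
    parts = urlsplit(issuer)
    if parts.scheme != "https":
        problems.append("issuer must use the https scheme")
    if parts.query or parts.fragment:
        problems.append("issuer must not contain a query or fragment component")

    doc = json.loads(discovery_doc)
    doc_issuer = doc.get("issuer")
    if doc_issuer is None:
        problems.append("discovery document has no 'issuer' field")
    elif doc_issuer != issuer:
        # The spec requires the two values to be identical; no normalisation
        # (trailing slash, case, host) is applied. A provider that advertises
        # a bare-domain issuer therefore fails when configured per tenant.
        problems.append(
            f"issuer mismatch: configured {issuer!r} but discovery document says {doc_issuer!r}"
        )

    # Fields every provider must publish for the auth-code flow to work.
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if key not in doc:
            problems.append(f"discovery document is missing required field {key!r}")

    return {"ok": not problems, "discovery_url": discovery_url(issuer), "problems": problems}


# Constructed sample: spec-compliant provider (document issuer == configured issuer).
COMPLIANT_ISSUER = "https://op.example.test"
COMPLIANT_DOC = json.dumps({
    "issuer": "https://op.example.test",
    "authorization_endpoint": "https://op.example.test/authorize",
    "token_endpoint": "https://op.example.test/token",
    "jwks_uri": "https://op.example.test/jwks",
})

# Constructed sample shaped like the thread's case: the tenant URL is used for
# discovery, but the document advertises a tenant-less issuer.
TENANT_ISSUER = "https://MYTENANT.identity.example.test/"
TENANT_DOC = json.dumps({
    "issuer": "https://identity.example.test",
    "authorization_endpoint": "https://MYTENANT.identity.example.test/oauth2/v1/authorize",
    "token_endpoint": "https://MYTENANT.identity.example.test/oauth2/v1/token",
    "jwks_uri": "https://MYTENANT.identity.example.test/admin/v1/SigningCert/jwk",
})


if __name__ == "__main__":
    for issuer, doc in ((COMPLIANT_ISSUER, COMPLIANT_DOC), (TENANT_ISSUER, TENANT_DOC)):
        result = check_issuer(issuer, doc)
        status = "OK" if result["ok"] else "; ".join(result["problems"])
        print(f"{result['discovery_url']} -> {status}")
```

Running the block prints one line per sample: the compliant provider passes, and the tenant-style sample is rejected with an explicit issuer-mismatch message, which is the same condition the thread describes Boundary enforcing. Relaxing the comparison (for example, accepting any issuer under the same parent domain) would let a configured issuer point at a document that a different party controls, which is why a strict check is the safe default.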