lhotari commented on PR #25052: URL: https://github.com/apache/pulsar/pull/25052#issuecomment-3655090801
> However, RFC 8414 defines `/.well-known/oauth-authorization-server` as the default, and some users may want to configure a different path.
>
> https://datatracker.ietf.org/doc/html/rfc8414#section-3
>
> This PR makes the authorization server metadata path configurable

@izumo27 It seems that according to RFC 8414, the logic is also different than what there is in the current implementation. https://www.rfc-editor.org/rfc/rfc8414.html#section-3.1

More specifically this part:

> If the issuer identifier value contains a path component, any
> terminating "/" MUST be removed before inserting "/.well-known/" and
> the well-known URI suffix between the host component and the path
> component. The client would make the following request when the
> issuer identifier is "https://example.com/issuer1" and the well-known
> URI suffix is "oauth-authorization-server" to obtain the metadata,
> since the issuer identifier contains a path component:
>
>     GET /.well-known/oauth-authorization-server/issuer1 HTTP/1.1
>     Host: example.com

Instead of appending `.well-known/oauth-authorization-server` to the path, the logic should be to prefix the path with `/.well-known/oauth-authorization-server`.
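The RFC 8414 section 3.1 construction quoted in the comment above, next to the appending form it is contrasted with, as an added example (not code from the PR or from Pulsar). The class and method names are hypothetical, `appended` is an assumption about what "appending" means, and the https / no-query / no-fragment check follows the issuer definition in RFC 8414 section 2.

```java
import java.net.URI;

public class Rfc8414MetadataUrl {
    static final String SUFFIX = "oauth-authorization-server";

    // RFC 8414 section 3.1: "/.well-known/" + suffix goes between host and path.
    static URI inserted(URI issuer, String suffix) {
        requireIssuer(issuer);
        String path = issuer.getRawPath() == null ? "" : issuer.getRawPath();
        if (path.endsWith("/")) {
            path = path.substring(0, path.length() - 1); // drop the terminating "/"
        }
        // Raw (still percent-encoded) parts are concatenated so nothing is re-encoded.
        return URI.create(issuer.getScheme() + "://" + issuer.getRawAuthority()
                + "/.well-known/" + suffix + path);
    }

    // Assumed shape of the appending form: suffix added after the issuer path.
    static URI appended(URI issuer, String suffix) {
        requireIssuer(issuer);
        String base = issuer.toString();
        if (base.endsWith("/")) {
            base = base.substring(0, base.length() - 1);
        }
        return URI.create(base + "/.well-known/" + suffix);
    }

    // RFC 8414 section 2: the issuer is an https URL with no query or fragment.
    static void requireIssuer(URI issuer) {
        if (!"https".equalsIgnoreCase(issuer.getScheme()) || issuer.getHost() == null
                || issuer.getRawQuery() != null || issuer.getRawFragment() != null) {
            throw new IllegalArgumentException("not a valid issuer identifier: " + issuer);
        }
    }

    public static void main(String[] args) {
        // Constructed sample issuers: no path, bare "/", path, path with trailing "/".
        String[] issuers = {"https://example.com", "https://example.com/",
            "https://example.com/issuer1", "https://example.com/issuer1/"};
        for (String s : issuers) {
            URI issuer = URI.create(s);
            System.out.println(s);
            System.out.println("  inserted: " + inserted(issuer, SUFFIX));
            System.out.println("  appended: " + appended(issuer, SUFFIX));
        }
    }
}
```

The two forms give the same URL only when the issuer has no path component; with a path they point at different resources on the same host.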
