[PR #995] [MERGED] fix(oidc): normalise trailing slash in issuer comparison to fix Authentik login #1145

Closed
opened 2026-05-06 12:35:19 +02:00 by BreizhHardware · 0 comments

📋 Pull Request Information

Original PR: https://github.com/maziggy/bambuddy/pull/995
Author: @netscout2001
Created: 4/16/2026
Status: Merged
Merged: 4/16/2026
Merged by: @maziggy

Base: dev ← Head: feature/2fa-oidc-authentication


📝 Commits (2)

  • 03fa718 fix(oidc): normalise trailing slash on both sides of issuer comparison
  • 763092f Merge branch 'dev' into feature/2fa-oidc-authentication

📊 Changes

2 files changed (+127 additions, -6 deletions)

📝 backend/app/api/routes/mfa.py (+9 -6)
📝 backend/tests/integration/test_mfa_api.py (+118 -0)

📄 Description

Follow-up to #985.

Problem

Authentik includes a trailing slash in the JWT iss claim
(<https://authentik.example.com/application/o/app/>) while the discovery
document issuer field may omit it, or vice versa. PyJWT's built-in issuer
validation does an exact string comparison, causing InvalidIssuerError and
redirecting the user back to the login page with token_validation_failed.

Fix

Disable PyJWT's issuer= parameter and compare both sides after
rstrip('/') so the check is slash-agnostic.

Includes a regression test: provider configured without trailing slash,
JWT iss claim with trailing slash → login succeeds.


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
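The slash-agnostic issuer check the PR describes, as an added example that is not bambuddy's code: a stdlib-only HS256 token stands in for the Authentik ID token, the library-level issuer comparison is left off, and the iss claim is compared after rstrip('/') on both sides. The key, make_jwt and verify_id_token are constructed for this example; normalisation touches only trailing slashes, so any other difference in scheme, host or path still fails the check.

```python
import base64
import hashlib
import hmac
import json


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_jwt(claims: dict, key: bytes) -> str:
    """Build a signed HS256 JWT (constructed test token, not Authentik output)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def normalise_issuer(iss: str) -> str:
    """Strip trailing slashes only; scheme, host, path and case stay significant."""
    return iss.rstrip("/")


def issuer_matches(expected: str, actual) -> bool:
    """Exact match after normalising both sides; a missing iss never matches."""
    if not isinstance(actual, str) or not actual:
        return False
    return normalise_issuer(expected) == normalise_issuer(actual)


def verify_id_token(token: str, key: bytes, expected_issuer: str) -> dict:
    """Verify the signature first, then the issuer; raise ValueError on mismatch.

    With PyJWT this is the shape of jwt.decode(...) called without issuer=,
    followed by issuer_matches() on the claims it returns.
    """
    header, body, sig = token.split(".")
    want = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(want, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body))
    if not issuer_matches(expected_issuer, claims.get("iss")):
        raise ValueError("invalid issuer")
    return claims
```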
