
OIDC openid-configuration issuer URL change breaks existing logins #35830

@Javex

Description


I recently updated to 1.25.0 and noticed that using Gitea as my OIDC Identity Provider broke, since the issuer URL changed. Specifically, I use my Gitea instance to log into Tailscale, which now reports this:

Tailscale received the following error trying to contact your OIDC provider: auth.OIDC("https://git.mydomain/"): oidc: issuer did not match the issuer returned by provider, expected "https://git.mydomain/" got "https://git.mydomain" 

Checking the source code, I found that commit 3533263 (Pull Request #34966) caused a change in behaviour. Previously, the issuer was set by response.Issuer = setting.AppURL, but it's now set through ctx.Data["OidcIssuer"] = jwtRegisteredClaims.Issuer.

That function looks like this:

```go
func NewJwtRegisteredClaimsFromUser(clientID string, grantUserID int64, exp *jwt.NumericDate) jwt.RegisteredClaims {
	// https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfig
	// The issuer value returned MUST be identical to the Issuer URL that was used as the prefix to /.well-known/openid-configuration
	// to retrieve the configuration information. This MUST also be identical to the "iss" Claim value in ID Tokens issued from this Issuer.
	// * https://accounts.google.com/.well-known/openid-configuration
	// * https://github.com/login/oauth/.well-known/openid-configuration
	return jwt.RegisteredClaims{
		Issuer:    strings.TrimSuffix(setting.AppURL, "/"),
		Audience:  []string{clientID},
		Subject:   strconv.FormatInt(grantUserID, 10),
		ExpiresAt: exp,
	}
}
```

It explicitly includes a TrimSuffix call that removes the trailing slash that Tailscale expects on login.

I'm not sure if this counts as a bug, but I didn't see it as a breaking change on https://blog.gitea.com/release-of-1.25.0/ so it's probably worth either removing this new logic (i.e. don't trim the trailing / from the issuer URL) or updating the announcement to clarify that some OIDC integrations might break and should first update their issuer URL.
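The failure above comes from the exact-match rule the Discovery spec quotes: a relying party compares the `issuer` field of the discovery document byte-for-byte with the issuer it was configured with, so `"https://git.mydomain/"` and `"https://git.mydomain"` are two different issuers even though they resolve the same discovery URL. The following is an added, self-contained Go example (not Gitea or Tailscale code) that models both sides: a provider that serves the discovery document with or without the trailing slash trimmed, and a client check in the style of Go OIDC client libraries, producing the same error wording quoted in the report. The host `git.example` and the helper names are constructed for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// providerConfig holds the only discovery-document field this example needs.
type providerConfig struct {
	Issuer string `json:"issuer"`
}

// discoveryDocument returns the JSON a Gitea-like provider serves at
// <AppURL>.well-known/openid-configuration.
// trimSlash=true mirrors the 1.25.0 behaviour (strings.TrimSuffix(setting.AppURL, "/")),
// trimSlash=false mirrors the earlier behaviour (issuer = setting.AppURL verbatim).
func discoveryDocument(appURL string, trimSlash bool) []byte {
	issuer := appURL
	if trimSlash {
		issuer = strings.TrimSuffix(appURL, "/")
	}
	b, err := json.Marshal(providerConfig{Issuer: issuer})
	if err != nil {
		panic(err) // cannot happen for a struct of one string field
	}
	return b
}

// discoveryURL is the URL a client derives from its configured issuer. Clients
// normalise the trailing slash here, which is why both issuer spellings reach the
// same endpoint while the later comparison still fails.
func discoveryURL(issuer string) string {
	return strings.TrimSuffix(issuer, "/") + "/.well-known/openid-configuration"
}

// verifyIssuer applies the Discovery rule: the "issuer" in the document MUST be
// identical to the configured issuer. No normalisation is performed on purpose,
// because a lenient comparison would let a differently-scoped issuer pass.
func verifyIssuer(configured string, doc []byte) error {
	var cfg providerConfig
	if err := json.Unmarshal(doc, &cfg); err != nil {
		return fmt.Errorf("parse discovery document: %w", err)
	}
	if cfg.Issuer != configured {
		return fmt.Errorf("oidc: issuer did not match the issuer returned by provider, expected %q got %q", configured, cfg.Issuer)
	}
	return nil
}

func main() {
	const appURL = "https://git.example/" // constructed; Gitea's AppURL always ends in "/"
	cases := []struct {
		configured string // what the relying party (e.g. Tailscale) has in its settings
		trim       bool   // whether the provider trims the slash (1.25.0 behaviour)
	}{
		{"https://git.example/", false}, // pre-1.25.0: works
		{"https://git.example/", true},  // 1.25.0 with old client config: fails
		{"https://git.example", true},   // 1.25.0 after updating the client issuer: works
	}
	for _, tc := range cases {
		fmt.Printf("fetch %s\n", discoveryURL(tc.configured))
		err := verifyIssuer(tc.configured, discoveryDocument(appURL, tc.trim))
		fmt.Printf("  configured=%q trim=%v -> err=%v\n", tc.configured, tc.trim, err)
	}
}
```

The third case is the mitigation the report suggests for integrators: after upgrading, set the client's issuer to the form without the trailing slash so that it matches what the provider now advertises; the comparison itself should stay strict, since relaxing it on the client side would weaken issuer validation for every provider, not just this one.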

Gitea Version

1.25.0

Can you reproduce the bug on the Gitea demo site?

No

Log Gist

No response

Screenshots

No response

Git Version

No response

Operating System

No response

How are you running Gitea?

Gitea Helm chart on k8s, but with updated image tag to run 1.25.0

Database

None
