fix(auth): surface exact OIDC issuer mismatches (#1666)

* fix(auth): surface exact OIDC issuer mismatches * fix(auth): align issuer mismatch hint with tests --------- Co-authored-by: SureBot <sure-bot@we-promise.com>
2026-05-07 21:04:12 +00:00 · 2026-05-05 00:47:45 +02:00
parent a108e6501e
commit 0954200ad4
3 changed files with 61 additions and 7 deletions
--- a/app/javascript/controllers/admin_sso_form_controller.js
+++ b/app/javascript/controllers/admin_sso_form_controller.js
@@ -111,10 +111,21 @@ export default class extends Controller {
      if (response.ok) {
        const data = await response.json()
        if (data.issuer) {
-          // Valid OIDC discovery endpoint
-          issuerInput.classList.remove('border-yellow-300', 'border-red-300')
-          issuerInput.classList.add('border-green-300')
-          this.showValidationMessage(issuerInput, 'Valid OIDC issuer', 'success')
+          if (data.issuer === issuer) {
+            issuerInput.classList.remove('border-yellow-300', 'border-red-300', 'border-amber-300')
+            issuerInput.classList.add('border-green-300')
+            this.showValidationMessage(issuerInput, 'Valid OIDC issuer', 'success')
+          } else {
+            issuerInput.classList.remove('border-yellow-300', 'border-green-300')
+            issuerInput.classList.add('border-amber-300')
+
+            const trailingSlashOnly = data.issuer.replace(/\/$/, '') === issuer.replace(/\/$/, '')
+            const message = trailingSlashOnly
+              ? `Issuer mismatch: discovery returned ${data.issuer}. This is usually a trailing slash mismatch, so copy the issuer exactly as returned.`
+              : `Issuer mismatch: discovery returned ${data.issuer}. Copy the issuer exactly as returned by the provider.`
+
+            this.showValidationMessage(issuerInput, message, 'warning')
+          }
        } else {
          throw new Error('Invalid discovery response')
        }