From 0fab20e67a4efc9d517cb43862dde906aa627fe6 Mon Sep 17 00:00:00 2001
From: hsiegeln <37154749+hsiegeln@users.noreply.github.com>
Date: Mon, 6 Apr 2026 01:04:57 +0200
Subject: [PATCH] fix: append .well-known/openid-configuration to issuerUri in token exchanger
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

OidcTokenExchanger fetched the discovery document from the issuerUri as-is, but the database stores the issuer URI (e.g. /oidc), not the full discovery URL. Logto returns 404 for the bare issuer path. SecurityConfig already appended the well-known suffix — now the token exchanger does the same.

Co-Authored-By: Claude Opus 4.6 (1M context)
---
 .../cameleer3/server/app/security/OidcTokenExchanger.java | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/cameleer3-server-app/src/main/java/com/cameleer3/server/app/security/OidcTokenExchanger.java b/cameleer3-server-app/src/main/java/com/cameleer3/server/app/security/OidcTokenExchanger.java
index 058e1363..4110cdeb 100644
--- a/cameleer3-server-app/src/main/java/com/cameleer3/server/app/security/OidcTokenExchanger.java
+++ b/cameleer3-server-app/src/main/java/com/cameleer3/server/app/security/OidcTokenExchanger.java
@@ -198,10 +198,10 @@ public class OidcTokenExchanger {
 if (providerMetadata == null || !issuerUri.equals(cachedIssuerUri)) {
 synchronized (this) {
 if (providerMetadata == null || !issuerUri.equals(cachedIssuerUri)) {
- // Fetch the discovery document from the URI as-is — do not append
- // .well-known/openid-configuration automatically, the user provides
- // the complete URL.
- URL discoveryUrl = new URI(issuerUri).toURL();
+ String discoveryPath = issuerUri.endsWith("/")
+ ? issuerUri + ".well-known/openid-configuration"
+ : issuerUri + "/.well-known/openid-configuration";
+ URL discoveryUrl = new URI(discoveryPath).toURL();
 try (InputStream in = InsecureTlsHelper.openStream(discoveryUrl, securityProperties.isOidcTlsSkipVerify())) {
 JSONObject json = (JSONObject) new JSONParser(JSONParser.DEFAULT_PERMISSIVE_MODE)
 .parse(in);
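Review bot: The unconditional append on the four `+` lines turns an issuerUri that is already a full discovery URL — the contract the removed comment documented, so existing stored values may well have that shape — into `…/.well-known/openid-configuration/.well-known/openid-configuration`, which fails the same way the bare issuer path did; skipping the suffix when it is already present keeps both forms working. The concatenation also builds a silently wrong URL when issuerUri carries a query or fragment, which is cheap to reject before the fetch. Separately, OIDC Discovery requires the document's `issuer` value to equal the issuer it was fetched for; if that is not checked further down (the method continues past the hunk), a misconfigured or substituted endpoint could hand back a `jwks_uri` belonging to a different issuer, so compare `json.get("issuer")` against the configured issuer after the parse. The enclosing method starts before and ends after this hunk.
```java
String wellKnown = "/.well-known/openid-configuration";
String base = issuerUri.endsWith("/") ? issuerUri.substring(0, issuerUri.length() - 1) : issuerUri;
// Accept values stored as the full discovery URL (the previous contract) as well as bare issuers.
String discoveryPath = base.endsWith(wellKnown) ? base : base + wellKnown;
URI discoveryUri = new URI(discoveryPath);
if (discoveryUri.getQuery() != null || discoveryUri.getFragment() != null) {
    throw new IllegalArgumentException("issuerUri must not contain a query or fragment: " + issuerUri);
}
URL discoveryUrl = discoveryUri.toURL();
// … unchanged: openStream / JSONParser.parse …
```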