
Webfinger href does not match openid-configuration issuer

Summary

WebFinger is used for proof of domain ownership and for OIDC issuer URL discovery. When OIDC discovery is used, the OpenID Connect Discovery specification states that the issuer value in openid-configuration MUST be identical to the href value returned by WebFinger.

Unfortunately this is not the case with GitLab's current implementation.

Steps to reproduce

Compare the href in .well-known/webfinger with the issuer in .well-known/openid-configuration.

Example Project

https://gitlab.com/.well-known/webfinger?resource=example@example.org

https://gitlab.com/.well-known/openid-configuration
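The comparison described above, as an added example (not part of the original issue and not GitLab's own code): it pulls the href from the WebFinger link whose rel is the OIDC issuer relation, pulls the issuer from the openid-configuration document, and checks them for exact string equality, which is what the Discovery specification requires. The two JSON documents are constructed samples using the placeholder host gitlab.example; they are shaped like the real responses but were not captured from gitlab.com. The optional fetch helper assumes only the standard well-known paths.

```python
import json
import urllib.parse
import urllib.request
from typing import Optional

# Link relation that OpenID Connect Discovery 1.0 uses to locate the issuer
OIDC_ISSUER_REL = "http://openid.net/specs/connect/1.0/issuer"

# Constructed sample responses (placeholder host, not captured from gitlab.com):
# the WebFinger href carries a trailing slash, the openid-configuration issuer does not.
WEBFINGER_SAMPLE = json.dumps({
    "subject": "acct:example@example.org",
    "links": [{"rel": OIDC_ISSUER_REL, "href": "https://gitlab.example/"}],
})
OIDC_CONFIG_SAMPLE = json.dumps({
    "issuer": "https://gitlab.example",
    "authorization_endpoint": "https://gitlab.example/oauth/authorize",
})


def issuer_href_from_webfinger(webfinger_json: str) -> Optional[str]:
    """Return the href of the OIDC issuer link, or None if the document has none."""
    doc = json.loads(webfinger_json)
    for link in doc.get("links", []):
        if link.get("rel") == OIDC_ISSUER_REL:
            return link.get("href")
    return None


def issuer_from_openid_configuration(config_json: str) -> Optional[str]:
    """Return the issuer claim of an openid-configuration document."""
    return json.loads(config_json).get("issuer")


def check_issuer_match(webfinger_json: str, config_json: str) -> dict:
    """Compare WebFinger href and openid-configuration issuer.

    The specification requires the two to be identical, so the check is a plain
    string comparison with no trailing-slash, case or percent-encoding normalisation;
    a relying party that normalised here would hide exactly the bug being reported.
    The 'reason' field only classifies why a mismatch occurred, to aid debugging.
    """
    href = issuer_href_from_webfinger(webfinger_json)
    issuer = issuer_from_openid_configuration(config_json)
    result = {"href": href, "issuer": issuer, "match": False, "reason": None}
    if href is None or issuer is None:
        result["reason"] = "missing value"
    elif href == issuer:
        result["match"] = True
    elif href.rstrip("/") == issuer.rstrip("/"):
        result["reason"] = "trailing slash"
    else:
        result["reason"] = "different issuer"
    return result


def fetch_and_check(base_url: str, resource: str) -> dict:
    """Run the same check against a live server using the standard well-known paths."""
    query = urllib.parse.urlencode({"resource": resource})
    with urllib.request.urlopen(f"{base_url}/.well-known/webfinger?{query}") as resp:
        webfinger_json = resp.read().decode("utf-8")
    with urllib.request.urlopen(f"{base_url}/.well-known/openid-configuration") as resp:
        config_json = resp.read().decode("utf-8")
    return check_issuer_match(webfinger_json, config_json)


if __name__ == "__main__":
    print(check_issuer_match(WEBFINGER_SAMPLE, OIDC_CONFIG_SAMPLE))
```

On the constructed samples the result is a mismatch classified as "trailing slash"; once either side is changed so both strings agree, the same function reports a match.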

What is the current bug behavior?

The href value has a trailing slash and the issuer value does not. Therefore they do not match as required.

What is the expected correct behavior?

Both values should either have a trailing slash or neither should have one.

Possible fixes

Would welcome guidance on this. From what I understand, WebFinger is provided through the doorkeeper gem? And there is some refactoring on the way in #423079.

Edited by Felix Oertel