providers/oauth2: make iss field configurable

authentik/providers/oauth2/api.py

@@ -27,6 +27,7 @@ class OAuth2ProviderSerializer(ModelSerializer, MetaNameSerializer):
             "redirect_uris",
             "sub_mode",
             "property_mappings",
+            "issuer_mode",
             "verbose_name",
             "verbose_name_plural",
         ]

authentik/providers/oauth2/forms.py

@@ -53,14 +53,15 @@ class OAuth2ProviderForm(forms.ModelForm):
             "client_type",
             "client_id",
             "client_secret",
-            "response_type",
             "token_validity",
-            "include_claims_in_id_token",
             "jwt_alg",
+            "response_type",
+            "property_mappings",
             "rsa_key",
             "redirect_uris",
             "sub_mode",
-            "property_mappings",
+            "include_claims_in_id_token",
+            "issuer_mode",
         ]
         widgets = {
             "name": forms.TextInput(),

authentik/providers/oauth2/migrations/0008_oauth2provider_issuer_mode.py

@@ -0,0 +1,28 @@
+# Generated by Django 3.1.4 on 2020-12-27 13:54
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("authentik_providers_oauth2", "0007_auto_20201016_1107"),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name="oauth2provider",
+            name="issuer_mode",
+            field=models.TextField(
+                choices=[
+                    ("global", "Same identifier is used for all providers"),
+                    (
+                        "per_provider",
+                        "Each provider has a different issuer, based on the application slug.",
+                    ),
+                ],
+                default="per_provider",
+                help_text="Configure how the issuer field of the ID Token should be filled.",
+            ),
+        ),
+    ]

authentik/providers/oauth2/models.py

@@ -70,6 +70,15 @@ class SubModes(models.TextChoices):
     )
 
 
+class IssuerMode(models.TextChoices):
+    """Configure how the `iss` field is created."""
+
+    GLOBAL = "global", _("Same identifier is used for all providers")
+    PER_PROVIDER = "per_provider", _(
+        "Each provider has a different issuer, based on the application slug."
+    )
+
+
 class ResponseTypes(models.TextChoices):
     """Response Type required by the client."""
 
@@ -193,6 +202,13 @@ class OAuth2Provider(Provider):
             )
         ),
     )
+    issuer_mode = models.TextField(
+        choices=IssuerMode.choices,
+        default=IssuerMode.PER_PROVIDER,
+        help_text=_(
+            ("Configure how the issuer field of the ID Token should be filled.")
+        ),
+    )
 
     rsa_key = models.ForeignKey(
         CertificateKeyPair,
@@ -254,6 +270,8 @@ class OAuth2Provider(Provider):
 
     def get_issuer(self, request: HttpRequest) -> Optional[str]:
         """Get issuer, based on request"""
+        if self.issuer_mode == IssuerMode.GLOBAL:
+            return request.build_absolute_uri("/")
         try:
             mountpoint = AuthentikProviderOAuth2Config.mountpoints[
                 "authentik.providers.oauth2.urls"

swagger.yaml

@@ -7887,6 +7887,13 @@ definitions:
           type: string
           format: uuid
         uniqueItems: true
+      issuer_mode:
+        title: Issuer mode
+        description: Configure how the issuer field of the ID Token should be filled.
+        type: string
+        enum:
+          - global
+          - per_provider
       verbose_name:
         title: Verbose name
         type: string