OIDC Authentication Issues with Auth0 and Trailing Slash in Issuer URL

Last updated: September 16, 2025

If you're experiencing issues setting up OIDC authentication with Auth0 where you receive an error about issuer mismatch related to trailing slashes, this is a known compatibility issue between Spacelift's OIDC implementation and Auth0's issuer URL format.

The Issue

You may encounter an error similar to:

oidc: issuer did not match the issuer returned by provider, expected "https://your-domain.com" got "https://your-domain.com/"

This occurs because Auth0 publishes its issuer with a trailing slash in the issuer field of its .well-known/openid-configuration document (the "got" value in the error), while Spacelift's OIDC library requires that field to be byte-for-byte identical to the issuer URL Spacelift was configured with (the "expected" value). A trailing slash alone is enough for the comparison to fail.

Why This Happens

Spacelift uses the go-oidc library, which strictly enforces that the issuer value returned in the discovery document is identical to the issuer URL used to retrieve it. The comparison is a plain string equality with no normalization, so a trailing slash is not ignored. Auth0 and this library have different interpretations of the OpenID Connect specification regarding trailing slashes in issuer URLs.
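The following Go program is an added illustration of the strict check described above; it is not code from Spacelift or from go-oidc. It embeds a constructed discovery document (placeholder domain your-domain.com, with the trailing slash Auth0 puts on its issuer), builds the well-known URL the way a typical client does (simplified assumption: a single trailing slash is stripped before the path is appended), and then compares the document's issuer field with the configured issuer as an exact string match. Running it shows why "https://your-domain.com" produces the error quoted earlier while "https://your-domain.com/" passes.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// discoveryDoc holds the fields of a .well-known/openid-configuration
// document that matter for this illustration.
type discoveryDoc struct {
	Issuer                string `json:"issuer"`
	AuthorizationEndpoint string `json:"authorization_endpoint"`
	TokenEndpoint         string `json:"token_endpoint"`
	JWKSURI               string `json:"jwks_uri"`
}

// DiscoveryURL builds the well-known URL for a configured issuer. A single
// trailing slash is stripped before appending the path, so both
// "https://your-domain.com" and "https://your-domain.com/" fetch the same
// document. This is a simplified assumption, not go-oidc's own code.
func DiscoveryURL(issuer string) string {
	return strings.TrimSuffix(issuer, "/") + "/.well-known/openid-configuration"
}

// CheckIssuer reproduces the strict comparison described in the text: the
// "issuer" field of the discovery document must equal the configured issuer
// exactly. It returns nil on a match, or an error in the same shape as the
// message quoted on this page.
func CheckIssuer(configured string, discoveryJSON []byte) error {
	var doc discoveryDoc
	if err := json.Unmarshal(discoveryJSON, &doc); err != nil {
		return fmt.Errorf("oidc: failed to decode provider discovery object: %w", err)
	}
	// No normalization: a trailing slash difference is a mismatch.
	if doc.Issuer != configured {
		return fmt.Errorf("oidc: issuer did not match the issuer returned by provider, expected %q got %q", configured, doc.Issuer)
	}
	return nil
}

// auth0StyleDiscovery is a constructed discovery document with a placeholder
// domain. It mimics the trailing slash Auth0 includes in its issuer.
const auth0StyleDiscovery = `{
  "issuer": "https://your-domain.com/",
  "authorization_endpoint": "https://your-domain.com/authorize",
  "token_endpoint": "https://your-domain.com/oauth/token",
  "jwks_uri": "https://your-domain.com/.well-known/jwks.json"
}`

func main() {
	for _, configured := range []string{"https://your-domain.com", "https://your-domain.com/"} {
		fmt.Printf("configured issuer %q -> fetch %s\n", configured, DiscoveryURL(configured))
		if err := CheckIssuer(configured, []byte(auth0StyleDiscovery)); err != nil {
			fmt.Println("  FAIL:", err)
		} else {
			fmt.Println("  OK: issuer matches exactly")
		}
	}
}
```

To see the exact issuer value your Auth0 tenant serves, fetch the discovery document directly (for example with curl against https://your-domain.com/.well-known/openid-configuration) and read its issuer field; that string, including any trailing slash, is what the library compares against.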

Potential Workarounds

You can try the following approaches with your Auth0 configuration:

  1. Adjust the issuer value: Check whether Auth0 allows you to change the issuer value served in the .well-known configuration so that it no longer ends with a trailing slash

  2. Use a custom domain: Create a custom domain or subdomain in Auth0 where the issuer and well-known URL are aligned without the trailing slash

Alternative Solution

If the above workarounds are not feasible with your Auth0 setup, you can use SAML authentication instead of OIDC as an alternative single sign-on method.

Future Considerations

This issue would require Spacelift to reimplement OIDC using a different library, which is not currently prioritized for development. If this feature is important to you, consider submitting a request through the Spacelift feedback portal where the community can upvote the request to help prioritize it.