We just upgraded to the latest version of Tyk Gateway and Dashboard. With the new UI on the dashboard, when selecting the Open ID Connect authentication, it restricts the entry to just a hostname. `https://auth.server.com` and `auth.server.com` are fine, but not `https://auth.server.com/additional/path`. This appears to be a front-end only validation, as the APIs let you save the latter.
We use Keycloak as our IDP. Keycloak's `iss` is similar to my last example:
```json
{
  "jti": "3bee9b43-2390-4f6f-aa1f-9dcf9c7a9531",
  "exp": 1513107209,
  "nbf": 0,
  "iat": 1513020809,
  "iss": "https://login.xxxxx.com/auth/realms/mobile",
  "aud": "mobile",
  "sub": "2b73d5f2-4b8d-4016-9701-067ff10110a9",
  "typ": "Bearer",
  "azp": "mobile",
  ... etc ...
}
```
I believe the Dashboard validation is a bug.
Per the OIC standard:
> OpenID Connect supports multiple Issuers per Host and Port combination. The issuer returned by discovery MUST exactly match the value of iss in the ID Token.
>
> OpenID Connect treats the path component of any Issuer URI as being part of the Issuer Identifier. For instance, the subject “1234” with an Issuer Identifier of “https://example.com” is not equivalent to the subject “1234” with an Issuer Identifier of “https://example.com/sales”.
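Added example (not code from the post or from Tyk) illustrating why the path matters: a host-only issuer check accepts a token minted by a sibling Keycloak realm on the same host, while the exact-match comparison the spec requires rejects it. The realm URLs, subject and signature placeholder are constructed; signature verification is assumed to have happened before this step.

```python
import base64
import json
from urllib.parse import urlsplit

# Assumed gateway configuration: the full issuer URL including the realm path.
CONFIGURED_ISSUER = "https://login.example.com/auth/realms/mobile"


def _b64url(obj: dict) -> str:
    """Base64url-encode a JSON object without padding, as JWTs do."""
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_token(payload: dict) -> str:
    """Build a constructed compact JWT; the signature segment is a placeholder."""
    header = {"alg": "RS256", "typ": "JWT"}
    return f"{_b64url(header)}.{_b64url(payload)}.signature-placeholder"


def decode_payload(token: str) -> dict:
    """Return the claims of a compact JWT (signature assumed already verified)."""
    segment = token.split(".")[1]
    segment += "=" * (-len(segment) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(segment))


def host_only_match(configured: str, iss: str) -> bool:
    """The weak check a hostname-only field implies: path is discarded."""
    a, b = urlsplit(configured), urlsplit(iss)
    return (a.scheme, a.netloc) == (b.scheme, b.netloc)


def exact_issuer_match(configured: str, iss: str) -> bool:
    """The check OIDC Core requires: iss must match the Issuer Identifier exactly."""
    return configured == iss


def evaluate(token: str) -> dict:
    """Run both checks on a token's iss claim and report the verdicts."""
    iss = decode_payload(token)["iss"]
    return {"host_only": host_only_match(CONFIGURED_ISSUER, iss),
            "exact": exact_issuer_match(CONFIGURED_ISSUER, iss)}


# Constructed tokens: one from the expected realm, one from a sibling realm.
mobile_token = make_token({"iss": CONFIGURED_ISSUER, "aud": "mobile", "sub": "alice"})
sibling_token = make_token({"iss": "https://login.example.com/auth/realms/other",
                            "aud": "mobile", "sub": "alice"})

if __name__ == "__main__":
    for name, tok in (("mobile", mobile_token), ("sibling", sibling_token)):
        print(name, evaluate(tok))
```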