Multi-Tenant Issuer Validation Issue

[MikeSpringall]

Not sure if this is by design or not but the validateIssuer() method in the OpenIDConnectClient class strictly matches the iss claim against a single issuer. This works well for single-tenant applications but causes problems in a multi-tenant environment, where tokens are issued with different tenant IDs in the iss claim?

Currently I'm having to put a workaround in place to handle this.

[DeepDiver1975]

You have basically two options:

• subclass the client and implement the protected method the way you like -

  OpenID-Connect-PHP/src/OpenIDConnectClient.php

  Line 1177 in 9af21bd

  protected function validateIssuer(string $iss): bool

• use setIssuerValidator to inject your own code -

  OpenID-Connect-PHP/src/OpenIDConnectClient.php

  Line 1534 in 9af21bd

  public function setIssuerValidator(callable $issuerValidator) {