Unify issuer block parameters across DiscoveryController and IdToken

55728 · 55728 · commit 1494fb758eaf · 2026-04-05T17:33:02.000+09:00
The `issuer` configuration block received inconsistent parameters depending on the caller: - DiscoveryController passed `request` as the sole argument - IdToken passed `resource_owner, application` This made it impossible to write a single issuer block that works correctly in both contexts. Introduce `Doorkeeper::OpenidConnect.resolve_issuer` to centralize issuer resolution with a consistent interface: issuer do |resource_owner, application, request| request&.base_url || "https://default.example.com" end Backward compatibility is maintained via arity checks: - arity 0: called with no arguments - arity 1: called with `request` or `resource_owner` (legacy) - arity 2: called with `resource_owner, application` (generator default) - arity 3+: called with `resource_owner, application, request` (new) Closes #238
diff --git a/app/controllers/doorkeeper/openid_connect/discovery_controller.rb b/app/controllers/doorkeeper/openid_connect/discovery_controller.rb
@@ -130,11 +130,7 @@ def discovery_url_default_options
       end
 
       def issuer
-        if Doorkeeper::OpenidConnect.configuration.issuer.respond_to?(:call)
-          Doorkeeper::OpenidConnect.configuration.issuer.call(request).to_s
-        else
-          Doorkeeper::OpenidConnect.configuration.issuer
-        end
+        Doorkeeper::OpenidConnect.resolve_issuer(request: request)
       end
 
       %i[authorization token revocation introspection userinfo jwks webfinger dynamic_client_registration].each do |endpoint|
diff --git a/lib/doorkeeper/openid_connect.rb b/lib/doorkeeper/openid_connect.rb
@@ -66,6 +66,29 @@ def self.signing_key_normalized
       signing_key.export
     end
 
+    # Resolves the issuer value from the configuration, handling both
+    # static values and callable blocks with backward-compatible arity checks.
+    #
+    # @param resource_owner [Object, nil] the authenticated user (nil in discovery context)
+    # @param application [Object, nil] the OAuth application (nil in discovery context)
+    # @param request [ActionDispatch::Request, nil] the current request (nil in token context)
+    # @return [String] the issuer string
+    def self.resolve_issuer(resource_owner: nil, application: nil, request: nil)
+      issuer = configuration.issuer
+      return issuer.to_s unless issuer.respond_to?(:call)
+
+      case issuer.arity
+      when 0
+        issuer.call
+      when 1
+        issuer.call(request || resource_owner)
+      when 2
+        issuer.call(resource_owner, application)
+      else
+        issuer.call(resource_owner, application, request)
+      end.to_s
+    end
+
     Doorkeeper::GrantFlow.register(
       :id_token,
       response_type_matches: 'id_token',
diff --git a/lib/doorkeeper/openid_connect/id_token.rb b/lib/doorkeeper/openid_connect/id_token.rb
@@ -42,11 +42,10 @@ def as_jws_token
       private
 
       def issuer
-        if Doorkeeper::OpenidConnect.configuration.issuer.respond_to?(:call)
-          Doorkeeper::OpenidConnect.configuration.issuer.call(@resource_owner, @access_token.application).to_s
-        else
-          Doorkeeper::OpenidConnect.configuration.issuer
-        end
+        Doorkeeper::OpenidConnect.resolve_issuer(
+          resource_owner: @resource_owner,
+          application: @access_token.application
+        )
       end
 
       def subject
diff --git a/lib/generators/doorkeeper/openid_connect/templates/initializer.rb b/lib/generators/doorkeeper/openid_connect/templates/initializer.rb
@@ -1,7 +1,9 @@
 # frozen_string_literal: true
 
 Doorkeeper::OpenidConnect.configure do
-  issuer do |resource_owner, application|
+  issuer do |resource_owner, application, request|
+    # Example implementation:
+    # request&.base_url || 'https://example.com'
     'issuer string'
   end
 
diff --git a/spec/controllers/discovery_controller_spec.rb b/spec/controllers/discovery_controller_spec.rb
@@ -136,6 +136,23 @@
       end
     end
 
+    context 'when issuer block has arity 3 with request' do
+      before do
+        Doorkeeper::OpenidConnect.configure do
+          issuer do |_resource_owner, _application, request|
+            request.base_url
+          end
+        end
+      end
+
+      it 'passes the request object to the issuer block' do
+        get :provider
+        data = JSON.parse(response.body)
+
+        expect(data['issuer']).to eq 'http://test.host'
+      end
+    end
+
     context 'when grant_flows is configured with only client_credentials' do
       before { Doorkeeper.configure { grant_flows %w[client_credentials] } }
 
diff --git a/spec/lib/id_token_spec.rb b/spec/lib/id_token_spec.rb
@@ -73,6 +73,33 @@
         )
       end
     end
+
+    context 'when issuer block has arity 3' do
+      before do
+        Doorkeeper::OpenidConnect.configure do
+          issuer do |resource_owner, application, _request|
+            "#{resource_owner.id}-#{application&.uid}"
+          end
+
+          resource_owner_from_access_token do |access_token|
+            User.find_by(id: access_token.resource_owner_id)
+          end
+
+          auth_time_from_resource_owner do |resource_owner|
+            resource_owner.current_sign_in_at
+          end
+
+          subject do |resource_owner|
+            resource_owner.id
+          end
+        end
+      end
+
+      it 'passes resource_owner and application to the issuer block' do
+        claims = subject.claims
+        expect(claims[:iss]).to eq "#{user.id}-#{access_token.application.uid}"
+      end
+    end
   end
 
   describe '#as_json' do
diff --git a/spec/lib/openid_connect_spec.rb b/spec/lib/openid_connect_spec.rb
@@ -176,4 +176,110 @@
       end
     end
   end
+
+  describe '.resolve_issuer' do
+    let(:resource_owner) { double('ResourceOwner') }
+    let(:application) { double('Application') }
+    let(:request) { double('Request', base_url: 'https://example.com') }
+
+    context 'when issuer is a static string' do
+      before do
+        Doorkeeper::OpenidConnect.configure do
+          issuer 'https://static-issuer.example.com'
+        end
+      end
+
+      it 'returns the static string' do
+        expect(subject.resolve_issuer).to eq 'https://static-issuer.example.com'
+      end
+    end
+
+    context 'when issuer block has arity 0' do
+      before do
+        Doorkeeper::OpenidConnect.configure do
+          issuer do
+            'https://zero-arity.example.com'
+          end
+        end
+      end
+
+      it 'calls the block without arguments' do
+        expect(subject.resolve_issuer).to eq 'https://zero-arity.example.com'
+      end
+    end
+
+    context 'when issuer block has arity 1' do
+      before do
+        Doorkeeper::OpenidConnect.configure do
+          issuer do |request_or_owner|
+            "issuer-#{request_or_owner.class.name}"
+          end
+        end
+      end
+
+      it 'passes request when called from discovery context' do
+        result = subject.resolve_issuer(request: request)
+        expect(result).to include 'RSpec::Mocks::Double'
+      end
+
+      it 'passes resource_owner when called from token context' do
+        result = subject.resolve_issuer(resource_owner: resource_owner)
+        expect(result).to include 'RSpec::Mocks::Double'
+      end
+
+      it 'prefers request over resource_owner when both are present' do
+        result = subject.resolve_issuer(resource_owner: resource_owner, request: request)
+        expect(result).to eq subject.resolve_issuer(request: request)
+      end
+    end
+
+    context 'when issuer block has arity 2' do
+      before do
+        Doorkeeper::OpenidConnect.configure do
+          issuer do |resource_owner, application|
+            "owner-#{resource_owner&.class&.name}-app-#{application&.class&.name}"
+          end
+        end
+      end
+
+      it 'passes resource_owner and application' do
+        result = subject.resolve_issuer(resource_owner: resource_owner, application: application)
+        expect(result).to include('RSpec::Mocks::Double').twice
+      end
+
+      it 'passes nils from discovery context' do
+        result = subject.resolve_issuer(request: request)
+        expect(result).to eq 'owner--app-'
+      end
+    end
+
+    context 'when issuer block has arity 3' do
+      before do
+        Doorkeeper::OpenidConnect.configure do
+          issuer do |resource_owner, application, request|
+            if request
+              request.base_url
+            else
+              "owner-#{resource_owner&.class&.name}"
+            end
+          end
+        end
+      end
+
+      it 'passes all three arguments from discovery context' do
+        result = subject.resolve_issuer(request: request)
+        expect(result).to eq 'https://example.com'
+      end
+
+      it 'passes all three arguments from token context' do
+        result = subject.resolve_issuer(resource_owner: resource_owner, application: application)
+        expect(result).to include 'RSpec::Mocks::Double'
+      end
+
+      it 'passes all three arguments when all are present' do
+        result = subject.resolve_issuer(resource_owner: resource_owner, application: application, request: request)
+        expect(result).to eq 'https://example.com'
+      end
+    end
+  end
 end
