SERVER-92329 Support issuers with trailing slashes in OIDC (#25217)

GitOrigin-RevId: 8b812e036b4f99f1c0ae17e1452b8b251a1f5e4d

Author: adriangzz

src/mongo/db/auth/oauth_discovery_factory.cpp

@@ -46,6 +46,13 @@ OAuthAuthorizationServerMetadata OAuthDiscoveryFactory::acquire(StringData issue
     // '.well-known/oauth-authorization-server'. However, that endpoint uses a different URL
     // construction scheme which doesn't seem to work with any of the authorization servers we've
     // tested.
+
+    // Some issuers URL will end with '/', we should remove it since we add it when forming the
+    // configuration endpoint.
+    if (issuer.endsWith("/"_sd)) {
+        issuer = issuer.substr(0, issuer.size() - 1);
+    }
+
     auto openIDConfiguationEndpoint = "{}/.well-known/openid-configuration"_format(issuer);
 
     DataBuilder results = _client->get(openIDConfiguationEndpoint);

src/mongo/db/auth/oauth_discovery_factory_test.cpp

@@ -149,6 +149,20 @@ TEST_F(OAuthDiscoveryFactoryFixture, LookupsMustBeSecure) {
     ASSERT_THROWS(factory.acquire("http://idp.example"), DBException);
 }
 
+TEST_F(OAuthDiscoveryFactoryFixture, DiscoveryIssuerWithFwdSlash) {
+    auto defaultMetadata = makeDefaultMetadata();
+
+    std::unique_ptr<MockHttpClient> client = std::make_unique<MockHttpClient>();
+    client->expect(
+        {HttpClient::HttpMethod::kGET, "https://idp.example/.well-known/openid-configuration"},
+        {200, {}, defaultMetadata.toBSON().jsonString()});
+
+    OAuthDiscoveryFactory factory(std::move(client));
+    OAuthAuthorizationServerMetadata metadata = factory.acquire("https://idp.example/");
+
+    ASSERT_EQ(defaultMetadata, metadata);
+}
+
 TEST_F(OAuthDiscoveryFactoryFixture, IssuerAndJWKSUriMustBeSecure) {
     auto defaultMetadata = makeDefaultMetadata();