From 564e7db68e0055971868e503bf49f4c53545e349 Mon Sep 17 00:00:00 2001
From: Russ Allbery <rra@lsst.org>
Date: Mon, 18 Nov 2024 17:15:51 -0800
Subject: [PATCH] Fix double slashes in openid-configuration URLs

Avoid double slashes in the endpoint URLs returned by
`/.well-known/openid-configuration`, fixing a bug introduced in
Gafaelfawr 12.0.0. The stringification of the base URL now always
includes a trailing slash for URLs with no path, which resulted
in a doubled slash and an invalid URL.
---
 changelog.d/20241118_171429_rra_DM_47646.md | 3 +++
 src/gafaelfawr/services/oidc.py             | 2 +-
 tests/handlers/oidc_test.py                 | 2 +-
 3 files changed, 5 insertions(+), 2 deletions(-)
 create mode 100644 changelog.d/20241118_171429_rra_DM_47646.md

diff --git a/changelog.d/20241118_171429_rra_DM_47646.md b/changelog.d/20241118_171429_rra_DM_47646.md
new file mode 100644
index 000000000..b6ca7921f
--- /dev/null
+++ b/changelog.d/20241118_171429_rra_DM_47646.md
@@ -0,0 +1,3 @@
+### Bug fixes
+
+- Avoid double slashes in the endpoint URLs returned by `/.well-known/openid-configuration`, fixing a bug introduced in Gafaelfawr 12.0.0.
diff --git a/src/gafaelfawr/services/oidc.py b/src/gafaelfawr/services/oidc.py
index ee9860f37..3e558a1bb 100644
--- a/src/gafaelfawr/services/oidc.py
+++ b/src/gafaelfawr/services/oidc.py
@@ -125,7 +125,7 @@ def get_jwks(self) -> JWKS:
 
     def get_openid_configuration(self) -> OIDCConfig:
         """Return the OpenID Connect configuration for the internal server."""
-        base_url = str(self._config.issuer)
+        base_url = str(self._config.issuer).rstrip("/")
         return OIDCConfig(
             issuer=base_url,
             authorization_endpoint=base_url + "/auth/openid/login",
diff --git a/tests/handlers/oidc_test.py b/tests/handlers/oidc_test.py
index 8338a89d2..9e0a774fe 100644
--- a/tests/handlers/oidc_test.py
+++ b/tests/handlers/oidc_test.py
@@ -866,7 +866,7 @@ async def test_well_known_oidc(
     r = await client.get("/.well-known/openid-configuration")
     assert r.status_code == 200
 
-    base_url = str(config.oidc_server.issuer)
+    base_url = str(config.oidc_server.issuer).rstrip("/")
     assert r.json() == {
         "issuer": base_url,
         "authorization_endpoint": base_url + "/auth/openid/login",