auth: add required issuer to OAuth (#152385)

2026-03-21 02:03:27 +01:00 · 2025-10-14 14:50:38 +02:00
parent 26fec2fdcc
commit 1237010b4a
2 changed files with 22 additions and 12 deletions
--- a/homeassistant/components/auth/login_flow.py
+++ b/homeassistant/components/auth/login_flow.py
@@ -136,17 +136,22 @@ class WellKnownOAuthInfoView(HomeAssistantView):
            url_prefix = get_url(hass, require_current_request=True)
        except NoURLAvailableError:
            url_prefix = ""
-        return self.json(
-            {
-                "authorization_endpoint": f"{url_prefix}/auth/authorize",
-                "token_endpoint": f"{url_prefix}/auth/token",
-                "revocation_endpoint": f"{url_prefix}/auth/revoke",
-                "response_types_supported": ["code"],
-                "service_documentation": (
-                    "https://developers.home-assistant.io/docs/auth_api"
-                ),
-            }
-        )
+
+        metadata = {
+            "authorization_endpoint": f"{url_prefix}/auth/authorize",
+            "token_endpoint": f"{url_prefix}/auth/token",
+            "revocation_endpoint": f"{url_prefix}/auth/revoke",
+            "response_types_supported": ["code"],
+            "service_documentation": (
+                "https://developers.home-assistant.io/docs/auth_api"
+            ),
+        }
+
+        # Add issuer only when we have a valid base URL (RFC 8414 compliance)
+        if url_prefix:
+            metadata["issuer"] = url_prefix
+
+        return self.json(metadata)


 class AuthProvidersView(HomeAssistantView):
--- a/tests/components/auth/test_login_flow.py
+++ b/tests/components/auth/test_login_flow.py
@@ -374,7 +374,7 @@ async def test_login_exist_user_ip_changes(

@pytest.mark.usefixtures("current_request_with_host")  # Has example.com host
@pytest.mark.parametrize(
-    ("config", "expected_url_prefix"),
+    ("config", "expected_url_prefix", "extra_response_data"),
    [
        (
            {
@@ -383,6 +383,7 @@ async def test_login_exist_user_ip_changes(
                "external_url": "https://example.com",
            },
            "https://example.com",
+            {"issuer": "https://example.com"},
        ),
        (
            {
@@ -391,6 +392,7 @@ async def test_login_exist_user_ip_changes(
                "external_url": "https://other.com",
            },
            "https://example.com",
+            {"issuer": "https://example.com"},
        ),
        (
            {
@@ -399,6 +401,7 @@ async def test_login_exist_user_ip_changes(
                "external_url": "https://again.com",
            },
            "",
+            {},
        ),
    ],
    ids=["external_url", "internal_url", "no_match"],
@@ -408,6 +411,7 @@ async def test_well_known_auth_info(
    aiohttp_client: ClientSessionGenerator,
    config: dict[str, str],
    expected_url_prefix: str,
+    extra_response_data: dict[str, str],
 ) -> None:
    """Test the well-known OAuth authorization server endpoint with different URL configurations."""
    await async_process_ha_core_config(hass, config)
@@ -417,6 +421,7 @@ async def test_well_known_auth_info(
    )
    assert resp.status == 200
    assert await resp.json() == {
+        **extra_response_data,
        "authorization_endpoint": f"{expected_url_prefix}/auth/authorize",
        "token_endpoint": f"{expected_url_prefix}/auth/token",
        "revocation_endpoint": f"{expected_url_prefix}/auth/revoke",