fix: tolerate trailing slash when matching trusted issuers

credentials/verifier_default.go

@@ -108,7 +108,7 @@ func (v *VerifierDefault) Verify(
 	}
 
 	if len(r.Issuers) > 0 {
-		if !slices.Contains(r.Issuers, parsedClaims.Issuer) {
+		if !matchesTrustedIssuer(r.Issuers, parsedClaims.Issuer) {
 			return nil, herodot.ErrUnauthorized().WithReasonf("Token issuer does not match any trusted issuer %s.", parsedClaims.Issuer).
 				WithDetail("received issuers", strings.Join(r.Issuers, ", "))
 		}
@@ -166,3 +166,20 @@ func scope(claims map[string]interface{}) ([]string, string) {
 		return []string{}, key
 	}
 }
+
+// matchesTrustedIssuer reports whether the token issuer matches any of the
+// trusted issuers, treating issuers that differ only by a trailing slash as
+// equal. This avoids rejecting otherwise-valid tokens when the trusted_issuers
+// configuration and the token's "iss" claim disagree on a trailing "/" (for
+// example "https://issuer" versus "https://issuer/").
+//
+// See https://github.com/ory/oathkeeper/issues/527.
+func matchesTrustedIssuer(trusted []string, issuer string) bool {
+	issuer = strings.TrimSuffix(issuer, "/")
+	for _, t := range trusted {
+		if strings.TrimSuffix(t, "/") == issuer {
+			return true
+		}
+	}
+	return false
+}

credentials/verifier_default_test.go

@@ -301,6 +301,46 @@ func TestVerifierDefault(t *testing.T) {
 			}, "file://../test/stub/jwks-hs.json"),
 			expectErr: true,
 		},
+		{
+			d: "should pass when the trusted issuer has a trailing slash but the token issuer does not (issue #527)",
+			c: &ValidationContext{
+				Algorithms: []string{"HS256"},
+				Issuers:    []string{"https://my-issuer/"},
+				KeyURLs:    []url.URL{*x.ParseURLOrPanic("file://../test/stub/jwks-hs.json")},
+			},
+			token: sign(jwt.MapClaims{
+				"sub": "sub",
+				"exp": now.Add(time.Hour).Unix(),
+				"iss": "https://my-issuer",
+			}, "file://../test/stub/jwks-hs.json"),
+		},
+		{
+			d: "should pass when the token issuer has a trailing slash but the trusted issuer does not (issue #527)",
+			c: &ValidationContext{
+				Algorithms: []string{"HS256"},
+				Issuers:    []string{"https://my-issuer"},
+				KeyURLs:    []url.URL{*x.ParseURLOrPanic("file://../test/stub/jwks-hs.json")},
+			},
+			token: sign(jwt.MapClaims{
+				"sub": "sub",
+				"exp": now.Add(time.Hour).Unix(),
+				"iss": "https://my-issuer/",
+			}, "file://../test/stub/jwks-hs.json"),
+		},
+		{
+			d: "should still fail when the issuer genuinely differs despite trailing-slash normalization (issue #527)",
+			c: &ValidationContext{
+				Algorithms: []string{"HS256"},
+				Issuers:    []string{"https://my-issuer/"},
+				KeyURLs:    []url.URL{*x.ParseURLOrPanic("file://../test/stub/jwks-hs.json")},
+			},
+			token: sign(jwt.MapClaims{
+				"sub": "sub",
+				"exp": now.Add(time.Hour).Unix(),
+				"iss": "https://evil-issuer",
+			}, "file://../test/stub/jwks-hs.json"),
+			expectErr: true,
+		},
 	} {
 		t.Run(fmt.Sprintf("case=%d/description=%s", k, tc.d), func(t *testing.T) {
 			claims, err := verifier.Verify(context.Background(), tc.token, tc.c)

oryx/openapix/jsonpatch.go

@@ -12,7 +12,7 @@ type JSONPatchDocument []JSONPatch
 //
 // swagger:model jsonPatch
 type JSONPatch struct {
-	// The operation to be performed. One of "add", "remove", "replace", "move", "copy", or "test".
+	// The operation to be performed. One of "add", "remove", or "replace".
 	//
 	// required: true
 	// example: replace