mirror of
https://github.com/spring-projects/spring-security.git
synced 2025-07-23 18:53:29 +00:00
32ce94d2dd
When the issuer is set in the provider metadata, we validate the iss field of the ID Token against it. The OpenID Connect Specification says this must always be validated. But this would be a breaking change for applications configured other than with ClientRegistrations.fromOidcIssuerLocation(issuer). This will be done later with #8326 Fixes gh-8321