Validate ID Token Issuer

When the issuer is set in the provider metadata, we validate the iss
field of the ID Token against it.

The OpenID Connect Specification says this must always be validated.
But this would be a breaking change for applications configured other
than with ClientRegistrations.fromOidcIssuerLocation(issuer). This will
be done later with #8326

fixes gh-8321

Author: furti

oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/oidc/authentication/OidcIdTokenValidator.java

@@ -33,6 +33,7 @@
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
+import java.util.Objects;
 
 /**
  * An {@link OAuth2TokenValidator} responsible for
@@ -68,7 +69,12 @@ public OAuth2TokenValidatorResult validate(Jwt idToken) {
 
 		// 2. The Issuer Identifier for the OpenID Provider (which is typically obtained during Discovery)
 		// MUST exactly match the value of the iss (issuer) Claim.
-		// TODO Depends on gh-4413
+		String metadataIssuer = (String) this.clientRegistration.getProviderDetails().getConfigurationMetadata()
+				.get("issuer");
+
+		if (metadataIssuer != null && !Objects.equals(metadataIssuer, idToken.getIssuer().toExternalForm())) {
+			invalidClaims.put(IdTokenClaimNames.ISS, idToken.getIssuer());
+		}
 
 		// 3. The Client MUST validate that the aud (audience) Claim contains its client_id value
 		// registered at the Issuer identified by the iss (issuer) Claim as an audience.

oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/oidc/authentication/OidcIdTokenValidatorTests.java

@@ -92,6 +92,35 @@ public void validateWhenIssuerNullThenHasErrors() {
 				.allMatch(msg -> msg.contains(IdTokenClaimNames.ISS));
 	}
 
+	@Test
+	public void validateWhenMetadataIssuerMismatchThenHasErrors() {
+		/*
+		 * When the issuer is set in the provider metadata, and it does not match the issuer in the ID Token,
+		 * the validation must fail
+		 */
+		Map<String, Object> configurationMetadata = new HashMap<>();
+		configurationMetadata.put("issuer", "https://issuer.somethingelse.com");
+		this.registration = this.registration.providerConfigurationMetadata(configurationMetadata);
+
+		assertThat(this.validateIdToken())
+				.hasSize(1)
+				.extracting(OAuth2Error::getDescription)
+				.allMatch(msg -> msg.contains(IdTokenClaimNames.ISS));
+	}
+
+	@Test
+	public void validateWhenMetadataIssuerMatchThenNoErrors() {
+		/*
+		 * When the issuer is set in the provider metadata, and it does match the issuer in the ID Token,
+		 * the validation must succeed
+		 */
+		Map<String, Object> configurationMetadata = new HashMap<>();
+		configurationMetadata.put("issuer", "https://issuer.example.com");
+		this.registration = this.registration.providerConfigurationMetadata(configurationMetadata);
+
+		assertThat(this.validateIdToken()).isEmpty();
+	}
+
 	@Test
 	public void validateWhenSubNullThenHasErrors() {
 		this.claims.remove(IdTokenClaimNames.SUB);