fix: Conformance tests & proper handling of iss not supported

max-stytch · max-stytch · commit 967a45d29709 · 2026-04-09T08:16:10.000-07:00
diff --git a/auth/authorization_code.go b/auth/authorization_code.go
@@ -565,13 +565,19 @@ func (h *AuthorizationCodeHandler) getAuthorizationCode(ctx context.Context, cfg
 //
 // [RFC 9207]: https://www.rfc-editor.org/rfc/rfc9207
 func validateIssuerResponse(iss, expectedIssuer string, issParameterSupported bool) error {
-	if iss != "" {
+	if issParameterSupported {
+		if iss == "" {
+			return fmt.Errorf("authorization server advertises RFC 9207 iss parameter support but none was received in the authorization response")
+		}
 		if iss != expectedIssuer {
 			return fmt.Errorf("authorization response issuer %q does not match expected issuer %q", iss, expectedIssuer)
 		}
-	} else if issParameterSupported {
-		return fmt.Errorf("authorization server advertises RFC 9207 iss parameter support but none was received in the authorization response")
+	} else {
+		if iss != "" {
+			return fmt.Errorf("authorization server does not advertise RFC 9207 iss parameter support but iss was received in the authorization response")
+		}
 	}
+
 	return nil
 }
 
diff --git a/conformance/everything-client/client_private.go b/conformance/everything-client/client_private.go
@@ -40,6 +40,11 @@ func init() {
 		"auth/token-endpoint-auth-basic",
 		"auth/token-endpoint-auth-post",
 		"auth/token-endpoint-auth-none",
+		"auth/iss-supported",
+		"auth/iss-not-advertised",
+		"auth/iss-supported-missing",
+		"auth/iss-wrong-issuer",
+		"auth/iss-unexpected",
 	}
 	for _, scenario := range authScenarios {
 		registerScenario(scenario, runAuthClient)
