From 4c511dca0fb0b25c6fca13de5ed6353ff54474c4 Mon Sep 17 00:00:00 2001
From: Eric Chiang
Date: Thu, 20 Nov 2025 19:31:02 -0800
Subject: [PATCH] oidc: improve error message for mismatched issuer URLs

Fixes #468
---
 oidc/oidc.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/oidc/oidc.go b/oidc/oidc.go
index f6a7ea8..2659518 100644
--- a/oidc/oidc.go
+++ b/oidc/oidc.go
@@ -162,7 +162,7 @@ var supportedAlgorithms = map[string]bool{
 // parsing.
 //
 // // Directly fetch the metadata document.
-// resp, err := http.Get("https://login.example.com/custom-metadata-path")
+// resp, err := http.Get("https://login.example.com/custom-metadata-path")
 // if err != nil {
 // // ...
 // }
@@ -267,7 +267,7 @@ func NewProvider(ctx context.Context, issuer string) (*Provider, error) {
 issuerURL = issuer
 }
 if p.Issuer != issuerURL && !skipIssuerValidation {
- return nil, fmt.Errorf("oidc: issuer did not match the issuer returned by provider, expected %q got %q", issuer, p.Issuer)
+ return nil, fmt.Errorf("oidc: issuer URL provided to client (%q) did not match the issuer URL returned by provider (%q)", issuer, p.Issuer)
 }
 var algs []string
 for _, a := range p.Algorithms {
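Review bot: The check on the `if p.Issuer != issuerURL && !skipIssuerValidation` line in the second hunk is an exact string comparison, and neither the reworded message nor a comment says so. A user who sees two URLs that differ only by a trailing slash gets no hint that the rejection is intentional. I would add a comment above the check, for example `// OIDC Discovery requires the issuer in the metadata to be identical to the URL used for discovery; compare without normalizing.` Separately, the error is still built with `fmt.Errorf` and no sentinel, so any test or log-alert rule keyed on the old `issuer did not match the issuer returned by provider` text will silently stop matching; a package-level `Err…` value wrapped with `%w` would give callers something stable to test with `errors.Is`. NewProvider's body starts and ends outside the hunk.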