From d8c738c1c49349fa879a7dd95b20aeadff7342bb Mon Sep 17 00:00:00 2001
From: Dan Upton
Date: Wed, 14 Jan 2026 10:51:10 +0000
Subject: [PATCH] oidc: stop erroneously advertising pairwise subject support

Our `/.well-known/openid-configuration` endpoint currently advertises that we support the `pair-wise` subject type. This is a typo of `pairwise` which causes stricter parsers such as the Nimbus Java SDK to reject our configuration. As we do not actually supoprt `pair-wise` yet, we should not advertise support for it.

changelog: Removed erroneous `pair-wise` subject type from Teleport's OpenID configuration
---
 lib/utils/oidc/openidconfig.go | 2 +-
 lib/utils/oidc/openidconfig_test.go | 2 +-
 lib/web/oidcidp_test.go | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/lib/utils/oidc/openidconfig.go b/lib/utils/oidc/openidconfig.go
index 7561ab7becfbf..88b6c6e0182dc 100644
--- a/lib/utils/oidc/openidconfig.go
+++ b/lib/utils/oidc/openidconfig.go
@@ -40,6 +40,6 @@ func OpenIDConfigurationForIssuer(issuer, jwksURI string) OpenIDConfiguration {
 IdTokenSigningAlgValuesSupported: []string{"RS256"},
 ResponseTypesSupported: []string{"id_token"},
 ScopesSupported: []string{"openid"},
- SubjectTypesSupported: []string{"public", "pair-wise"},
+ SubjectTypesSupported: []string{"public"},
 }
 }
diff --git a/lib/utils/oidc/openidconfig_test.go b/lib/utils/oidc/openidconfig_test.go
index 8796a978d0e1e..f16eb3e97c36f 100644
--- a/lib/utils/oidc/openidconfig_test.go
+++ b/lib/utils/oidc/openidconfig_test.go
@@ -32,7 +32,7 @@ func TestOpenIDConfigurationForIssuer(t *testing.T) {
 IdTokenSigningAlgValuesSupported: []string{"RS256"},
 ResponseTypesSupported: []string{"id_token"},
 ScopesSupported: []string{"openid"},
- SubjectTypesSupported: []string{"public", "pair-wise"},
+ SubjectTypesSupported: []string{"public"},
 }
 
 got := OpenIDConfigurationForIssuer("https://localhost:8080", "https://localhost:8080/.well-known/jwks")
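Review bot: The new `SubjectTypesSupported: []string{"public"}` line in openidconfig.go carries no comment explaining why only `public` is listed, so nothing stops a later edit from reintroducing a non-spec value. OpenID Connect Discovery 1.0 defines only `public` and `pairwise` for `subject_types_supported`, and as the commit message notes, stricter relying parties reject anything else. Suggest a comment directly above the field: `// Only "public" subject identifiers are issued. Do not advertise "pairwise" until it is implemented; the spec-defined values are exactly "public" and "pairwise".` The enclosing OpenIDConfigurationForIssuer function starts outside the hunk.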
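Review bot: The expected struct in TestOpenIDConfigurationForIssuer still just mirrors the constant in openidconfig.go, which is why the `pair-wise` typo survived until an external parser rejected the discovery document; the same applies to TestOIDCIdPPublicEndpoints in lib/web/oidcidp_test.go. A check that every entry of the returned `SubjectTypesSupported` is one of the two values defined by OpenID Connect Discovery 1.0 would catch a recurrence independently of the expected value, e.g. `for _, st := range got.SubjectTypesSupported { require.Contains(t, []string{"public", "pairwise"}, st) }` (assuming this file already imports `require`, as oidcidp_test.go does). The enclosing test function starts before and ends after the hunk.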
diff --git a/lib/web/oidcidp_test.go b/lib/web/oidcidp_test.go
index acd47a17d3475..8197240b0c1ee 100644
--- a/lib/web/oidcidp_test.go
+++ b/lib/web/oidcidp_test.go
@@ -67,7 +67,7 @@ func TestOIDCIdPPublicEndpoints(t *testing.T) {
 Claims: []string{"iss", "sub", "obo", "aud", "jti", "iat", "exp", "nbf"},
 ResponseTypesSupported: []string{"id_token"},
 ScopesSupported: []string{"openid"},
- SubjectTypesSupported: []string{"public", "pair-wise"},
+ SubjectTypesSupported: []string{"public"},
 }
 
 require.Equal(t, expectedConfiguration, gotConfiguration)