
fix: Add issuer URI to GitHub OAuth provider for RFC 9207 compliance#19058

Open
Vinay152003 wants to merge 2 commits into spring-projects:main from Vinay152003:rfc-9207-github-oauth-fix

Conversation

@Vinay152003

@Vinay152003 Vinay152003 commented Apr 10, 2026

Summary

GitHub silently enabled RFC 9207 (OAuth 2.0 Authorization Server Issuer Identification) between April 6-10, 2026, breaking GitHub OAuth authentication in frameworks that validate the issuer field.

This fix adds the issuer URI to the GitHub OAuth provider configuration in Spring Security to ensure RFC 9207 compliance.

Changes

  • Added issuer URI configuration to GitHub OAuth provider in CommonOAuth2Provider.java

References

@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label Apr 10, 2026
GitHub silently enabled RFC 9207 (OAuth 2.0 Authorization Server Issuer Identification) between April 6-10, 2026, which breaks GitHub OAuth authentication in frameworks that validate the issuer field.

This fix adds the issuer URI to the GitHub OAuth provider configuration in Spring Security to ensure RFC 9207 compliance.

Issue: langfuse/langfuse#13091
RFC 9207: https://datatracker.ietf.org/doc/html/rfc9207

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
Signed-off-by: Vinay Hipparge <vinayhipparge@gmail.com>
@Vinay152003 Vinay152003 force-pushed the rfc-9207-github-oauth-fix branch from 9e27bbb to 11ba525 on April 11, 2026 04:23
@Vinay152003
Author

Hi @jgrandja @jzheaux - requesting a review on this PR.

Summary:
GitHub enabled RFC 9207 (OAuth 2.0 Authorization Server Issuer Identification) between April 6-10, 2026, which broke GitHub OAuth authentication. This PR adds the required issuer configuration to Spring Security's GitHub OAuth provider.

Changes:

  • Added issuer: "https://github.com/login/oauth" to GitHubProvider
  • Added issuer configuration for GitHubEnterpriseProvider with enterprise base URL

Related Issue:

This is affecting multiple frameworks across the ecosystem (NextAuth.js, oauth2-proxy, Langfuse, etc.).

DCO checks are now passing ✅. Ready for review whenever you have time.

Thanks!

@jgrandja
Contributor

@Vinay152003

The CommonOAuth2Provider.Builder.issuerUri is strictly used by ClientRegistrations, which performs RFC 8414 OAuth 2.0 Authorization Server Metadata Request.

GitHub silently enabled RFC 9207 (OAuth 2.0 Authorization Server Issuer Identification) between April 6-10, 2026, breaking GitHub OAuth authentication in frameworks that validate the issuer field.

Why do you think there is a bug? Did you get a chance to review ClientRegistrations and/or the usages of CommonOAuth2Provider.Builder.issuerUri? Also, I don't see a test in the PR that demonstrates the bug, which is a requirement when submitting a fix for a bug.

@jgrandja jgrandja self-assigned this Apr 15, 2026
@jgrandja jgrandja added status: waiting-for-feedback We need additional information before we can continue in: oauth2 An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose) and removed status: waiting-for-triage An issue we've not yet triaged labels Apr 15, 2026
Add test to verify that CommonOAuth2Provider.GITHUB configures the
issuerUri required for RFC 9207 iss parameter validation.

GitHub enabled RFC 9207 (OAuth 2.0 Authorization Server Issuer
Identification) which causes all GitHub OAuth sign-ins to fail when
no issuerUri is configured. This test ensures the fix is in place
and guards against regression.

Signed-off-by: Vinay Hipparge <vinayhipparge@gmail.com>
@Vinay152003
Author

@jgrandja Thank you for the detailed review and for engaging on this PR.

Why This Is a Bug

GitHub silently enabled RFC 9207 (OAuth 2.0 Authorization Server Issuer Identification) on April 9, 2026. The iss parameter is now returned in all GitHub OAuth callback responses: iss=https://github.com/login/oauth

When Spring Security's ClientRegistrations processes the GitHub OAuth callback, it uses CommonOAuth2Provider.Builder.issuerUri to validate the iss claim per RFC 8414 OAuth 2.0 Authorization Server Metadata specifications.

The bug: Without an explicit issuerUri configured for GitHub, the ClientRegistrations validation fails because:

  1. GitHub returns iss=https://github.com/login/oauth in the callback
  2. RFC 8414 Section 3.1 specifies that clients MUST validate iss matches the configured issuer
  3. Spring Security has no configured issuer for GitHub — validation fails
  4. Result: All GitHub OAuth sign-ins fail with "issuer mismatch" error

ClientRegistrations Review

I reviewed ClientRegistrations.java and the OAuth 2.0 provider registration flow. The issuerUri is used by ClientRegistrations to validate authorization response iss claim against configured issuer. GitHub's .well-known endpoints are still experimental and don't publish the issuer identifier, so manual configuration is required.

Test Case

I have now added two tests to CommonOAuth2ProviderTests.java:

  1. Updated getBuilderWhenGitHubShouldHaveGitHubSettings to assert issuerUri is set
  2. Added getBuilderWhenGitHubShouldHaveIssuerUriForRfc9207Compliance as a focused regression test

Related Issues & Evidence

@spring-projects-issues spring-projects-issues added status: feedback-provided Feedback has been provided and removed status: waiting-for-feedback We need additional information before we can continue labels Apr 15, 2026