@@ -47,6 +47,7 @@ export abstract class OAuthBaseProvider {
4747 public readonly defaultAccessTokenExpiresInMillis ?: number ,
4848 public readonly noPKCE ?: boolean ,
4949 public readonly openid ?: boolean ,
50+ public readonly alternativeIssuers ?: string [ ] ,
5051 ) { }
5152
5253 protected static async createConstructorArgs ( options :
@@ -59,6 +60,7 @@ export abstract class OAuthBaseProvider {
5960 defaultAccessTokenExpiresInMillis ?: number ,
6061 tokenEndpointAuthMethod ?: "client_secret_post" | "client_secret_basic" ,
6162 noPKCE ?: boolean ,
63+ alternativeIssuers ?: string [ ] ,
6264 }
6365 & (
6466 | ( {
@@ -106,6 +108,7 @@ export abstract class OAuthBaseProvider {
106108 options . defaultAccessTokenExpiresInMillis ,
107109 options . noPKCE ,
108110 options . openid ,
111+ options . alternativeIssuers ,
109112 ] as const ;
110113 }
111114
@@ -134,9 +137,22 @@ export abstract class OAuthBaseProvider {
134137 state : string ,
135138 } ) : Promise < { userInfo : OAuthUserInfo , tokenSet : TokenSet } > {
136139 let tokenSet ;
140+ const callbackParams = { ...options . callbackParams } ;
141+
142+ // If the authorization server returns an `iss` parameter (RFC 9207) that matches
143+ // one of the known alternative issuers, rewrite it to the configured issuer so
144+ // openid-client's validation accepts it.
145+ if (
146+ this . alternativeIssuers
147+ && typeof callbackParams . iss === "string"
148+ && this . alternativeIssuers . includes ( callbackParams . iss )
149+ ) {
150+ callbackParams . iss = this . oauthClient . issuer . metadata . issuer ;
151+ }
152+
137153 const params = [
138154 this . redirectUri ,
139- options . callbackParams ,
155+ callbackParams ,
140156 {
141157 code_verifier : this . noPKCE ? undefined : options . codeVerifier ,
142158 state : options . state ,
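Review bot: The `iss` rewrite at new lines 145–150 makes every entry of `alternativeIssuers` interchangeable with the configured issuer, so the RFC 9207 check that the comment attributes to openid-client protects against mix-up only as far as that list is trustworthy, and nothing in the commit documents this constraint. I would add a doc comment on the new constructor parameter (new line 50) and on the option type (new line 63), for example `/** Issuer identifiers accepted in the callback's iss parameter as equivalent to the configured issuer; list only values operated by the same authorization server, never user-supplied ones. */`. The match is an exact string comparison, which is what RFC 9207 requires, and it should not be relaxed to prefix or host matching later. The method body starts before and continues past this hunk, so whether the ID token's own `iss` claim is handled consistently cannot be judged from here.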