Well known endpoint has the tenant id suffix
Description
The OpenID Connect discovery URL has a tenant id on the end of it. For example: https://sandbox.fusionauth.io/.well-known/openid-configuration/bafb4319-b7ca-ed27-fa2f-bbdba9d8ec06
This sometimes causes issues with OIDC discovery. See here: oauth2-proxy/oauth2-proxy#2102 for example.
Looks like AzureAD works around that by putting the tenant value before the .well-known path: https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-protocols-oidc#fetch-the-openid-configuration-document
Every app registration in Azure AD is provided a publicly accessible endpoint that serves its OpenID configuration document. To determine the URI of the configuration document's endpoint for your app, append the well-known OpenID configuration path to your app registration's authority URL.
Section 4 of the OIDC spec talks about how to craft that URL: https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfig
Using path components enables supporting multiple issuers per host. This is required in some multi-tenant hosting configurations. This use of .well-known is for supporting multiple issuers per host; unlike its use in RFC 5785 [RFC5785], it does not provide general information about the host.
Documentation
- Update endpoint doc to indicate this new option.
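The two URL shapes discussed in this issue, as an added example that is not part of the issue or FusionAuth's code: it builds the discovery URL the way OpenID Connect Discovery 1.0 section 4.1 describes (issuer, which may carry a path component, plus `/.well-known/openid-configuration`), shows why a client cannot recover the issuer from a URL that carries the tenant id after the well-known path, and performs the section 4.3 check that the `issuer` value in the retrieved document equals the issuer the client started from. The hostname `idp.example`, the tenant path `tenant-a`, the placeholder `TENANT_ID` and the inline JSON documents are constructed for the example.

```python
"""Build and validate OIDC discovery URLs per OpenID Connect Discovery 1.0, section 4.

Added example for the issue discussion above; not FusionAuth's code.
Hosts, tenant values and JSON documents here are constructed placeholders.
"""
import json
from urllib.parse import urlsplit

WELL_KNOWN = "/.well-known/openid-configuration"


def discovery_url(issuer: str) -> str:
    """Section 4.1: concatenate the well-known path to the issuer.

    The issuer may contain path components; that is how one host serves
    several issuers (for example one per tenant) without changing the
    well-known suffix.
    """
    parts = urlsplit(issuer)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError("issuer must be an absolute https URL")
    if parts.query or parts.fragment:
        raise ValueError("issuer must not carry a query or fragment")
    return issuer.rstrip("/") + WELL_KNOWN


def issuer_from_discovery_url(url: str):
    """Invert section 4.1: strip the well-known suffix to get the issuer.

    Returns None when the URL is not of the form <issuer>/.well-known/
    openid-configuration, e.g. when a tenant id is appended after the
    well-known path. Generic clients that assume the spec layout cannot
    derive an issuer from that shape, which is the failure the issue reports.
    """
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.query or parts.fragment:
        return None
    if not parts.path.endswith(WELL_KNOWN):
        return None
    issuer_path = parts.path[: -len(WELL_KNOWN)]
    return f"https://{parts.netloc}{issuer_path}"


def validate_document(expected_issuer: str, document_json: str) -> dict:
    """Section 4.3: the issuer in the document must match the issuer used
    for discovery, byte for byte. A mismatch means the client is talking to
    an issuer it did not intend to trust, so it is rejected rather than
    normalised away."""
    doc = json.loads(document_json)
    if doc.get("issuer") != expected_issuer:
        raise ValueError(
            f"issuer mismatch: expected {expected_issuer!r}, got {doc.get('issuer')!r}"
        )
    for required in ("authorization_endpoint", "jwks_uri", "response_types_supported"):
        if required not in doc:
            raise ValueError(f"discovery document is missing {required!r}")
    return doc


# Constructed sample documents, one per issuer layout.
PATH_TENANT_DOC = json.dumps({
    "issuer": "https://idp.example/tenant-a",
    "authorization_endpoint": "https://idp.example/tenant-a/oauth2/authorize",
    "jwks_uri": "https://idp.example/tenant-a/.well-known/jwks.json",
    "response_types_supported": ["code"],
})

MISMATCHED_DOC = json.dumps({
    "issuer": "https://idp.example/tenant-b",
    "authorization_endpoint": "https://idp.example/tenant-b/oauth2/authorize",
    "jwks_uri": "https://idp.example/tenant-b/.well-known/jwks.json",
    "response_types_supported": ["code"],
})


def demo() -> dict:
    """Run the three checks and return the outcomes for inspection."""
    spec_url = discovery_url("https://idp.example/tenant-a")
    suffix_url = "https://idp.example" + WELL_KNOWN + "/TENANT_ID"
    results = {
        "spec_url": spec_url,
        "spec_issuer": issuer_from_discovery_url(spec_url),
        "suffix_issuer": issuer_from_discovery_url(suffix_url),
        "valid": validate_document("https://idp.example/tenant-a", PATH_TENANT_DOC)["issuer"],
    }
    try:
        validate_document("https://idp.example/tenant-a", MISMATCHED_DOC)
        results["mismatch_rejected"] = False
    except ValueError:
        results["mismatch_rejected"] = True
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running it shows that the issuer-with-path layout round-trips (URL built from the issuer, issuer recovered from the URL, document issuer matches), while the tenant-after-well-known layout yields no issuer at all, so a client following section 4.1 has nothing to compare the document's `issuer` against.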
Community guidelines
All issues filed in this repository must abide by the FusionAuth community guidelines.