From df55f9b189174767296e562389948e5250f1df73 Mon Sep 17 00:00:00 2001
From: Noah Snelson
Date: Thu, 20 Jul 2023 01:02:45 -0700
Subject: [PATCH] Add a link to OpenID Issuer URL in WebFinger response (#26000)
This change adds an entry to the `links` field of the `/.well-known/webfinger` response. The new entry points to the `appURL` as an OpenID issuer. This is consistent with the output of `/.well-known/openid-configuration`, which also uses the value of `appURL`. This change is required for Tailscale SSO to work, as it uses the OpenID Issuer URL when querying the Tailscale user email during signup/login ([docs](https://tailscale.com/kb/1240/sso-custom-oidc/#webfinger-setup)).
---
 routers/web/webfinger.go | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/routers/web/webfinger.go b/routers/web/webfinger.go
index 0966b04951..faa35b8d2f 100644
--- a/routers/web/webfinger.go
+++ b/routers/web/webfinger.go
@@ -106,6 +106,10 @@ func WebfingerQuery(ctx *context.Context) {
 Type: "application/activity+json",
 Href: appURL.String() + "api/v1/activitypub/user-id/" + fmt.Sprint(u.ID),
 },
+ {
+ Rel: "http://openid.net/specs/connect/1.0/issuer",
+ Href: appURL.String(),
+ },
 }

 ctx.Resp.Header().Add("Access-Control-Allow-Origin", "*")
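Review bot: The added issuer entry `Href: appURL.String(),` has to be byte-identical to the `issuer` value served by `/.well-known/openid-configuration` and to the `iss` claim in issued ID tokens, because OIDC relying parties compare these as exact strings, and nothing in this hunk ties the three values together. The ActivityPub entry just above concatenates `appURL.String() + "api/v1/activitypub/user-id/"` with no separator, so the value presumably ends in a slash; a trailing-slash mismatch would break discovery and tends to push client operators towards loosening issuer validation. I would add a comment on the new entry such as `// must equal the issuer in /.well-known/openid-configuration exactly, trailing slash included` and, ideally, derive both values from one shared helper. The entry also sits in the unconditional `links` literal, so it appears to be advertised even when the instance's OAuth2/OIDC provider is disabled; any such gate would have to live outside this hunk, since WebfingerQuery begins and ends outside it.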