In Package oidc and compilation unit oidc.go, "NewProvider (" call implementation is looks wrong. if **p.Issuer != issuer** { return nil, fmt.Errorf("oidc: issuer did not match the issuer returned by provider, expected %q got %q", issuer, p.Issuer) } This code looks wrong to me. I am reading the OIDC discovery code and I dont see why the URL one provides should be the URL of the Issuer.