fn validate_issuer_url(issuer: &str) -> Result<(), &'static str>Expand description
Validates oidc_issuer before it is published. Required: parses as
a URL, scheme is https or http, no userinfo (we publish it on a
public endpoint), no query or fragment (RFC 8414 §2). The http
scheme is permitted to ease local dev; OAuth 2.1 §3.1 forbids it in
production but enforcement is the operator’s responsibility.
The caller publishes the original value (not a re-serialised
Url) because url::Url silently normalises some forms (e.g. adds
a trailing slash to a bare authority), and a mutated issuer would
not match the iss claim in tokens minted by the IdP.