diff --git a/test/integration/concierge_tls_spec_test.go b/test/integration/concierge_tls_spec_test.go
index 00de622b0..c9ec84849 100644
--- a/test/integration/concierge_tls_spec_test.go
+++ b/test/integration/concierge_tls_spec_test.go
@@ -6,7 +6,6 @@ import (
 "bytes"
 "context"
 "fmt"
- "net/url"
 "os"
 "os/exec"
 "path/filepath"
@@ -370,13 +369,10 @@ func TestTLSSpecKubeBuilderValidationConcierge_Parallel(t *testing.T) {
 })
 t.Run("apply jwt authenticator", func(t *testing.T) {
- issuerURL, err := url.Parse(env.SupervisorUpstreamOIDC.CallbackURL)
- require.NoError(t, err)
- require.True(t, strings.HasSuffix(issuerURL.Path, "/callback"))
- issuerURL.Path = strings.TrimSuffix(issuerURL.Path, "/callback")
+ _, supervisorIssuer := env.SupervisorUpstreamOIDC.InferTheIssuerURL(t)
 jwtAuthenticatorResourceName := tc.resourceNamePrefix + "-" + testlib.RandHex(t, 7)
- jwtAuthenticatorYamlBytes := []byte(fmt.Sprintf(tc.customJWTAuthenticatorYaml, env.APIGroupSuffix, jwtAuthenticatorResourceName, issuerURL.String()))
+ jwtAuthenticatorYamlBytes := []byte(fmt.Sprintf(tc.customJWTAuthenticatorYaml, env.APIGroupSuffix, jwtAuthenticatorResourceName, supervisorIssuer))
 performKubectlApply(t, jwtAuthenticatorYamlBytes, tc.expectedError, "JWTAuthenticator", jwtAuthenticatorResourceName)
 })
diff --git a/test/integration/e2e_test.go b/test/integration/e2e_test.go
index 862a1665b..935b6d5ea 100644
--- a/test/integration/e2e_test.go
+++ b/test/integration/e2e_test.go
@@ -70,12 +70,7 @@ func TestE2EFullIntegration_Browser(t *testing.T) {
 // Build pinniped CLI.
 pinnipedExe := testlib.PinnipedCLIPath(t)
- // Infer the downstream issuer URL from the callback associated with the upstream test client registration.
- issuerURL, err := url.Parse(env.SupervisorUpstreamOIDC.CallbackURL)
- require.NoError(t, err)
- require.True(t, strings.HasSuffix(issuerURL.Path, "/callback"))
- issuerURL.Path = strings.TrimSuffix(issuerURL.Path, "/callback")
- t.Logf("testing with downstream issuer URL %s", issuerURL.String())
+ issuerURL, _ := env.SupervisorUpstreamOIDC.InferTheIssuerURL(t)
 // Generate a CA bundle with which to serve this provider.
 t.Logf("generating test CA")
diff --git a/test/integration/supervisor_login_test.go b/test/integration/supervisor_login_test.go
index 089a3bbe3..6555143fa 100644
--- a/test/integration/supervisor_login_test.go
+++ b/test/integration/supervisor_login_test.go
@@ -2948,12 +2948,7 @@ func testSupervisorLogin(
 ctx, cancel := context.WithTimeout(context.Background(), 7*time.Minute)
 defer cancel()
- // Infer the downstream issuer URL from the callback associated with the upstream test client registration.
- issuerURL, err := url.Parse(env.SupervisorUpstreamOIDC.CallbackURL)
- require.NoError(t, err)
- require.True(t, strings.HasSuffix(issuerURL.Path, "/callback"))
- issuerURL.Path = strings.TrimSuffix(issuerURL.Path, "/callback")
- t.Logf("testing with downstream issuer URL %s", issuerURL.String())
+ issuerURL, _ := env.SupervisorUpstreamOIDC.InferTheIssuerURL(t)
 // Generate a CA bundle with which to serve this provider.
 t.Logf("generating test CA")
diff --git a/test/integration/supervisor_tls_spec_test.go b/test/integration/supervisor_tls_spec_test.go
index 877a85e02..5ac34b4be 100644
--- a/test/integration/supervisor_tls_spec_test.go
+++ b/test/integration/supervisor_tls_spec_test.go
@@ -23,6 +23,7 @@ import (
 // on the TLSSpec in Pinniped supervisor CRDs using OIDCIdentityProvider as an example.
 func TestTLSSpecKubeBuilderValidationSupervisor_Parallel(t *testing.T) {
 env := testlib.IntegrationEnv(t)
+ env.SupervisorUpstreamOIDC.Issuer
 testCases := []struct {
 name string
 customResourceYaml string
diff --git a/test/integration/supervisor_warnings_test.go b/test/integration/supervisor_warnings_test.go
index 17da03367..a2a6d4536 100644
--- a/test/integration/supervisor_warnings_test.go
+++ b/test/integration/supervisor_warnings_test.go
@@ -7,7 +7,6 @@ import (
 "encoding/base64"
 "fmt"
 "io"
- "net/url"
 "os"
 "os/exec"
 "path/filepath"
@@ -49,12 +48,7 @@ func TestSupervisorWarnings_Browser(t *testing.T) {
 pinnipedExe := testlib.PinnipedCLIPath(t)
 tempDir := t.TempDir()
- // Infer the downstream issuer URL from the callback associated with the upstream test client registration.
- issuerURL, err := url.Parse(env.SupervisorUpstreamOIDC.CallbackURL)
- require.NoError(t, err)
- require.True(t, strings.HasSuffix(issuerURL.Path, "/callback"))
- issuerURL.Path = strings.TrimSuffix(issuerURL.Path, "/callback")
- t.Logf("testing with downstream issuer URL %s", issuerURL.String())
+ issuerURL, _ := env.SupervisorUpstreamOIDC.InferTheIssuerURL(t)
 // Generate a CA bundle with which to serve this provider.
 t.Logf("generating test CA")
diff --git a/test/testlib/env.go b/test/testlib/env.go
index 5e83caa43..2e4e57611 100644
--- a/test/testlib/env.go
+++ b/test/testlib/env.go
@@ -5,6 +5,7 @@ package testlib
 import (
 "encoding/base64"
+ "net/url"
 "os"
 "sort"
 "strings"
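Review bot: The line added to TestTLSSpecKubeBuilderValidationSupervisor_Parallel in supervisor_tls_spec_test.go, `env.SupervisorUpstreamOIDC.Issuer`, is a bare selector expression, and Go does not accept that as a statement (the compiler reports the value as "is not used"). As written the test/integration package would not build, which may go unnoticed if these tests only compile in the integration pipeline. Nothing else in the hunk reads the value, so it looks like an editing leftover and the line should simply be deleted. If a later test case does need the upstream issuer, bind it where it is consumed, e.g. `upstreamIssuer := env.SupervisorUpstreamOIDC.Issuer`. The function body continues outside the hunk.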
@@ -83,6 +84,20 @@ type TestOIDCUpstream struct {
 ExpectedGroups []string `json:"expectedGroups"`
 }
+// InferTheIssuerURL infers the downstream issuer URL from the callback associated with the upstream test client registration.
+func (upstream *TestOIDCUpstream) InferTheIssuerURL(t *testing.T) (*url.URL, string) {
+ t.Helper()
+ issuerURL, err := url.Parse(upstream.CallbackURL)
+ require.NoError(t, err)
+ require.True(t, strings.HasSuffix(issuerURL.Path, "/callback"))
+ issuerURL.Path = strings.TrimSuffix(issuerURL.Path, "/callback")
+
+ issuerAsString := issuerURL.String()
+ t.Logf("testing with downstream issuer URL %s", issuerAsString)
+
+ return issuerURL, issuerAsString
+}
+
 type TestLDAPUpstream struct {
 Host string `json:"host"`
 Domain string `json:"domain"`
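Review bot: The suffix assertion in InferTheIssuerURL carries no message, so a misconfigured CallbackURL fails with a bare "Should be true". The helper also accepts anything url.Parse tolerates, including a value with no host or with a query string that would be carried into the issuer written into the JWTAuthenticator YAML. Since every caller in this commit now derives the issuer here, this is the place to pin its shape: `require.True(t, strings.HasSuffix(issuerURL.Path, "/callback"), "callback URL path %q must end in /callback", issuerURL.Path)`, plus `require.NotEmpty(t, issuerURL.Host)` and `require.Empty(t, issuerURL.RawQuery)`. The doc comment should also say that the two results are the same URL in parsed and string form, because each call site discards one of them with `_`.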