Hi, I have discovered an issue in the Microsoft Entra ID OpenID Connect SSO plugin. Due to a bug in login_hint ID token claim handling, external/B2B Entra ID accounts cannot re-authenticate in SysReptor.
Current behavior
When SysReptor tries to re-authenticate an external Entra ID user, a Microsoft personal account in this case (*@outlook.com or *@live.com), the following screen with random-ish phone number is presented by Entra ID:
Expected behavior
The user should instead see a prompt like this:
Possible solution
The root cause is that SysReptor does a pass-through of the login_hint claim from the ID token to Microsoft's authentication endpoint. This claim contains a reference to the original token issuer (Personal Microsoft accounts - https://sts.windows.net/9188040d-6c67-4c5b-b112-36a304b66dad) instead of a reference to the target token issuer (Microsoft Entra ID - https://login.microsoftonline.com/TenantID/v2.0). The right ID token claim value to send is preferred_username, with which it works seamlessly, at least based on my tests.
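The fix described in this report, shown as an added example that is not SysReptor's own code: when building the authorization request for re-authentication, take the `login_hint` query parameter from the ID token's `preferred_username` claim instead of passing the token's `login_hint` claim through. The claim values, tenant id, client id and redirect URI below are constructed placeholders, and `prompt=login` is assumed as the re-authentication mechanism.

```python
"""Choose the login_hint sent to the Entra ID authorization endpoint.

Added example, not SysReptor's code. It contrasts the reported pass-through
behaviour (login_hint claim copied verbatim) with the proposed fix
(preferred_username used as the hint).
"""
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit

# All values below are constructed placeholders for illustration.
AUTHORIZE_ENDPOINT = "https://login.microsoftonline.com/<TenantID>/oauth2/v2.0/authorize"
CLIENT_ID = "00000000-0000-0000-0000-000000000000"
REDIRECT_URI = "https://sysreptor.example/login/oidc/azure/callback"

# Constructed ID-token claims for an external (personal Microsoft account) user.
# The login_hint claim is an opaque, issuer-specific value; preferred_username
# is the sign-in name the tenant's authorization endpoint understands.
SAMPLE_CLAIMS = {
    "iss": "https://login.microsoftonline.com/<TenantID>/v2.0",
    "idp": "https://sts.windows.net/9188040d-6c67-4c5b-b112-36a304b66dad",
    "preferred_username": "alice@outlook.com",          # constructed
    "login_hint": "OPAQUE-PERSONAL-ACCOUNT-HINT-VALUE",  # constructed placeholder
}


def select_login_hint(claims: dict, passthrough: bool = False) -> Optional[str]:
    """Return the value to send as the login_hint query parameter.

    passthrough=True reproduces the reported behaviour: the token's
    login_hint claim is copied as-is, which for external accounts points
    the user at the original issuer rather than the target tenant.
    passthrough=False applies the fix: prefer preferred_username and only
    fall back to the login_hint claim when no username is available.
    """
    if passthrough:
        return claims.get("login_hint") or claims.get("preferred_username")
    return claims.get("preferred_username") or claims.get("login_hint")


def build_reauth_url(claims: dict, state: str, nonce: str,
                     passthrough: bool = False) -> str:
    """Build the OIDC authorization-code request URL for re-authentication."""
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "redirect_uri": REDIRECT_URI,
        "scope": "openid profile email",
        "state": state,
        "nonce": nonce,
        "prompt": "login",  # assumed: force a fresh sign-in on re-auth
    }
    hint = select_login_hint(claims, passthrough=passthrough)
    if hint:
        params["login_hint"] = hint
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params)


def login_hint_from_url(url: str) -> Optional[str]:
    """Extract the login_hint query parameter from a built URL (for checks)."""
    return parse_qs(urlsplit(url).query).get("login_hint", [None])[0]


if __name__ == "__main__":
    print("pass-through:", login_hint_from_url(
        build_reauth_url(SAMPLE_CLAIMS, "state-1", "nonce-1", passthrough=True)))
    print("fixed       :", login_hint_from_url(
        build_reauth_url(SAMPLE_CLAIMS, "state-1", "nonce-1")))
```

Running the block prints the opaque placeholder for the pass-through variant and `alice@outlook.com` for the fixed one; the `state` and `nonce` values should come from a secure random source in real code and be checked on the callback.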