Quirk for Dynamic (Tenant) based issuer of Microsoft Entra ID #401
Comments
Issue 1 & 3: Use the Issue 2: should be solved with #399, just released as v3.2.6.

@maennchen Maybe I am missing something, but we can only find the actual tenant ID value by looking at the token. See https://github.com/MicrosoftDocs/azure-docs/issues/95994#issuecomment-1197481264

@MrYawe Oh right. The issuer changes based on the user's tenant. This is absolutely not compliant with OpenID in any way. The specification is very clear that the issuer has to be checked against (exact equality) the value from the configuration. If this was not Microsoft but any other smaller provider, I would now tell you to go hassle the provider to be actually compliant with the specification. Unfortunately, Microsoft is not willing to fix it (can't seem to locate the issue, but it was raised before) but is also too large to ignore. To implement a generic and safe solution, I would be willing to accept a PR which allows passing a Regex instead of a string for the issuer. When the token is validated, the provided
Description
Using oidcc 3.2.5 and oidcc_plug 0.2.0-beta.1.

I'm trying to set up the OpenID Connect flow for Microsoft using the https://login.microsoftonline.com/common/v2.0 issuer. Microsoft is known to not be compliant with the spec because the issuer in their OpenID configuration is https://login.microsoftonline.com/{tenantid}/v2.0.

Issue 1: issuer_mismatch when loading configuration
The first issue I encountered was when starting the configuration worker:

But I found the allow_issuer_mismatch quirk to disable this check ✅.

Issue 2: failed pkce challenge
In my callback I had this error:

Since I'm using the Oidcc.Plug.Authorize, the pkce challenge is enabled by default and in the Microsoft provider configuration document_overrides is undefined. I found another quirk to override the provider configuration and make it work ✅. Here is my ProviderConfigurationWorker configuration at this point:

Issue 3: iss mismatch in token
This last issue is still unresolved.

When validating the token, the iss doesn't match because the {tenantid} in the iss claim is replaced by the actual tenant id value found in the tid claim. Is there another quirk I can use here?

Here is the full oidcc_plug configuration I use:
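The check Issue 3 and the maintainer's regex suggestion both describe, written as an added Elixir example (not code from oidcc or oidcc_plug): instead of a loose regex on iss, it substitutes the token's own tid into the published template and requires exact equality, after rejecting any tid that is not a GUID and, optionally, any tenant not on an allow-list. The module name, the allowed_tenants option and the sample claims are constructed for this example.

```elixir
defmodule EntraIssuerCheck do
  @moduledoc """
  Tenant-aware issuer check for tokens from the Microsoft Entra ID `common`
  endpoint. Added example; not part of oidcc or oidcc_plug.
  """

  # Issuer exactly as published in the provider configuration document.
  @issuer_template "https://login.microsoftonline.com/{tenantid}/v2.0"

  # A tenant id is a GUID. Rejecting anything else before substitution means
  # `iss` may only differ from the template by a well-formed GUID, unlike a
  # loose regex that would accept any issuer string.
  @guid ~r/\A[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\z/

  @doc """
  `:ok` when `iss` equals the template with `{tenantid}` replaced by the
  token's `tid` claim and that tenant is allowed (`allowed_tenants` is `:any`
  or a list of tenant ids; hypothetical option). Run this only after the
  signature was verified against the JWKS of the same configuration document.
  """
  def verify(claims, allowed_tenants \\ :any)

  def verify(%{"iss" => iss, "tid" => tid}, allowed_tenants)
      when is_binary(iss) and is_binary(tid) do
    expected = String.replace(@issuer_template, "{tenantid}", tid)

    cond do
      not Regex.match?(@guid, tid) -> {:error, {:invalid_tid, tid}}
      not tenant_allowed?(tid, allowed_tenants) -> {:error, {:tenant_not_allowed, tid}}
      iss != expected -> {:error, {:issuer_mismatch, iss, expected}}
      true -> :ok
    end
  end

  def verify(_claims, _allowed_tenants), do: {:error, :missing_iss_or_tid}

  defp tenant_allowed?(_tid, :any), do: true
  defp tenant_allowed?(tid, list) when is_list(list), do: tid in list
end

# Constructed sample claims (not taken from a real token).
tid = "11111111-2222-3333-4444-555555555555"
claims = %{"iss" => "https://login.microsoftonline.com/#{tid}/v2.0", "tid" => tid}

:ok = EntraIssuerCheck.verify(claims)
:ok = EntraIssuerCheck.verify(claims, [tid])
{:error, {:tenant_not_allowed, ^tid}} = EntraIssuerCheck.verify(claims, ["other-tenant"])
# The `common` issuer from the configuration document never matches a token.
{:error, {:issuer_mismatch, _, _}} =
  EntraIssuerCheck.verify(%{claims | "iss" => "https://login.microsoftonline.com/common/v2.0"})
```

Wiring this in as a replacement for the library's exact-equality step still leaves allow_issuer_mismatch needed for loading the configuration document, as described under Issue 1.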