
Azure AD v2.0 fails issuer check when creating provider #121

Closed
tamalsaha opened this issue Dec 30, 2016 · 9 comments

Comments

@tamalsaha

tamalsaha commented Dec 30, 2016

Azure AD v2.0 provides OIDC config via:
https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration

Issuer in the config json is returned as
https://login.microsoftonline.com/{tenantid}/v2.0

As a result, the NewProvider() method fails.

@ericchiang
Collaborator

What does curling the following address return (once you replace your tenantid)?

https://login.microsoftonline.com/{tenantid}/v2.0/.well-known/openid-configuration

Also, what's in the ID token?

(sorry for the late reply, was on vacation for the last two weeks)

@tamalsaha
Author

@ericchiang, curling https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration returns https://login.microsoftonline.com/{tenantid}/v2.0. But the actual issuer is https://login.microsoftonline.com/9188040d-6c67-4c5b-b112-36a304b66dad/v2.0, as is documented here: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-v2-tokens

A GUID that represents the Azure AD tenant that the user is from. For work and school accounts, the GUID is the immutable tenant ID of the organization that the user belongs to. For personal accounts, the value is 9188040d-6c67-4c5b-b112-36a304b66dad. The profile scope is required in order to receive this claim.

We need to use tenantId = common in the OAuth URLs and tenantId = 9188040d-6c67-4c5b-b112-36a304b66dad to verify the id_token in order to support login via personal accounts.

Also, one can use their own tenantId to support only an Azure AD organization.

@tamalsaha
Author

tamalsaha commented Jan 8, 2017

@ericchiang, I just also tried using https://login.microsoftonline.com/9188040d-6c67-4c5b-b112-36a304b66dad/v2.0/.well-known/openid-configuration. But this results in the following error:

(screenshot: azure-oidc)

@ericchiang
Collaborator

What's the issuer claim for the returned ID token? This package cares about that. Is it the following?

https://login.microsoftonline.com/{tenantid}/v2.0

Per the OpenID Connect spec, the issuer returned by the discovery URL has to match the claim in the ID Token:

REQUIRED. URL using the https scheme with no query or fragment component that the OP asserts as its Issuer Identifier. If Issuer discovery is supported (see Section 2), this value MUST be identical to the issuer value returned by WebFinger. This also MUST be identical to the iss Claim value in ID Tokens issued from this Issuer.

https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata

@ericchiang
Collaborator

FYI your "unable to complete your request" link looks like it's working now.

$ curl -s https://login.microsoftonline.com/9188040d-6c67-4c5b-b112-36a304b66dad/v2.0/.well-known/openid-configuration | jq .
{
  "authorization_endpoint": "https://login.microsoftonline.com/9188040d-6c67-4c5b-b112-36a304b66dad/oauth2/v2.0/authorize",
  "token_endpoint": "https://login.microsoftonline.com/9188040d-6c67-4c5b-b112-36a304b66dad/oauth2/v2.0/token",
  "token_endpoint_auth_methods_supported": [
    "client_secret_post",
    "private_key_jwt"
  ],
  "jwks_uri": "https://login.microsoftonline.com/9188040d-6c67-4c5b-b112-36a304b66dad/discovery/v2.0/keys",
  "response_modes_supported": [
    "query",
    "fragment",
    "form_post"
  ],
  "subject_types_supported": [
    "pairwise"
  ],
  "id_token_signing_alg_values_supported": [
    "RS256"
  ],
  "http_logout_supported": true,
  "frontchannel_logout_supported": true,
  "end_session_endpoint": "https://login.microsoftonline.com/9188040d-6c67-4c5b-b112-36a304b66dad/oauth2/v2.0/logout",
  "response_types_supported": [
    "code",
    "id_token",
    "code id_token",
    "id_token token"
  ],
  "scopes_supported": [
    "openid",
    "profile",
    "email",
    "offline_access"
  ],
  "issuer": "https://login.microsoftonline.com/9188040d-6c67-4c5b-b112-36a304b66dad/v2.0",
  "claims_supported": [
    "sub",
    "iss",
    "cloud_instance_name",
    "aud",
    "exp",
    "iat",
    "auth_time",
    "acr",
    "nonce",
    "preferred_username",
    "name",
    "tid",
    "ver",
    "at_hash",
    "c_hash",
    "email"
  ],
  "request_uri_parameter_supported": false,
  "tenant_region_scope": null,
  "cloud_instance_name": "microsoftonline.com"
}

@ericchiang
Collaborator

So it looks like if you provide the correct issuer everything will work.

@tamalsaha
Author

tamalsaha commented Jan 9, 2017

@ericchiang I think using 9188040d-6c67-4c5b-b112-36a304b66dad instead of common results in proper issuer check. Closing this issue. Thanks for your help in debugging this.

@bdwyertech

This also fails using Azure AD B2C. Providers are mapped to "user flows" within the B2C tenant. In the example below, b2c_1_signup-signin is the chosen user flow.

Provider URL

  • https://myorgb2c.b2clogin.com/4c2f1234-123-4567-7654-123321828afd/b2c_1_signup-signin/v2.0/.well-known/openid-configuration

Notice that the issuer does not match the Provider URL:

{
  "issuer": "https://myorgb2c.b2clogin.com/4c2f1234-123-4567-7654-123321828afd/v2.0/",
  "authorization_endpoint": "https://myorgb2c.b2clogin.com/4c2f1234-123-4567-7654-123321828afd/b2c_1_signup-signin/oauth2/v2.0/authorize",
  "token_endpoint": "https://myorgb2c.b2clogin.com/4c2f1234-123-4567-7654-123321828afd/b2c_1_signup-signin/oauth2/v2.0/token",
  "end_session_endpoint": "https://myorgb2c.b2clogin.com/4c2f1234-123-4567-7654-123321828afd/b2c_1_signup-signin/oauth2/v2.0/logout",
  "jwks_uri": "https://myorgb2c.b2clogin.com/4c2f1234-123-4567-7654-123321828afd/b2c_1_signup-signin/discovery/v2.0/keys",
  "response_modes_supported": [
    "query",
    "fragment",
    "form_post"
  ],
  "response_types_supported": [
    "code",
    "code id_token",
    "code token",
    "code id_token token",
    "id_token",
    "id_token token",
    "token",
    "token id_token"
  ],
  "scopes_supported": [
    "openid"
  ],
  "subject_types_supported": [
    "pairwise"
  ],
  "id_token_signing_alg_values_supported": [
    "RS256"
  ],
  "token_endpoint_auth_methods_supported": [
    "client_secret_post",
    "client_secret_basic"
  ],
  "claims_supported": [
    "name",
    "emails",
    "given_name",
    "idp",
    "sub",
    "tfp",
    "iss",
    "iat",
    "exp",
    "aud",
    "acr",
    "nonce",
    "auth_time"
  ]
}
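
The two comparisons this thread turns on, the discovery document's issuer against the configured issuer URL (the spec quote above) and the ID token's iss claim against the discovered issuer, as an added Go example that is not go-oidc's own code. It does string-exact matching, which is why the "{tenantid}" placeholder from the /common endpoint and the trailing slash in the B2C issuer above both fail; the discovery body and token used in the comments are constructed, and signature verification is assumed to happen separately with the jwks_uri keys.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// CheckDiscoveryIssuer decodes a discovery document body and requires its
// "issuer" to equal the configured issuer URL, the comparison NewProvider
// makes (OpenID Connect Discovery 1.0, section 3). The match is exact, so a
// "{tenantid}" placeholder from /common or a trailing slash makes it fail.
func CheckDiscoveryIssuer(body []byte, configured string) error {
	var doc struct {
		Issuer string `json:"issuer"`
	}
	if err := json.Unmarshal(body, &doc); err != nil {
		return fmt.Errorf("decode discovery document: %w", err)
	}
	if doc.Issuer != configured {
		return fmt.Errorf("issuer did not match the issuer URL, expected %q got %q", configured, doc.Issuer)
	}
	return nil
}

// CheckIDTokenIssuer decodes the payload of a compact JWT and checks that its
// "iss" claim equals the discovered issuer. It does not verify the signature;
// do that with the keys from jwks_uri before trusting any claim.
func CheckIDTokenIssuer(rawToken, issuer string) error {
	parts := strings.Split(rawToken, ".")
	if len(parts) != 3 {
		return fmt.Errorf("malformed JWT: expected 3 segments, got %d", len(parts))
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return fmt.Errorf("decode payload: %w", err)
	}
	var claims struct {
		Iss string `json:"iss"`
	}
	if err := json.Unmarshal(payload, &claims); err != nil {
		return fmt.Errorf("decode claims: %w", err)
	}
	if claims.Iss != issuer {
		return fmt.Errorf("id token issued by a different provider, expected %q got %q", issuer, claims.Iss)
	}
	return nil
}
```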

@ziemekobel-ef

Here's a solution for the issuer mismatch problem: #290 (comment)
