Azure ID Error #1274

Closed
2 tasks done
mosnicholas opened this issue Oct 17, 2023 · 7 comments · Fixed by #1275
Labels
bug Something isn't working released

Comments

mosnicholas commented Oct 17, 2023

Bug report

As of 2023-10-17T08:59:15.000Z, I have started seeing the following errors in my Azure auth:

azure: ID token issuer \"https://login.microsoftonline.com/TENANT-UUID/v2.0\" does not match expected issuer \"https://login.microsoftonline.com/organizations/v2.0\"","level":"error","method":"GET","msg":"500: Error getting user email from external provider"
  • I confirm this is a bug with Supabase, not with my own application.
  • I confirm I have searched the Docs, GitHub Discussions, and Discord.

Describe the bug

Azure login is no longer working for my multitenant app. It might be related to this: #1269.

To Reproduce

I'm not sure -- I haven't changed anything in my app since yesterday and started seeing these errors.

Expected behavior

There should be no errors.

Screenshots

If applicable, add screenshots to help explain your problem.

System information

  • OS: Running in Supabase cloud.
  • Version of supabase-js: ^2.36.0
  • Version of Node.js: 18.2

Additional context

Add any other context about the problem here.

@mosnicholas mosnicholas added the bug Something isn't working label Oct 17, 2023
@mosnicholas mosnicholas changed the title Azure ID Azure ID Error Oct 17, 2023

AaronRivera-workdev commented Oct 17, 2023

I see the same thing. I think it has to do with appending "2.0" to the issuer, but I don't have a good way to verify:
https://github.com/supabase/gotrue/blob/4c50357841c51c2da0eff4d7f8920aed5e640df2/internal/api/provider/azure.go#L62

Docs state to omit that for Active directory 1.0 apps:
https://learn.microsoft.com/en-us/azure/container-apps/authentication-azure-active-directory

Our app has been down for our users, hopefully this gets resolved soon.

@mosnicholas
Author

@hf was there a deploy for Supabase auth related to the changes you made yesterday? I don't know where to check, but I saw you merged in some changes to gotrue that seem related?

mosnicholas commented Oct 17, 2023

It seems we're hitting this error: https://github.com/supabase/gotrue/pull/1269/files#diff-ea3c11f35c15f1496340532424b81c805cc3f6fb541800add5cd6f497548b324R130. I believe the changes here should have fixed it: https://github.com/supabase/gotrue/pull/1272/files, but I'm still seeing this error in production.

@hf given this is affecting production customers, it would be great to know if your team can act on this asap.

AaronRivera-workdev commented Oct 17, 2023

@mosnicholas not sure if your situation allows, but I was able to resolve my issue by switching my Azure Tenant URL from:

https://login.microsoftonline.com/organizations to https://login.microsoftonline.com/common. See the following for info:

https://learn.microsoft.com/en-us/azure/active-directory/develop/msal-client-application-configuration

I was also required to add email to the login scope:

```js
... = await supabase.auth.signInWithOAuth({
  ...
  options: {
    scopes: 'email,profile',
    ..
  },
});
```

@mosnicholas
Author

Thank you for updating here @aaron-xandria

kangmingtay added a commit that referenced this issue Oct 17, 2023
## What kind of change does this PR introduce?
* The issuer can also be https://login.microsoftonline.com/organizations
for applications processing accounts in any organizational directory
(any Microsoft Entra directory) (see
[here](https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-convert-app-to-be-multi-tenant))
* Fixes #1274
@kangmingtay
Member

hey everyone, we've fixed this issue in #1275 and will roll it out to all affected projects on Supabase.
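
The error reported in this issue comes from comparing the ID token's `iss` claim for string equality against a multi-tenant alias issuer, while the token carries the issuer of the tenant that signed the user in. The following is an added example, not gotrue's code and not part of the thread, of an issuer check that accepts the `common` and `organizations` aliases without dropping validation. The function name, the allow-list parameter and the sample tenant GUID are assumptions, and the `consumers` alias is not handled.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// msaTenant is the tenant ID Microsoft uses for personal (consumer) accounts.
const msaTenant = "9188040d-6c67-4c5b-b112-36a304b66dad"

var issuerRe = regexp.MustCompile(`^https://login\.microsoftonline\.com/([^/]+)/v2\.0$`)
var guidRe = regexp.MustCompile(`^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$`)

// CheckAzureIssuer validates the iss claim against the configured issuer.
// Under a multi-tenant alias, iss must be the v2.0 issuer of the tenant named
// in the tid claim. allowed is an optional tenant allow-list (nil = no list).
func CheckAzureIssuer(configured, iss, tid string, allowed map[string]bool) error {
	cfg := issuerRe.FindStringSubmatch(configured)
	if cfg == nil {
		return fmt.Errorf("configured issuer %q is not an Azure v2.0 issuer", configured)
	}
	alias := cfg[1]
	if alias != "common" && alias != "organizations" { // single tenant: exact match only
		if iss != configured {
			return fmt.Errorf("issuer %q does not match expected issuer %q", iss, configured)
		}
		return nil
	}
	tok := issuerRe.FindStringSubmatch(iss)
	tid = strings.ToLower(tid)
	if tok == nil || !guidRe.MatchString(tid) || strings.ToLower(tok[1]) != tid {
		return fmt.Errorf("issuer %q is not the v2.0 issuer of tenant %q", iss, tid)
	}
	if alias == "organizations" && tid == msaTenant {
		return fmt.Errorf("personal accounts are not accepted under /organizations")
	}
	if allowed != nil && !allowed[tid] {
		return fmt.Errorf("tenant %q is not on the allow-list", tid)
	}
	return nil
}

func main() {
	// Constructed sample: the tenant GUID below is made up.
	t := "11111111-2222-3333-4444-555555555555"
	iss := "https://login.microsoftonline.com/" + t + "/v2.0"
	fmt.Println(CheckAzureIssuer("https://login.microsoftonline.com/organizations/v2.0", iss, t, nil))
}
```

Passing a non-nil allow-list restricts a multi-tenant app to known customer tenants, which the alias alone does not do.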

@github-actions
Contributor

🎉 This issue has been resolved in version 2.104.1 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀

hoeseong19 pushed a commit to hoeseong19/gotrue that referenced this issue Oct 22, 2023
…1275)

## What kind of change does this PR introduce?
* The issuer can also be https://login.microsoftonline.com/organizations
for applications processing accounts in any organizational directory
(any Microsoft Entra directory) (see
[here](https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-convert-app-to-be-multi-tenant))
* Fixes supabase#1274