Azure AD v2.0 fails issuer check when creating provider

[tamalsaha]

Azure AD v2.0 provides OIDC config via:
https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration

Issuer in the config json is returned as
https://login.microsoftonline.com/{tenantid}/v2.0

As a result NewProvider() method fails.

[ericchiang]

What does curling the following address return (once you replace your tenantid)?

https://login.microsoftonline.com/{tenantid}/v2.0/.well-known/openid-configuration

Also what's in the id token?

(sorry for the late reply, was on vacation for the last two weeks)

[tamalsaha]

@ericchiang, curling https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration,

returns https://login.microsoftonline.com/{tenantid}/v2.0. But the actual issuer is https://login.microsoftonline.com/9188040d-6c67-4c5b-b112-36a304b66dad/v2.0, as it is documented here: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-v2-tokens

A GUID that represents the Azure AD tenant that the user is from. For work and school accounts, the GUID is the immutable tenant ID of the organization that the user belongs to. For personal accounts, the value is 9188040d-6c67-4c5b-b112-36a304b66dad. The profile scope is required in order to receive this claim.

We need to use tenantId = common in the Oauth URLs and tenantId=9188040d-6c67-4c5b-b112-36a304b66dad to verify id_token to support login via personal accounts.

Also, one can use their own tenantId to support only Azure AD Organization.

[tamalsaha]

@ericchiang, I just also tried using https://login.microsoftonline.com/9188040d-6c67-4c5b-b112-36a304b66dad/v2.0/.well-known/openid-configuration. But this results in the following error:

[ericchiang]

What the issuer claim for the returned ID token? This package cares about that. Is it the following?

https://login.microsoftonline.com/{tenantid}/v2.0

Per the OpenID Connect spec the issuer returned by the discovery URL has to match the claim in the ID Token

REQUIRED. URL using the https scheme with no query or fragment component that the OP asserts as its Issuer Identifier. If Issuer discovery is supported (see Section 2), this value MUST be identical to the issuer value returned by WebFinger. This also MUST be identical to the iss Claim value in ID Tokens issued from this Issuer.

https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata

[ericchiang]

FYI your "unable to complete your request" link looks like it's working now.

$ curl -s https://login.microsoftonline.com/9188040d-6c67-4c5b-b112-36a304b66dad/v2.0/.well-known/openid-configuration | jq .
{
  "authorization_endpoint": "https://login.microsoftonline.com/9188040d-6c67-4c5b-b112-36a304b66dad/oauth2/v2.0/authorize",
  "token_endpoint": "https://login.microsoftonline.com/9188040d-6c67-4c5b-b112-36a304b66dad/oauth2/v2.0/token",
  "token_endpoint_auth_methods_supported": [
    "client_secret_post",
    "private_key_jwt"
  ],
  "jwks_uri": "https://login.microsoftonline.com/9188040d-6c67-4c5b-b112-36a304b66dad/discovery/v2.0/keys",
  "response_modes_supported": [
    "query",
    "fragment",
    "form_post"
  ],
  "subject_types_supported": [
    "pairwise"
  ],
  "id_token_signing_alg_values_supported": [
    "RS256"
  ],
  "http_logout_supported": true,
  "frontchannel_logout_supported": true,
  "end_session_endpoint": "https://login.microsoftonline.com/9188040d-6c67-4c5b-b112-36a304b66dad/oauth2/v2.0/logout",
  "response_types_supported": [
    "code",
    "id_token",
    "code id_token",
    "id_token token"
  ],
  "scopes_supported": [
    "openid",
    "profile",
    "email",
    "offline_access"
  ],
  "issuer": "https://login.microsoftonline.com/9188040d-6c67-4c5b-b112-36a304b66dad/v2.0",
  "claims_supported": [
    "sub",
    "iss",
    "cloud_instance_name",
    "aud",
    "exp",
    "iat",
    "auth_time",
    "acr",
    "nonce",
    "preferred_username",
    "name",
    "tid",
    "ver",
    "at_hash",
    "c_hash",
    "email"
  ],
  "request_uri_parameter_supported": false,
  "tenant_region_scope": null,
  "cloud_instance_name": "microsoftonline.com"
}

[ericchiang]

So it looks like if you provide the correct issuer everything will work.

[tamalsaha]

@ericchiang I think using 9188040d-6c67-4c5b-b112-36a304b66dad instead of common results in proper issuer check. Closing this issue. Thanks for your help in debugging this.

[bdwyertech]

This also fails using Azure AD B2C. Providers are mapped to "user flows" within the B2C tenant. In the example below, b2c_1_signup-signin is the chosen user flow.

Provider URL

• https://myorgb2c.b2clogin.com/4c2f1234-123-4567-7654-123321828afd/b2c_1_signup-signin/v2.0/.well-known/openid-configuration

Notice that the issuer does not match the Provider URL

{
  "issuer": "https://myorgb2c.b2clogin.com/4c2f1234-123-4567-7654-123321828afd/v2.0/",
  "authorization_endpoint": "https://myorgb2c.b2clogin.com/4c2f1234-123-4567-7654-123321828afd/b2c_1_signup-signin/oauth2/v2.0/authorize",
  "token_endpoint": "https://myorgb2c.b2clogin.com/4c2f1234-123-4567-7654-123321828afd/b2c_1_signup-signin/oauth2/v2.0/token",
  "end_session_endpoint": "https://myorgb2c.b2clogin.com/4c2f1234-123-4567-7654-123321828afd/b2c_1_signup-signin/oauth2/v2.0/logout",
  "jwks_uri": "https://myorgb2c.b2clogin.com/4c2f1234-123-4567-7654-123321828afd/b2c_1_signup-signin/discovery/v2.0/keys",
  "response_modes_supported": [
    "query",
    "fragment",
    "form_post"
  ],
  "response_types_supported": [
    "code",
    "code id_token",
    "code token",
    "code id_token token",
    "id_token",
    "id_token token",
    "token",
    "token id_token"
  ],
  "scopes_supported": [
    "openid"
  ],
  "subject_types_supported": [
    "pairwise"
  ],
  "id_token_signing_alg_values_supported": [
    "RS256"
  ],
  "token_endpoint_auth_methods_supported": [
    "client_secret_post",
    "client_secret_basic"
  ],
  "claims_supported": [
    "name",
    "emails",
    "given_name",
    "idp",
    "sub",
    "tfp",
    "iss",
    "iat",
    "exp",
    "aud",
    "acr",
    "nonce",
    "auth_time"
  ]
}

[ziemekobel-ef]

Here's a solution for the issuer mismatch problem: #290 (comment)