fix: give AAD v2 organizations and consumers same treatment as common

Closes #175
panva · Jul 12, 2019 · 4891b5b · 4891b5b
1 parent 47801c2
commit 4891b5b
Show file tree

Hide file tree

Showing 3 changed files with 41 additions and 25 deletions.
diff --git a/lib/helpers/consts.js b/lib/helpers/consts.js
@@ -2,7 +2,11 @@ const OIDC_DISCOVERY = '/.well-known/openid-configuration';
 const OAUTH2_DISCOVERY = '/.well-known/oauth-authorization-server';
 const WEBFINGER = '/.well-known/webfinger';
 const REL = 'http://openid.net/specs/connect/1.0/issuer';
-const AAD_MULTITENANT_DISCOVERY = `https://login.microsoftonline.com/common/v2.0${OIDC_DISCOVERY}`;
+const AAD_MULTITENANT_DISCOVERY = new Set([
+  `https://login.microsoftonline.com/common/v2.0${OIDC_DISCOVERY}`,
+  `https://login.microsoftonline.com/organizations/v2.0${OIDC_DISCOVERY}`,
+  `https://login.microsoftonline.com/consumers/v2.0${OIDC_DISCOVERY}`,
+]);
 
 const CLIENT_DEFAULTS = {
   grant_types: ['authorization_code'],

diff --git a/lib/issuer.js b/lib/issuer.js
@@ -215,7 +215,7 @@ class Issuer {
         {},
         ISSUER_DEFAULTS,
         body,
-        { [AAD_MULTITENANT]: uri === AAD_MULTITENANT_DISCOVERY },
+        { [AAD_MULTITENANT]: AAD_MULTITENANT_DISCOVERY.has(uri) },
       ));
     }
 
@@ -243,7 +243,7 @@ class Issuer {
         {},
         ISSUER_DEFAULTS,
         body,
-        { [AAD_MULTITENANT]: wellKnownUri === AAD_MULTITENANT_DISCOVERY },
+        { [AAD_MULTITENANT]: AAD_MULTITENANT_DISCOVERY.has(wellKnownUri) },
       ));
     }));
   }

diff --git a/test/aad/aad.test.js b/test/aad/aad.test.js
@@ -3,38 +3,50 @@ const nock = require('nock');
 
 const { Issuer } = require('../../lib');
 
-const INPUTS = [
-  'https://login.microsoftonline.com/common/v2.0',
-  'https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration',
-];
+const INPUTS = {
+  common: [
+    'https://login.microsoftonline.com/common/v2.0',
+    'https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration',
+  ],
+  consumers: [
+    'https://login.microsoftonline.com/consumers/v2.0',
+    'https://login.microsoftonline.com/consumers/v2.0/.well-known/openid-configuration',
+  ],
+  organizations: [
+    'https://login.microsoftonline.com/organizations/v2.0',
+    'https://login.microsoftonline.com/organizations/v2.0/.well-known/openid-configuration',
+  ],
+};
 
 const idToken = 'eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJmb28iLCJhdWQiOiJmb28iLCJpYXQiOjEyMzQ1LCJleHAiOjEyMzQ1LCJpc3MiOiJodHRwczovL2xvZ2luLm1pY3Jvc29mdG9ubGluZS5jb20vZm9vL3YyLjAiLCJ0aWQiOiJmb28ifQ';
 const fail = () => { throw new Error('expected promise to be rejected'); };
 
 describe('Azure AD multi-tenant applications', () => {
-  INPUTS.forEach((input, i) => {
-    it(`changes the "iss" validation when Issuer is discovered ${i + 1}/${INPUTS.length}`, async () => {
-      nock('https://login.microsoftonline.com')
-        .get('/common/v2.0/.well-known/openid-configuration')
-        .reply(200, {
-          issuer: 'https://login.microsoftonline.com/{tenantid}/v2.0',
+  Object.entries(INPUTS).forEach(([bucket, inputs]) => {
+    inputs.forEach((input) => {
+      it(`changes the "iss" validation when Issuer is discovered (${input})`, async () => {
+        nock('https://login.microsoftonline.com')
+          .get(`/${bucket}/v2.0/.well-known/openid-configuration`)
+          .reply(200, {
+            issuer: 'https://login.microsoftonline.com/{tenantid}/v2.0',
+          });
+
+        const aad = await Issuer.discover(input);
+        const client = new aad.Client({ client_id: 'foo' });
+        return client.validateIdToken(idToken).then(fail).catch((err) => {
+          expect(err.message).to.match(/^id_token expired, now \d+, exp 12345$/);
         });
+      });
+    });
 
-      const aad = await Issuer.discover(input);
+    it('no changes to "iss" validation when Issuer is constructed', async () => {
+      const aad = new Issuer({
+        issuer: 'https://login.microsoftonline.com/{tenantid}/v2.0',
+      });
       const client = new aad.Client({ client_id: 'foo' });
       return client.validateIdToken(idToken).then(fail).catch((err) => {
-        expect(err.message).to.match(/^id_token expired, now \d+, exp 12345$/);
+        expect(err.message).to.eql('unexpected iss value, expected https://login.microsoftonline.com/{tenantid}/v2.0, got: https://login.microsoftonline.com/foo/v2.0');
       });
     });
   });
-
-  it('no changes to "iss" validation when Issuer is constructed', async () => {
-    const aad = new Issuer({
-      issuer: 'https://login.microsoftonline.com/{tenantid}/v2.0',
-    });
-    const client = new aad.Client({ client_id: 'foo' });
-    return client.validateIdToken(idToken).then(fail).catch((err) => {
-      expect(err.message).to.eql('unexpected iss value, expected https://login.microsoftonline.com/{tenantid}/v2.0, got: https://login.microsoftonline.com/foo/v2.0');
-    });
-  });
 });