-
-
Notifications
You must be signed in to change notification settings - Fork 103
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Strict validation breaks due to Microsoft's OIDC noncompliance #122
Comments
I'm sympathetic to Microsoft's customers' frustrations here while also being annoyed that Microsoft decided to ignore the spec and push this problem to both customers and library maintainers. Since this library focuses on standardized protocols, I think a reasonable goal here is to have escape hatches (but not foot guns) available that allow users to interoperate with Microsoft, but without adding any Microsoft-specific functionality to this crate. A PR adding a working Microsoft code example would be welcomed, though. This means that Microsoft customers should be able to use this crate, but their code may be more verbose than for users of standards-compliant OIDC implementations. Making Microsoft OIDC integrations work out of the box without any extra code is a non-goal of this crate, although community members should feel free to publish a separate crate built on top of this one to improve the ergonomics.
For JWT issuer validation, there are already two escape hatches available:
Discovery validation is a bit trickier, but the |
Thanks for the guidance, I did manage to put together a shim http client as you suggested to fix the issue with discovery validation. As for JWT validation, I'm not sure how the "recommended" escape hatch could be implemented, even by a library that wraps this one, because the client id/secret gets moved into the oidc Client type, and is held there opaque to any API consumers. Since the instantiation of an IdTokenVerifier happens here, there doesn't seem to be a lot that can be done to get around that. As for a Microsoft code example, after circumventing the failing validation checks, I was able to get this crate working with the same overall structure as the Google example, albeit with URLs changed. |
The automatic instantiation happens within the Lines 986 to 1005 in e9b1c53
All of these values are available outside the client, either from users knowing their own client ID and client secret (cloning rather than moving them into the |
LinkedIn's new OIDC implementations seems to adopt a lot of Microsoft's poor behavior regarding OIDC standards, but they also:
It's probably possible to go and work around this using the http shim method, and I've been able to do so to at least reconstruct the id_token and token response to be spec-compliant, but because the incorrect format of |
Hey, You should be able to find it on https://entra.microsoft.com following Edit: |
This library strictly validates responses from the server according to spec in ways that make it incompatible with Microsoft's implementation of OIDC in certain situations due to their refusal to make their implementation spec compliant. Currently the library doesn't allow users to configure the validation strictness, meaning the only way to work around this is to copy the repository locally to selectively ignore validation failures caused by this. It would be helpful if users could configure this to disable the validation to support Microsoft OIDC (Or alternatively, to specify alternate valid fields to provide some level of certainty that the payload is mostly correct).
The two checks that fail are in verification.rs:284 (JWT issuer validation), and discovery.rs:386 (Provider metadata issuer validation).
Based on the responses to the above issue (as well as the age of the issue), I don't think a spec compliant implementation of OIDC should be expected from Microsoft any time soon, and as such it would be helpful to allow for exceptions in this case to be compatible.
The text was updated successfully, but these errors were encountered: