Add ProviderMetadata::discover_with_options and "common" Entra example #183
+253
−3
#179 handles the case for an Entra application that allows signins from a single tenant. For Entra applications that allow signins from personal and enterprise accounts, the `https://login.microsoftonline.com/common/v2.0` issuer is used, which returns a metadata document with `issuer` set to `https://login.microsoftonline.com/{tenantid}/v2.0`. This PR adds `ProviderMetadata::discover_with_options` and `ProviderMetadata::discover_async_with_options` to disable the `issuer` validation required by the OIDC spec. I think this is more discoverable than the proposed route in #122 of wrapping http_client to munge the response.

In the example `require_issuer_match` is disabled on the `IdTokenVerifier` because the ID token has the `iss` claim set with the specific tenant ID of the account, which is not a static value.
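Turning off `require_issuer_match` removes a check the OIDC spec relies on, so a relying party that does this for the Entra "common" endpoint needs a compensating check on the token it accepts. The example below is added here and is not code from this PR or from the openidconnect crate: it is dependency-free Rust that takes the `{tenantid}` issuer template quoted above, instantiates it with the token's own `tid` claim, and compares the result to the token's `iss` (the approach Microsoft documents for multi-tenant apps), optionally restricted to an allowlist of tenants. The `IdTokenClaims` struct, `validate_issuer` function, `IssuerError` enum and the GUID-shaped tenant IDs are all assumptions constructed for the example; in a real application the claims would come from an ID token whose signature has already been verified.

```rust
/// Issuer template returned by the Entra "common" discovery document
/// (the value quoted in the PR description above).
pub const ENTRA_COMMON_ISSUER_TEMPLATE: &str =
    "https://login.microsoftonline.com/{tenantid}/v2.0";

/// The only claims this check reads. Constructed for the example; in a
/// real application these come from an already signature-verified ID token.
#[derive(Debug, Clone, Copy)]
pub struct IdTokenClaims<'a> {
    pub iss: &'a str,
    pub tid: Option<&'a str>,
}

#[derive(Debug, PartialEq, Eq)]
pub enum IssuerError {
    MissingTid,
    MalformedTid,
    TenantNotAllowed,
    IssuerMismatch,
}

/// A `tid` must look like a GUID: hex digits and dashes only. Rejecting
/// anything else stops a crafted `tid` (for example one containing `/`)
/// from being substituted into the template at all.
fn tid_is_well_formed(tid: &str) -> bool {
    !tid.is_empty()
        && tid.len() <= 36
        && tid.chars().all(|c| c.is_ascii_hexdigit() || c == '-')
}

/// Instantiate the issuer template for one tenant.
pub fn expected_issuer(template: &str, tid: &str) -> String {
    template.replace("{tenantid}", tid)
}

/// Compensating check for an application that had to disable the static
/// issuer comparison: the token's `iss` must equal the template with the
/// token's own `tid` substituted, and that tenant must be on the allowlist.
/// An empty allowlist means "any tenant", i.e. a true multi-tenant app.
/// On success the accepted issuer string is returned for logging.
pub fn validate_issuer(
    template: &str,
    claims: IdTokenClaims<'_>,
    allowed_tenants: &[&str],
) -> Result<String, IssuerError> {
    let tid = claims.tid.ok_or(IssuerError::MissingTid)?;
    if !tid_is_well_formed(tid) {
        return Err(IssuerError::MalformedTid);
    }
    if !allowed_tenants.is_empty()
        && !allowed_tenants.iter().any(|t| t.eq_ignore_ascii_case(tid))
    {
        return Err(IssuerError::TenantNotAllowed);
    }
    let expected = expected_issuer(template, tid);
    if claims.iss != expected {
        return Err(IssuerError::IssuerMismatch);
    }
    Ok(expected)
}

fn main() {
    // Constructed sample: a token from tenant 1111..., which is allowlisted.
    let allowed = ["11111111-2222-3333-4444-555555555555"];
    let good = IdTokenClaims {
        iss: "https://login.microsoftonline.com/11111111-2222-3333-4444-555555555555/v2.0",
        tid: Some("11111111-2222-3333-4444-555555555555"),
    };
    println!("{:?}", validate_issuer(ENTRA_COMMON_ISSUER_TEMPLATE, good, &allowed));

    // Constructed sample: `iss` names a different tenant than `tid` claims.
    let mismatched = IdTokenClaims {
        iss: "https://login.microsoftonline.com/99999999-8888-7777-6666-555555555555/v2.0",
        tid: Some("11111111-2222-3333-4444-555555555555"),
    };
    println!("{:?}", validate_issuer(ENTRA_COMMON_ISSUER_TEMPLATE, mismatched, &allowed));
}
```

The point of keeping `tid` as the only source for the substituted value is that both `iss` and `tid` are covered by the token signature, so an attacker who controls neither cannot make the two agree on a tenant the application did not expect; the allowlist then decides which tenants are acceptable at all.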