From 8025a7f2acac826d7e80b4e0fbcbbaa4bd639ed2 Mon Sep 17 00:00:00 2001
From: Kang Ming
Date: Tue, 17 Oct 2023 16:28:04 -0400
Subject: [PATCH] fix: include `/organizations` in expected issuer exemption (#1275)

## What kind of change does this PR introduce?

* The issuer can also be https://login.microsoftonline.com/organizations for applications processing accounts in any organizational directory (any Microsoft Entra directory) (see [here](https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-convert-app-to-be-multi-tenant))
* Fixes #1274
---
 internal/api/provider/azure.go | 5 +++--
 internal/api/token_oidc.go | 4 ++--
 2 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/internal/api/provider/azure.go b/internal/api/provider/azure.go
index ecf7a5def..87b2ee805 100644
--- a/internal/api/provider/azure.go
+++ b/internal/api/provider/azure.go
@@ -13,7 +13,8 @@ import (
 "golang.org/x/oauth2"
 )
-const IssuerAzure = "https://login.microsoftonline.com/common/v2.0"
+const IssuerAzureCommon = "https://login.microsoftonline.com/common/v2.0"
+const IssuerAzureOrganizations = "https://login.microsoftonline.com/organizations/v2.0"
 // IssuerAzureMicrosoft is the OIDC issuer for microsoft.com accounts:
 // https://learn.microsoft.com/en-us/azure/active-directory/develop/id-token-claims-reference#payload-claims
@@ -61,7 +62,7 @@ func NewAzureProvider(ext conf.OAuthProviderConfiguration, scopes string) (OAuth
 if ext.URL != "" {
 expectedIssuer = authHost + "/v2.0"
- if !IsAzureIssuer(expectedIssuer) || expectedIssuer == IssuerAzure {
+ if !IsAzureIssuer(expectedIssuer) || expectedIssuer == IssuerAzureCommon || expectedIssuer == IssuerAzureOrganizations {
 // in tests, the URL is a local server which should not
 // be the expected issuer
 // also, IssuerAzure (common) never actually issues any
diff --git a/internal/api/token_oidc.go b/internal/api/token_oidc.go
index 6116e70b4..3c8553f46 100644
--- a/internal/api/token_oidc.go
+++ b/internal/api/token_oidc.go
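Review bot: The explanatory comment inside the exemption on the new side still names the removed identifier and covers only the common endpoint (`// also, IssuerAzure (common) never actually issues any`), while the condition directly above it now also exempts `IssuerAzureOrganizations`; reword it along the lines of `// also, the common and organizations issuers never actually issue` so the reason both multi-tenant endpoints are excluded stays documented. In the first hunk the renamed `IssuerAzureCommon` and the new `IssuerAzureOrganizations` carry no doc comment, unlike the adjacent `IssuerAzureMicrosoft`; a one-line comment on each stating that it is a multi-tenant discovery endpoint rather than a value expected in a token's `iss` claim (which is what the truncated comment appears to say for common) would make the constants self-explanatory. The same two-constant comparison is repeated in token_oidc.go's `getProvider`; a helper such as `func IsAzureMultiTenantIssuer(iss string) bool { return iss == IssuerAzureCommon || iss == IssuerAzureOrganizations }` would keep the two sites from drifting and would also give `getProvider` one place to check a request-supplied `p.Issuer` against the known set before it is assigned to `issuer`. NewAzureProvider starts and ends outside the hunk.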
@@ -51,10 +51,10 @@ func (p *IdTokenGrantParams) getProvider(ctx context.Context, config *conf.Globa
 issuer = provider.IssuerGoogle
 acceptableClientIDs = append(acceptableClientIDs, config.External.Google.ClientID...)
- case p.Provider == "azure" || p.Issuer == provider.IssuerAzure:
+ case p.Provider == "azure" || p.Issuer == provider.IssuerAzureCommon || p.Issuer == provider.IssuerAzureOrganizations:
 cfg = &config.External.Azure
 providerType = "azure"
- issuer = provider.IssuerAzure
+ issuer = p.Issuer
 acceptableClientIDs = append(acceptableClientIDs, config.External.Azure.ClientID...)
 case p.Provider == "facebook" || p.Issuer == provider.IssuerFacebook: