Quirk for Dynamic (Tenant) based issuer of Microsoft Entra ID · Issue #401 · erlef/oidcc · GitHub
@MrYawe

Description


Using oidcc 3.2.5 and oidcc_plug 0.2.0-beta.1.

I'm trying to set up the OpenID Connect flow for Microsoft using the https://login.microsoftonline.com/common/v2.0 issuer.

Microsoft is known to not be compliant with the spec because the issuer in their OpenID configuration is https://login.microsoftonline.com/{tenantid}/v2.0.

Issue 1: issuer_mismatch when loading configuration

The first issue I encountered was when starting the configuration worker:

10:08:28.852 [error] GenServer Parrot.MicrosoftOpenIdProvider terminating
** (stop) {:configuration_load_failed, {:issuer_mismatch, "https://login.microsoftonline.com/{tenantid}/v2.0"}}
Last message: {:continue, :load_configuration}

But I found the allow_issuer_mismatch quirk to disable this check ✅.

Issue 2: failed pkce challenge

In my callback I had this error:

{:error,
 {:http_error, 400,
  %{
    "correlation_id" => "1bd0c1fc-15f1-4a2e-bf7f-f5ced1393473",
    "error" => "invalid_grant",
    "error_codes" => [501481],
    "error_description" => "AADSTS501481: The Code_Verifier does not match the code_challenge supplied in the authorization request. Trace ID: 97b61674-2c4d-4ce2-91a1-cc9f06fe6200 Correlation ID: 1bd0c1fc-15f1-4a2e-bf7f-f5ced1393473 Timestamp: 2024-11-14 09:19:56Z",
    "timestamp" => "2024-11-14 09:19:56Z",
    "trace_id" => "97b61674-2c4d-4ce2-91a1-cc9f06fe6200"
  }}}

Since I'm using the Oidcc.Plug.Authorize, the pkce challenge is enabled by default and in the Microsoft provider configuration document_overrides is undefined.
I found another quirk to override the provider configuration and make it work ✅. Here is my ProviderConfigurationWorker configuration at this point:

Supervisor.child_spec(
  {ProviderConfigurationWorker,
   %{
     issuer: "https://login.microsoftonline.com/common/v2.0",
     name: Parrot.MicrosoftOpenIdProvider,
     provider_configuration_opts: %{
       quirks: %{
         allow_issuer_mismatch: true,
         document_overrides: %{"code_challenge_methods_supported" => ["S256", "plain"]}
       }
     }
   }},
  id: :microsoft_open_id_provider
)

Issue 3: iss mismatch in token

This last issue is still unresolved.

{:error,
 {:missing_claim, {"iss", "https://login.microsoftonline.com/{tenantid}/v2.0"},
  %{
    "iss" => "https://login.microsoftonline.com/47271ac9-8ccd-4488-8a9f-59e76664581f/v2.0",
    "tid" => "47271ac9-8ccd-4488-8a9f-59e76664581f",
    ...
  }}}

When validating the token, the iss doesn't match because the {tenantid} in the iss claim is replaced by the actual tenant id value found in the tid claim.

Is there another quirk I can use here?

Here is the full oidcc_plug configuration I use:

@base_config [
  provider: Parrot.MicrosoftOpenIdProvider,
  client_id: &__MODULE__.client_id/0,
  client_secret: &__MODULE__.client_secret/0,
  redirect_uri: &__MODULE__.callback_uri/0
]

@authorize_config [
  scopes: ["openid", "profile", "offline_access", "User.Read"],
  url_extension: [{"response_mode", "query"}, {"prompt", "select_account"}]
]

@callback_config [retrieve_userinfo: false]

plug(
  Authorize,
  @base_config ++ @authorize_config
  when action in [:authorize]
)

plug(
  AuthorizationCallback,
  @base_config ++ @callback_config
  when action in [:callback]
)
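The open question in this issue is how to validate `iss` when the configured issuer still carries the literal `{tenantid}` placeholder from the `/common` metadata document. The following is an added example in plain Elixir, not code from oidcc or from the issue author: it substitutes the token's own `tid` into the configured issuer, compares the result with `iss`, and then refuses tenants that are not on an allowlist. The allowlist is the part that matters for security: with the `/common` issuer, a bare "iss equals template with tid filled in" check accepts a correctly signed token from any Entra tenant, not only the ones your application serves. The module name, function names and the allowlist argument are my own; signature verification against the provider's JWKS is assumed to happen separately, as the library already does it.

```elixir
defmodule EntraIssuerCheck do
  @moduledoc """
  Hypothetical helper (not part of oidcc): checks an Entra ID token's `iss`
  claim against an issuer configured from the /common metadata document,
  where the issuer still contains the literal `{tenantid}` placeholder.
  """

  @placeholder "{tenantid}"
  # Entra tenant ids are lowercase UUIDs; reject anything else before it is
  # substituted into the expected issuer string.
  @tenant_id_format ~r/\A[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}\z/

  @doc """
  Returns `{:ok, tenant_id}` when `iss` equals the configured issuer with
  `{tenantid}` replaced by the token's own `tid`, and `tid` is on the
  allowlist. Pass `:any` as the allowlist only if every Entra tenant is
  genuinely acceptable to your application.
  """
  @spec validate(map(), String.t(), :any | [String.t()]) ::
          {:ok, String.t() | nil} | {:error, term()}
  def validate(claims, configured_issuer, allowed_tenants \\ :any) do
    iss = Map.get(claims, "iss")
    tid = Map.get(claims, "tid")

    with {:ok, expected} <- expected_issuer(configured_issuer, tid),
         :ok <- compare_issuer(iss, expected),
         :ok <- check_allowlist(tid, allowed_tenants) do
      {:ok, tid}
    end
  end

  # A non-templated issuer is compared as-is; a templated one needs a
  # well-formed `tid` to build the expected value.
  defp expected_issuer(configured, tid) do
    cond do
      not String.contains?(configured, @placeholder) -> {:ok, configured}
      not is_binary(tid) -> {:error, :missing_tid}
      not Regex.match?(@tenant_id_format, tid) -> {:error, {:invalid_tid, tid}}
      true -> {:ok, String.replace(configured, @placeholder, tid)}
    end
  end

  defp compare_issuer(iss, expected) when iss == expected, do: :ok
  defp compare_issuer(iss, expected), do: {:error, {:issuer_mismatch, expected, iss}}

  defp check_allowlist(_tid, :any), do: :ok

  defp check_allowlist(tid, allowed) when is_list(allowed) do
    if tid in allowed, do: :ok, else: {:error, {:tenant_not_allowed, tid}}
  end

  @doc "Runs the check against claims shaped like the ones shown in this issue."
  def demo do
    configured = "https://login.microsoftonline.com/{tenantid}/v2.0"
    tenant = "47271ac9-8ccd-4488-8a9f-59e76664581f"

    # Constructed claims: the same shape as the token in the issue, minus the
    # claims that were elided there.
    claims = %{
      "iss" => "https://login.microsoftonline.com/#{tenant}/v2.0",
      "tid" => tenant
    }

    [
      # {:ok, "47271ac9-..."}: iss agrees with tid and the tenant is allowed
      validate(claims, configured, [tenant]),
      # {:error, {:tenant_not_allowed, ...}}: valid token, but from a tenant we do not serve
      validate(claims, configured, ["00000000-0000-0000-0000-000000000001"]),
      # {:error, {:issuer_mismatch, ...}}: tid names one tenant, iss names another
      validate(%{claims | "tid" => "00000000-0000-0000-0000-000000000001"}, configured, :any)
    ]
  end
end

IO.inspect(EntraIssuerCheck.demo())
```

Save it as `entra_issuer_check.exs` and run `elixir entra_issuer_check.exs`; `demo/0` exercises the three outcomes. The check is meant to run on the claims of a token whose signature has already been verified against the provider's JWKS, after `allow_issuer_mismatch` has let the configuration load; it only answers the question of whether `iss` and `tid` agree and whether that tenant is one you intend to accept.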
