

Patch behavior of microsoft provider to work around OIDC incompatibil…
…ity of Microsoft Entra

In case you have a "custom signing key" enabled on AWS Entra, you'll need to append '?appid=APPID'
to the JWKS URL to get a list of the appropriate keys. This behavior renders Entra non-compliant
with the OIDC spec. This patch modifies Ory's Microsoft Provider so that it works with MS Entra despite this
non-compliance with the spec.
mpauly-exnaton committed Jul 18, 2024
1 parent f47675b commit 1b47b89
Showing 1 changed file with 12 additions and 5 deletions.
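--- a/selfservice/strategy/oidc/provider_microsoft.go
+++ b/selfservice/strategy/oidc/provider_microsoft.go
@@ -69,12 +69,19 @@ func (m *ProviderMicrosoft) Claims(ctx context.Context, exchange *oauth2.Token,
 return nil, errors.WithStack(herodot.ErrBadRequest.WithReasonf("TenantID claim is not a valid UUID: %s", err))
 }
 
-issuer := "https://login.microsoftonline.com/" + unverifiedClaims.TenantID + "/v2.0"
-ctx = context.WithValue(ctx, oauth2.HTTPClient, m.reg.HTTPClient(ctx).HTTPClient)
-p, err := gooidc.NewProvider(ctx, issuer)
-if err != nil {
-return nil, errors.WithStack(herodot.ErrInternalServerError.WithReasonf("Unable to initialize OpenID Connect Provider: %s", err))
+// issuer := "https://login.microsoftonline.com/" + unverifiedClaims.TenantID + "/v2.0"
+// ctx = context.WithValue(ctx, oauth2.HTTPClient, m.reg.HTTPClient(ctx).HTTPClient)
+// p, err := gooidc.NewProvider(ctx, issuer)
+// if err != nil {
+// return nil, errors.WithStack(herodot.ErrInternalServerError.WithReasonf("Unable to initialize OpenID Connect Provider: %s", err))
+// }
+config := gooidc.ProviderConfig{
+IssuerURL: "https://login.microsoftonline.com/" + unverifiedClaims.TenantID + "/v2.0",
+AuthURL: "https://login.microsoftonline.com/" + unverifiedClaims.TenantID + "/oauth2/v2.0/authorize",
+TokenURL: "https://login.microsoftonline.com/" + unverifiedClaims.TenantID + "/oauth2/v2.0/token",
+JWKSURL: "https://login.microsoftonline.com/" + unverifiedClaims.TenantID + "/discovery/v2.0/keys?appid=" + m.config.ClientID,
 }
+p := config.NewProvider(ctx)
 
 claims, err := m.verifyAndDecodeClaimsWithProvider(ctx, p, raw)
 if err != nil {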
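Review bot: The removed line `ctx = context.WithValue(ctx, oauth2.HTTPClient, m.reg.HTTPClient(ctx).HTTPClient)` was dropped together with the discovery call, yet `config.NewProvider(ctx)` still fetches the JWKS over HTTP, and go-oidc takes its client from that context value, so key retrieval now appears to bypass the registry's configured HTTP client (its timeouts, proxy and outbound-request restrictions); restore that line before `p := config.NewProvider(ctx)`. The commented-out discovery block above the `ProviderConfig` literal should be deleted rather than kept, since the commit message already records why discovery was replaced. A comment on the `JWKSURL` field would spare the next reader a trip to the commit log, e.g. `// Entra tenants with a custom signing key only return the matching keys when appid is supplied; discovery cannot express this.` Consider also rejecting an empty `m.config.ClientID` here, as it yields a JWKS URL ending in `appid=` whose behaviour is not defined by this code. Claims starts before this hunk and continues after it.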

