From 1b47b891662179e76db91bb71297feab5b52ad18 Mon Sep 17 00:00:00 2001 From: Martin Pauly Date: Thu, 18 Jul 2024 09:38:09 +0200 Subject: [PATCH] Patch behavior of microsoft provider to work around OIDC incompatibility of Microsoft Entra In case you have a "custom signing key" enabled in Microsoft Entra, you need to append '?appid=APPID' to the JWKS URL to get the list of keys that actually sign your tokens; the keys advertised by plain OIDC discovery do not include it. This behavior renders Entra non-compliant with the OIDC discovery spec. This patch adjusts Ory's Microsoft provider to work with Microsoft Entra despite this non-compliance with the spec. --- selfservice/strategy/oidc/provider_microsoft.go | 17 ++++++++++++----- 1 file changed, 12 insertions(+), 5 deletions(-) diff --git a/selfservice/strategy/oidc/provider_microsoft.go b/selfservice/strategy/oidc/provider_microsoft.go index d69206ec4d87..37c442df4f98 100644 --- a/selfservice/strategy/oidc/provider_microsoft.go +++ b/selfservice/strategy/oidc/provider_microsoft.go 
@@ -69,12 +69,19 @@ func (m *ProviderMicrosoft) Claims(ctx context.Context, exchange *oauth2.Token,
 return nil, errors.WithStack(herodot.ErrBadRequest.WithReasonf("TenantID claim is not a valid UUID: %s", err))
 }
- issuer := "https://login.microsoftonline.com/" + unverifiedClaims.TenantID + "/v2.0"
- ctx = context.WithValue(ctx, oauth2.HTTPClient, m.reg.HTTPClient(ctx).HTTPClient)
- p, err := gooidc.NewProvider(ctx, issuer)
- if err != nil {
- return nil, errors.WithStack(herodot.ErrInternalServerError.WithReasonf("Unable to initialize OpenID Connect Provider: %s", err))
+ // issuer := "https://login.microsoftonline.com/" + unverifiedClaims.TenantID + "/v2.0"
+ // ctx = context.WithValue(ctx, oauth2.HTTPClient, m.reg.HTTPClient(ctx).HTTPClient)
+ // p, err := gooidc.NewProvider(ctx, issuer)
+ // if err != nil {
+ // return nil, errors.WithStack(herodot.ErrInternalServerError.WithReasonf("Unable to initialize OpenID Connect Provider: %s", err))
+ // }
+ config := gooidc.ProviderConfig{
+ IssuerURL: "https://login.microsoftonline.com/" + unverifiedClaims.TenantID + "/v2.0",
+ AuthURL: "https://login.microsoftonline.com/" + unverifiedClaims.TenantID + "/oauth2/v2.0/authorize",
+ TokenURL: "https://login.microsoftonline.com/" + unverifiedClaims.TenantID + "/oauth2/v2.0/token",
+ JWKSURL: "https://login.microsoftonline.com/" + unverifiedClaims.TenantID + "/discovery/v2.0/keys?appid=" + m.config.ClientID,
 }
+ p := config.NewProvider(ctx)
 claims, err := m.verifyAndDecodeClaimsWithProvider(ctx, p, raw)
 if err != nil {
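Review bot: The new code drops `ctx = context.WithValue(ctx, oauth2.HTTPClient, m.reg.HTTPClient(ctx).HTTPClient)` without a replacement, so the remote JWKS fetch that `config.NewProvider(ctx)` sets up will, if go-oidc takes its client from `oauth2.HTTPClient` in the context as upstream does, use the default HTTP client instead of the registry's configured one, losing its timeouts, TLS settings and any outbound-request policy applied there; restore that line immediately before `p := config.NewProvider(ctx)`. The `?appid=` query value should be `url.QueryEscape(m.config.ClientID)` rather than raw concatenation (assuming `net/url` is already imported for the `query url.Values` parameter), since only `TenantID` is validated as a UUID in the context lines above. The six commented-out lines should be deleted rather than kept as dead code, and the reason for bypassing discovery recorded once, e.g. `// Entra only serves an app's custom signing keys when ?appid= is passed to the JWKS endpoint; discovery omits it, so endpoints are configured statically.` The `Claims` method begins before and continues after this hunk.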