Problem using microsoft oauth2 as provider because of dynamic issuer #166
Comments
|
I never tested with common, only with a specific tenant. There you must use the tenant specific endpoints all over or set |
|
Hey thank you for the fast response. I was not able to get to a successful configuration where discovery works. So you mean that I have to set the issuer to the url with my tenant id? I was reading through the documentation and every documents I found uses the common one as this specifies if users can authenticate with private accounts or not. But I will give it a try. |
|
If i set the tenant id in the issuer field and discovery to true, than nobody except permitted users can login. |
|
Or is this a problem related to the gem |
|
I have seen in the openid_connect gem that there is a way when initializing OpenID to ignore the issuer validation. Maybe this is a way in this specific scenario if this gem here supports this flag. Now I have monkey patched the validation from exact match to regex. Not ideal but do the job without loosing security |
|
@FLX-0x00 I'm using this gem as part of GitLab since about a year with Entra ID and before with another IdP, works smooth. As written above: |
|
I have a very similar problem - I also need to use the common endpoint ( When looking at the discovery document from Azure, the issuer gets specified as @bufferoverflow I am open for any suggestions, but I honestly do not see a way to use this gem with users from multiple Azure/Entra Id tenants. Or is there anything else I could do or try to make it work? My config (also GitLab): gitlab_rails['omniauth_providers'] = [
{
"name" => "azure_oauth2",
"label" => "Microsoft Entra ID",
"args" => {
"name" => "azure_oauth2",
"strategy_class" => "OmniAuth::Strategies::OpenIDConnect",
"issuer" => "https://login.microsoftonline.com/common/v2.0",
"discovery" => true,
"scope" => ["openid", "profile", "email"],
"pkce" => true,
"uid_field" => "oid",
"client_options" => {
"identifier" => "...",
"secret" => "...",
"redirect_uri" => "https://gitlab.example.com/users/auth/azure_oauth2/callback",
}
}
}
]In case anybody else has the same problem and sees this issue: I had to resort to use |
|
@felixstorm Totally forgot to mention this but yes - we have switched to |
|
@felixstorm as I see within https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration the {tenantid} placeholder is used. So for this case please try with the config mentioned within the issue description or below, but set your tenantid within the issuer as omniauth_provider :openid_connect, {
name: :microsoft,
scope: [:openid, :email],
issuer: 'https://login.microsoftonline.com/810017af-c1d4-4a3b-9e18-.../v2.0', # use your tenant id
client_options: {
host: 'login.microsoftonline.com',
authorization_endpoint: 'https://login.microsoftonline.com/common/oauth2/v2.0/authorize',
token_endpoint: 'https://login.microsoftonline.com/common/oauth2/v2.0/token',
userinfo_endpoint: 'https://graph.microsoft.com/oidc/userinfo',
jwks_uri: 'https://login.microsoftonline.com/common/discovery/v2.0/keys',
end_session_endpoint: 'https://login.microsoftonline.com/common/oauth2/v2.0/logout',
identifier: Rails.application.credentials[:identifier],
secret: Rails.application.credentials[:oauth_secret],
redirect_uri: Rails.application.config.microsoft_openid_connect_redirect_uri
}
}I suspect autodiscovery does not work as the issuer is tenant specific. |
|
ok, @felixstorm @FLX-0x00 I just verified and it works smooth. Here is the config I used to verify within my gdk: - { name: "openid_connect_aad",
label: "Microsoft Entra ID",
args: {
name: "openid_connect_aad",
strategy_class: "OmniAuth::Strategies::OpenIDConnect",
scope: ["openid","profile","email"],
response_type: "code",
issuer: "https://login.microsoftonline.com/*****************************************/v2.0",
client_auth_method: "query",
client_options: {
identifier: "*****************************************",
secret: "*****************************************",
authorization_endpoint: "https://login.microsoftonline.com/common/oauth2/v2.0/authorize",
token_endpoint: "https://login.microsoftonline.com/common/oauth2/v2.0/token",
userinfo_endpoint: "https://graph.microsoft.com/oidc/userinfo",
jwks_uri: "https://login.microsoftonline.com/common/discovery/v2.0/keys",
end_session_endpoint: "https://login.microsoftonline.com/common/oauth2/v2.0/logout",
redirect_uri: "https://example.com/users/auth/openid_connect_aad/callback"
}
}
}I tested |
|
Thanks for clarifying and for your time on this! I can confirm, this configuration works as expected. So maybe a thing for the docs. Happy coding! |
|
Unfortunately, it does still not work for me. It works fine as long as the user that logs in belongs to the same tenant that has been specified as @bufferoverflow, @FLX-0x00 Have both of you also tried to log in with a user from a different tenant successfully? |
|
@felixstorm I just had a personal account and one from the tenant to test. Could you maybe share the id_token received for both use-cases? Maybe we must tweak https://github.com/omniauth/omniauth_openid_connect/blob/master/lib/omniauth/strategies/openid_connect.rb#L470 as we do within #179 |
|
Thanks for reopening! I will try to provide both tokens over the weekend - do you need the full signed token in base64 format or would the JSON content be sufficient? |
|
@felixstorm maybe add a |
|
@bufferoverflow Here we go - a user from the same tenant that the application has been registered in: And now another user from a different tenant: My config was identical to the one you posted here apart from the callback uri, i.e. the issuer in the config is P.S.: |
|
@felixstorm thanks for the details! Could you please set the new option |
|
There is an issuer check: https://github.com/nov/openid_connect/blob/main/lib/openid_connect/response_object/id_token.rb#L26 so either pass the issuer we received to ignore it or add a list of valid issuers as config options should do the trick |
Just commenting out that line made it work (I did not have to update the gem and/or set the |
|
see also nov/openid_connect#95 |
I recommend to set Regarding
|
This is especially useful when using Microsoft Entra ID common endpoint, as the issuer could be from another tenant. When using this parameter it is recommended to set the audience as this stays the same even if the issuer is from another tenant. Related omniauth/omniauth_openid_connect#166 Closes nov#95
This is especially useful when using Microsoft Entra ID common endpoint, as the issuer could be from another tenant. When using this parameter it is recommended to set the audience as this stays the same even if the issuer is from another tenant. Related omniauth/omniauth_openid_connect#166 Closes nov#95
Hey community / maintainers - Want to reach you out because I want to implement Microsoft Entra with OpenID Connect into my Rails App using the gem omniauth_openid_connect with rodauth-omniauth.
I have come up with the following config
The authentication works until the callback phase:
The corresponding code is in
vendor/bundle/ruby/3.2.0/gems/openid_connect-2.2.0/lib/openid_connect/response_object/id_token.rb#L26After debugging I noticed that the issuer that is expected changes if another account (of another org for example) logs into (this should be the
tenantid. The Microsoft documentation https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration says, that the issuer is determined by thetenantidof the users account. This is where I hopefully overthinked or overlooked something. How can I get a dynamic issuer value to my provider config? Hope anyone can understand the current issue.Cheers!
The text was updated successfully, but these errors were encountered: