
Problem using microsoft oauth2 as provider because of dynamic issuer

Open FLX-0x00 opened this issue 1 year ago • 22 comments

Hey community / maintainers - I want to reach out to you because I want to implement Microsoft Entra with OpenID Connect in my Rails app using the gem omniauth_openid_connect with rodauth-omniauth.

I have come up with the following config

    omniauth_provider :openid_connect, {
      name: :microsoft,
      scope: [:openid, :email],
      issuer: 'https://login.microsoftonline.com/{tenantid}/v2.0', # not sure - this is my sticking point
      client_options: {
        host: 'login.microsoftonline.com',
        authorization_endpoint: 'https://login.microsoftonline.com/common/oauth2/v2.0/authorize',
        token_endpoint: 'https://login.microsoftonline.com/common/oauth2/v2.0/token',
        userinfo_endpoint: 'https://graph.microsoft.com/oidc/userinfo',
        jwks_uri: 'https://login.microsoftonline.com/common/discovery/v2.0/keys',
        end_session_endpoint: 'https://login.microsoftonline.com/common/oauth2/v2.0/logout',
        identifier: Rails.application.credentials[:identifier],
        secret: Rails.application.credentials[:oauth_secret],
        redirect_uri: Rails.application.config.microsoft_openid_connect_redirect_uri
      }
    }

The authentication works until the callback phase:

02:24:16 web.1  | E, [2023-11-29T02:24:16.168085 #271321] ERROR -- omniauth: (microsoft) Authentication failure! Invalid ID token: Issuer does not match: OpenIDConnect::ResponseObject::IdToken::InvalidIssuer, Invalid ID token: Issuer does not match

The corresponding code is in vendor/bundle/ruby/3.2.0/gems/openid_connect-2.2.0/lib/openid_connect/response_object/id_token.rb#L26

After debugging I noticed that the expected issuer changes if another account (of another org, for example) logs in; this should be the tenantid. The Microsoft documentation https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration says that the issuer is determined by the tenantid of the user's account. This is where I have hopefully overthought or overlooked something. How can I get a dynamic issuer value into my provider config? Hope someone can understand the current issue.

Cheers!

FLX-0x00 Nov 29 '23 01:11
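As an added illustration (not code from the gem or from the poster), this Ruby helper reproduces the issuer comparison that fails in the log above and shows how a tenant-aware version could pass while still restricting which tenants may sign in. It relies on the `tid` claim Microsoft v2.0 ID tokens carry; the token, tenant ids and helper names are constructed for the example.

```ruby
require 'json'
require 'base64'

# Issuer template Microsoft publishes for the multi-tenant ("common") authority.
MS_ISSUER_TEMPLATE = 'https://login.microsoftonline.com/{tenantid}/v2.0'.freeze

# Decodes a JWT payload WITHOUT checking the signature. The openid_connect gem
# verifies the signature against jwks_uri before it reaches the issuer check;
# this helper only reproduces that issuer check, so it must run after the
# signature has been verified.
def jwt_payload(id_token)
  segments = id_token.split('.')
  raise ArgumentError, 'malformed JWT' unless segments.length == 3
  JSON.parse(Base64.urlsafe_decode64(segments[1]))
end

# The issuer a Microsoft v2.0 ID token must carry: the template with
# {tenantid} replaced by the token's own `tid` claim.
def expected_issuer(payload)
  tid = payload['tid'].to_s
  raise ArgumentError, 'missing tid claim' if tid.empty?
  MS_ISSUER_TEMPLATE.sub('{tenantid}', tid)
end

# Accepts the token only if (1) `iss` equals the tenant-specific issuer
# derived from `tid` and (2) that tenant is one the application explicitly
# allows. Without (2), trusting any tenant-shaped issuer means any Microsoft
# account from any organisation can sign in through the "common" endpoint.
def valid_issuer?(id_token, allowed_tenants:)
  payload = jwt_payload(id_token)
  payload['iss'] == expected_issuer(payload) && allowed_tenants.include?(payload['tid'])
rescue ArgumentError, JSON::ParserError
  false
end

# Constructed, unsigned sample token for demonstration only (the signature
# segment is a placeholder; a real token would be signed by Microsoft).
def sample_id_token(claims)
  header = Base64.urlsafe_encode64({ alg: 'RS256', typ: 'JWT' }.to_json, padding: false)
  body = Base64.urlsafe_encode64(claims.to_json, padding: false)
  "#{header}.#{body}.placeholder-signature"
end

if __FILE__ == $PROGRAM_NAME
  tenant = '00000000-0000-0000-0000-000000000001' # constructed tenant id
  token = sample_id_token('iss' => "https://login.microsoftonline.com/#{tenant}/v2.0", 'tid' => tenant)
  puts valid_issuer?(token, allowed_tenants: [tenant])   # true
  puts valid_issuer?(token, allowed_tenants: ['other'])  # false
end
```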