lua-resty-openidc
lua-resty-openidc copied to clipboard
Published
20 hours ago •
zmartzone
zmartzone
Multi-tenant "issuer in id_token is not equal to the issuer from the discovery document"
I have lua-resty-openidc configured and working fine with the config:
local opts = {
redirect_uri_path = "http://localhost/return",
discovery = "https://login.microsoftonline.com/aaa/v2.0/.well-known/openid-configuration",
client_id = "xxx",
client_secret = "yyy",
scope = "openid",
}
res, err = require("resty.openidc").authenticate(opts)
But my Azure application is configured for multi-tenant authentication. When I try using the multi-tenant organizations discovery URL like:
local opts = {
redirect_uri_path = "http://localhost/return",
discovery = "https://login.microsoftonline.com/organizations/v2.0/.well-known/openid-configuration",
client_id = "xxx",
client_secret = "yyy",
scope = "openid",
}
res, err = require("resty.openidc").authenticate(opts)
I get an error message: issuer in id_token is not equal to the issuer from the discovery document
I can work around this by patching openidc.lua- changing:
-- check issuer
if opts.discovery.issuer ~= id_token.iss then
log(ERROR, "issuer \"", id_token.iss, "\" in id_token is not equal to the issuer from the discovery document \"", opts.discovery.issuer, "\"")
return false
end
To:
-- check issuer
if opts.discovery.issuer ~= "https://login.microsoftonline.com/{tenantid}/v2.0" and opts.discovery.issuer ~= id_token.iss then
log(ERROR, "issuer \"", id_token.iss, "\" in id_token is not equal to the issuer from the discovery document \"", opts.discovery.issuer, "\"")
return false
end
But I wonder if multi-tenant configuration is supported and/or if there's a better way?
If this solution is good then shall I raise a pull request?
Thanks
