Change validation of OIDC token issuer to support parameterized queries #818
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
On a side note, I also had to specify a different method for "OpenID Connect validation configuration type". The default ".well-known/openid-configuration_url" option would result in a failure as this method involves some comparison of the issuer again. I chose jwk_uri, but I suppose client_secret should be an equally viable alternative. Combining any of these with my patch, allowed me to use Entra ID's OIDC SSO in Multitenant mode. |
sp193
force-pushed
the
oidc-iss-wildcards
branch
from
51d9f23 to
b0232ca
Compare
…es. To support IDP like Entra ID in Multitenant mode, whereby the iss may vary.
sp193
force-pushed
the
oidc-iss-wildcards
branch
from
b0232ca to
14843ed
Compare
maximthomas
approved these changes
Dec 5, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
The existing OIDC SSO support works okay, but it is incompatible with Entra ID's Multitenant mode. This is the same problem as KeyCloak's keycloak/keycloak#28662
As documented by Microsoft, the iss (issuer) field will contain the real tenant ID, while the issuer indicated in the .well-known document looks like this:
However! The iss claim of the JWK will appear like this:
So if we simply entered the generic issuer value into AM for validating the JWK issuer, it'll result in a failure as the existing check just does a string comparison. However, we are required by the OIDC specification to validate the issuer.
My suggestion to increase flexibility in this area, is to allow the issuer field to contain references to values within the claims. For example, entering this:
...will result in AM replacing {tid} with the tid (tenant ID) claim's value during the validation step:
Frankly, I do not know what Forgerock has done about this limitation, in recent AM versions. But I hope this modification would be acceptable as the OIDC specification specifies:
...and Microsoft says: