New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
core/auth: update to recent go-oidc v3, allow oidc issuer URL override #212
core/auth: update to recent go-oidc v3, allow oidc issuer URL override #212
Conversation
According to the OpenID Connect specs, the /.well-known/openid-configuration should contain an `issuer` field that matches the URL used to fetch the configuration metadata: > The issuer value returned MUST be identical to the Issuer URL that was directly used to retrieve the configuration information. This MUST also be identical to the iss Claim value in ID Tokens issued from this Issuer. https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfig The OIDC solutions provided from Azure for example when using the Azure Active Directory B2C currently doesn't adhere to the OpenID Connect spec and returns a wrong issuer. Since that's something they won't fix that fast (or maybe not even at all) we should introduce a configuration to support overriding the issuer URL. MicrosoftDocs/azure-docs#38427 (comment)
Using the url with |
@bastianccm that's only possible when using Azure Active Directory (login.microsoftonline.com): when using Azure Active Directory B2C (TENANT-XYZ.b2clogin.com) that's still an issue. Example OpenID connect config for B2C containing the wrong issuer: {
- "issuer": "https://fabrikamb2c.b2clogin.com/775527ff-9a37-4307-8b3d-cc311f58d925/v2.0/",
+ "issuer": "https://fabrikamb2c.b2clogin.com/fabrikamb2c.onmicrosoft.com/b2c_1_sign_in/v2.0/",
"authorization_endpoint": "https://fabrikamb2c.b2clogin.com/fabrikamb2c.onmicrosoft.com/b2c_1_sign_in/oauth2/v2.0/authorize",
"token_endpoint": "https://fabrikamb2c.b2clogin.com/fabrikamb2c.onmicrosoft.com/b2c_1_sign_in/oauth2/v2.0/token",
"end_session_endpoint": "https://fabrikamb2c.b2clogin.com/fabrikamb2c.onmicrosoft.com/b2c_1_sign_in/oauth2/v2.0/logout"
} |
I see. Fine for me to merge (need's a rebase because I added a comment to StateEntry 🙄 sorry) |
yeah saw that GitHub did a merge commit. Will do a squash merge anyway so we'll still have a linear history 👌🏻 |
According to the OpenID Connect specs, the /.well-known/openid-configuration should contain an
issuer
field that matches the URL used to fetch the configuration metadata:https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfig
The OIDC solutions provided from Azure for example when using the Azure Active Directory B2C currently doesn't adhere to the OpenID Connect spec and returns a wrong issuer.
Since that's something they won't fix that fast (or maybe not even at all) we should introduce a configuration to support overriding the issuer URL.
MicrosoftDocs/azure-docs#38427 (comment)
Changes in go-oidc: coreos/go-oidc@v2.0.0...v3.1.0