Azure AD v2.0 support

[pborzenkov]

EDIT: sorry, filed it here instead of coreos/go-oidc by mistake

Azure AD v2.0 doesn't strictly follow OpenID connect spec and returns malformed issuer in '.well-known/openid-configuration' response:

$ http https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration | jq .issuer "https://login.microsoftonline.com/{tenantid}/v2.0"

As per the documentation, the following values are accepted as tenant id:

common - Users with both a personal Microsoft account and a work or school account from Azure Active Directory (Azure AD) can sign in to the application.

organizations - Only users with work or school accounts from Azure AD can sign in to the application.

consumers - Only users with a personal Microsoft account can sign in to the application.

8eaef023-2b34-4da1-9baa-8bc8c9d6a490 or contoso.onmicrosoft.com - Only users with a work or school account from a specific Azure AD tenant can sign in to the application. Either the friendly domain name of the Azure AD tenant or the tenant's GUID identifier can be used.

Obviously, the response from Azure AD doesn't follow the spec and Dex can't work with it.
But I'd very much like to workaround this. I've seen coreos/go-oidc#121 and I'm not sure that that was the correct way to handle it, as the GUID used there is for personal accounts only. We'd like to support both personal and business/school accounts as well.

Will you accept the patch that adds optional options to NewProvider (will not break API) to disable Issuer checking?

[pborzenkov]

Here is the full dump of openid-configuration endpoint:

$ http https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration
{
  "authorization_endpoint": "https://login.microsoftonline.com/common/oauth2/v2.0/authorize",
  "token_endpoint": "https://login.microsoftonline.com/common/oauth2/v2.0/token",
  "token_endpoint_auth_methods_supported": [
    "client_secret_post",
    "private_key_jwt"
  ],
  "jwks_uri": "https://login.microsoftonline.com/common/discovery/v2.0/keys",
  "response_modes_supported": [
    "query",
    "fragment",
    "form_post"
  ],
  "subject_types_supported": [
    "pairwise"
  ],
  "id_token_signing_alg_values_supported": [
    "RS256"
  ],
  "http_logout_supported": true,
  "frontchannel_logout_supported": true,
  "end_session_endpoint": "https://login.microsoftonline.com/common/oauth2/v2.0/logout",
  "response_types_supported": [
    "code",
    "id_token",
    "code id_token",
    "id_token token"
  ],
  "scopes_supported": [
    "openid",
    "profile",
    "email",
    "offline_access"
  ],
  "issuer": "https://login.microsoftonline.com/{tenantid}/v2.0",
  "claims_supported": [
    "sub",
    "iss",
    "cloud_instance_name",
    "cloud_instance_host_name",
    "cloud_graph_host_name",
    "msgraph_host",
    "aud",
    "exp",
    "iat",
    "auth_time",
    "acr",
    "nonce",
    "preferred_username",
    "name",
    "tid",
    "ver",
    "at_hash",
    "c_hash",
    "email"
  ],
  "request_uri_parameter_supported": false,
  "tenant_region_scope": null,
  "cloud_instance_name": "microsoftonline.com",
  "cloud_graph_host_name": "graph.windows.net",
  "msgraph_host": "graph.microsoft.com"
}

[pborzenkov]

And here is the issued token:

{
  "ver": "2.0",
  "iss": "https://login.microsoftonline.com/9188040d-6c67-4c5b-b112-36a304b66dad/v2.0",
  "sub": "AAAAAAAAAAAAAAAAAAAAAMOKG2Qk8HAcn6jSOi3FQig",
  "aud": "49ae99a8-9282-41e6-897b-30d36649027d",
  "exp": 1509389256,
  "iat": 1509302556,
  "nbf": 1509302556,
  "name": "Pavel Borzenkov",
  "preferred_username": "pavel.borzenkov",
  "oid": "00000000-0000-0000-2623-fd5b72ed4918",
  "email": "[email protected]",
  "tid": "9188040d-6c67-4c5b-b112-36a304b66dad",
  "aio": "DUYqxcyG3qZpoYXP6M01bMxY3T8VXgJIIJtXESIkIGd7zx*zMI8FImA3y8GtGM6nJXoRPPMPQdYCzUMWHwFE9nWy14*0Ya8h1h1iT741fwS9"
}

GUID for consumers tenant is used to issue the token when I signup with my personal email. I'll try it with my business account later.

[pborzenkov]

So looks like adding options disabling issuer check to NewProvider won't allow me to solve the issue...

[ericchiang]

Just use the URL with your tenant ID

https://login.microsoftonline.com/9188040d-6c67-4c5b-b112-36a304b66dad/v2.0

That URL should work fine. It even implements discovery:

$ curl https://login.microsoftonline.com/9188040d-6c67-4c5b-b112-36a304b66dad/v2.0/.well-known/openid-configuration
{"authorization_endpoint":"https://login.microsoftonline.com/9188040d-6c67-4c5b-b112-36a304b66dad/oauth2/v2.0/authorize","token_endpoint":"https://login.microsoftonline.com/9188040d-6c67-4c5b-b112-36a304b66dad/oauth2/v2.0/token","token_endpoint_auth_methods_supported":["client_secret_post","private_key_jwt"],"jwks_uri":"https://login.microsoftonline.com/9188040d-6c67-4c5b-b112-36a304b66dad/discovery/v2.0/keys","response_modes_supported":["query","fragment","form_post"],"subject_types_supported":["pairwise"],"id_token_signing_alg_values_supported":["RS256"],"http_logout_supported":true,"frontchannel_logout_supported":true,"end_session_endpoint":"https://login.microsoftonline.com/9188040d-6c67-4c5b-b112-36a304b66dad/oauth2/v2.0/logout","response_types_supported":["code","id_token","code id_token","id_token token"],"scopes_supported":["openid","profile","email","offline_access"],"issuer":"https://login.microsoftonline.com/9188040d-6c67-4c5b-b112-36a304b66dad/v2.0","claims_supported":["sub","iss","cloud_instance_name","cloud_instance_host_name","cloud_graph_host_name","msgraph_host","aud","exp","iat","auth_time","acr","nonce","preferred_username","name","tid","ver","at_hash","c_hash","email"],"request_uri_parameter_supported":false,"tenant_region_scope":null,"cloud_instance_name":"microsoftonline.com","cloud_graph_host_name":"graph.windows.net","msgraph_host":"graph.microsoft.com"}

That being said, I'm open to implementing a proper Azure AD 2.0 connector instead of only supporting it through the OpenID Connect connector. Particularly if we could get an implementation that deals with refresh tokens and groups.

[pborzenkov]

I'll check tomorrow whether this URL works with work account or not (if I'm interpreting the documentation correctly, it shouldn't). And if it does I'll stick to using this URL.
Will report back tomorrow.

[pborzenkov]

As I expected, this approach doesn't work with business accounts.

If I use /common/ tenant id I'm able to login using both my personal and business accounts, but issuers are different. When I logged in with my personal account I got 9188040d-6c67-4c5b-b112-36a304b66dad and when I logged in with my business account I got my company's tenant id.

If I use /9188040d-6c67-4c5b-b112-36a304b66dad/ as an issuer, I don't even have an option to login with my business account. Only personal accounts could be used.

So looks like Azure AD 2.0 doesn't really follow OpenID spec and to support it we either need to implement it as a separate connector or add exceptions for it to go-oidc (definitely not good).

[srenatus]

#1131 merged (👏) -- I suppose this can be closed? 🎉