
oidcauthextension - do not verify issuer and issue_url match (follow up) #37794

Open
hwrdthdck opened this issue Feb 8, 2025 · 2 comments
Labels: enhancement (New feature or request), extension/oidcauth, needs triage (New item requiring triage)

Comments

@hwrdthdck

hwrdthdck commented Feb 8, 2025

Component(s)

extension/oidcauth

Is your feature request related to a problem? Please describe.

I work in environments where the issuer_url string does not match the issuer value in the well-known configuration file. The example below shows how the WebURL uses the FQDN but the issuer configured at the time uses the hostname. Currently, oidcauthextension requires both values to match in order to work. I am requesting that the dependency for both values to match be removed.

This IS NOT the same request as #36568

WebURL: https://myidentity.domain.com

```json
{
  "issuer": "myidentity",
  "jwks_uri": "https://myidentity.domain.com/api/jwks",
  "token_endpoint": "https://myidentity.domain.com/api/OAuth/Token",
  "grant_types_supported": [
    "client_credentials"
  ],
  "token_endpoint_auth_methods_supported": [
    "client_secret_basic",
    "client_secret_post"
  ],
  "id_token_signing_alg_values_supported": [
    "RS256"
  ]
}
```

Describe the solution you'd like

Add an exception to ignore whether or not issuer and issuer_url match.

An example would be:

```yaml
ignore_issuer_match: true
```

Describe alternatives you've considered

As shown in the Additional context field, allow verification to be based on the FQDN or hostname, removing the protocol (https://) from the verification.

Additional context

```text
Error: failed to start extensions: failed to get configuration from the auth server: oidc: issuer did not match the issuer returned by provider, expected "https://MySecurity" got "MySecurity"
```

@hwrdthdck hwrdthdck added enhancement New feature or request needs triage New item requiring triage labels Feb 8, 2025

github-actions bot commented Feb 8, 2025

Pinging code owners:

See Adding Labels via Comments if you do not have permissions to add labels yourself.

@szuler

szuler commented Feb 27, 2025

I would like to add one more thing to this issue.
We are using Microsoft Entra ID for authentication, where OpenID is supported, but we are using custom flows with policies, where our OpenID configuration is accessible at a different address than the one given in the issuer field.
Our OpenID configuration address follows this schema:
https://custom-domain-name/your-B2C-tenant-name.onmicrosoft.com/policy/v2.0/.well-known/openid-configuration
When we set issuer_url: https://custom-domain-name/your-B2C-tenant-name.onmicrosoft.com/policy/v2.0, we get the error "oidc: issuer did not match the issuer returned by provider", because the issuer is set to: https://custom-domain-name/your-B2C-tenant-name.onmicrosoft.com/v2.0
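Both reports above (the hostname-vs-FQDN issuer in the opening post and the Entra ID B2C policy path in the follow-up comment) are the same situation: the URL the metadata is fetched from is not the string the provider advertises as its issuer. The added example below is not code from the oidcauth extension or from the issue's authors; it is a stand-alone sketch, using only the Go standard library, of how a verifier can handle that case without turning the check off. The discovery document is a constructed sample trimmed from the one quoted in the issue, and the `issuerPolicy` field names (`DiscoveryURL`, `ExpectedIssuer`) are hypothetical, not the extension's configuration keys. The design point is that a separately configured, exact expected issuer still pins one accepted value and is reused for the token's `iss` claim, whereas an "ignore the mismatch" switch would accept whatever issuer the provider (or a look-alike endpoint) returns.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// discoveryDoc holds the fields of an OpenID Provider metadata document
// that the issuer check needs (the rest of the document is ignored here).
type discoveryDoc struct {
	Issuer  string `json:"issuer"`
	JWKSURI string `json:"jwks_uri"`
}

// Constructed sample, trimmed from the document quoted in the issue: the
// provider advertises a bare hostname as its issuer although it is served
// from a fully qualified URL.
const sampleDiscovery = `{
  "issuer": "myidentity",
  "jwks_uri": "https://myidentity.domain.com/api/jwks"
}`

// issuerPolicy models the operator's configuration (hypothetical field
// names, not the extension's own config keys).
type issuerPolicy struct {
	// DiscoveryURL is where the metadata was fetched from; it plays the role
	// of issuer_url and is the default value the issuer must equal.
	DiscoveryURL string
	// ExpectedIssuer, when set, is the exact issuer string the operator
	// expects the provider to advertise. It replaces DiscoveryURL in the
	// comparison but still pins a single accepted value, unlike a flag that
	// skips the check entirely.
	ExpectedIssuer string
}

// ErrIssuerMismatch mirrors the wording of the error quoted in the issue.
var ErrIssuerMismatch = errors.New("oidc: issuer did not match the issuer returned by provider")

// validateDiscovery parses the metadata and enforces the issuer check.
// OIDC issuer identifiers are compared as exact strings: no case folding,
// no scheme stripping, no prefix matching, because any relaxation lets a
// second tenant or a look-alike host pass as the configured provider.
func validateDiscovery(raw string, p issuerPolicy) (*discoveryDoc, error) {
	var doc discoveryDoc
	if err := json.Unmarshal([]byte(raw), &doc); err != nil {
		return nil, fmt.Errorf("parse discovery document: %w", err)
	}
	if doc.Issuer == "" {
		return nil, errors.New("discovery document has no issuer")
	}
	want := p.ExpectedIssuer
	if want == "" {
		want = p.DiscoveryURL
	}
	if doc.Issuer != want {
		return nil, fmt.Errorf("%w, expected %q got %q", ErrIssuerMismatch, want, doc.Issuer)
	}
	return &doc, nil
}

// checkTokenIssuer applies the same pinned value to a token's iss claim, so a
// token minted by a different issuer (another B2C policy, another tenant) is
// rejected even if it happens to be signed by a key the verifier trusts.
// claimsJSON is the decoded JWT payload; signature checking is out of scope here.
func checkTokenIssuer(doc *discoveryDoc, claimsJSON string) error {
	var claims struct {
		Iss string `json:"iss"`
	}
	if err := json.Unmarshal([]byte(claimsJSON), &claims); err != nil {
		return fmt.Errorf("parse claims: %w", err)
	}
	if claims.Iss != doc.Issuer {
		return fmt.Errorf("%w, expected %q got %q", ErrIssuerMismatch, doc.Issuer, claims.Iss)
	}
	return nil
}

func main() {
	strict := issuerPolicy{DiscoveryURL: "https://myidentity.domain.com"}
	if _, err := validateDiscovery(sampleDiscovery, strict); err != nil {
		fmt.Println("strict:", err) // reproduces the failure from the issue
	}
	pinned := issuerPolicy{DiscoveryURL: "https://myidentity.domain.com", ExpectedIssuer: "myidentity"}
	doc, err := validateDiscovery(sampleDiscovery, pinned)
	if err != nil {
		panic(err)
	}
	fmt.Println("pinned: accepted issuer", doc.Issuer, "keys at", doc.JWKSURI)
	// constructed foreign token payload: rejected because iss is not the pinned value
	fmt.Println("foreign token:", checkTokenIssuer(doc, `{"iss":"https://login.example/other-tenant","sub":"svc"}`))
}
```

Running it with the strict policy reproduces the error from the issue; with `ExpectedIssuer` set to the value the provider actually advertises, discovery succeeds and the JWKS URI from the document is still used, while a token whose `iss` is anything other than that pinned value is refused.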
