Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Multi-tenant Microsoft Entra ID authentication not working #14802

Closed
gvkries opened this issue Dec 1, 2023 · 1 comment · Fixed by #14803
Closed

Multi-tenant Microsoft Entra ID authentication not working #14802

gvkries opened this issue Dec 1, 2023 · 1 comment · Fixed by #14803
Labels
bug 🐛
Milestone
2.0

Comments

@gvkries
Copy link
Contributor

gvkries commented Dec 1, 2023
edited
Loading

Describe the bug

When using Microsoft Entra ID (AzureAD) authentication with multi-tenancy (i.e. no tenant ID is specified, "common" or "organizations" is used instead), token validation fails during login:

IDX10205: Issuer validation failed because the actual issuer didn't match the valid issuer(s). Issuer: 'System.String (value removed)'. Did not match: validationParameters.ValidIssuer: 'System.String (value removed)' or validationParameters.ValidIssuers: 'System.String (value removed)'

The Orchard documentation explicitly states multi-tenant accounts as supported.

To Reproduce

Steps to reproduce the behavior:

  1. Create an Azure App registration with Supported account types set to Accounts in any organizational directory.
  2. Configure Microsoft Entra ID authentication in Orchard with the application ID only. Set the tenant ID to common instead of the actual tenant.
  3. Try to login by using Microsoft Entra ID.

Expected behavior

Login should work out of the box.

This can easily be fixed by using the AadIssuerValidator that comes with Microsoft.Identity (see https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/wiki/ValidatingTokens#dx10205-issuer-validation-failed).

options.TokenValidationParameters.IssuerValidator = AadIssuerValidator.GetAadIssuerValidator(options.Authority, options.Backchannel).Validate;

Additionally, this would allow to use any other Microsoft accounts (e.g. personal Microsoft accounts, Skype, XBox).
@gvkries gvkries changed the title Multi-tenant Microsoft Entry ID authentication not working Multi-tenant Microsoft Entra ID authentication not working Dec 1, 2023
gvkries added a commit to gvkries/OrchardCore that referenced this issue Dec 1, 2023
@gvkries
Fixes Microsoft Entra ID authentication for multi-tenant app registra…
270a439 
…tions by adding missing token validation.

Fixes OrchardCMS#14802
@gvkries gvkries mentioned this issue Dec 1, 2023
Merged
@sebastienros sebastienros added this to the 1.x milestone Dec 14, 2023
@github-actions github-actions bot mentioned this issue Jan 11, 2024
Closed
@Piedone
Copy link
Member

Piedone commented Mar 22, 2024

Very nicely detailed but report!

gvkries added a commit to gvkries/OrchardCore that referenced this issue Apr 2, 2024
@gvkries
Fixes Microsoft Entra ID authentication for multi-tenant app registra…
3511f94 
…tions by adding missing token validation.

Fixes OrchardCMS#14802
gvkries added a commit to gvkries/OrchardCore that referenced this issue Apr 3, 2024
@gvkries
Fixes Microsoft Entra ID authentication for multi-tenant app registra…
eed022d 
…tions by adding missing token validation.

Fixes OrchardCMS#14802
@MikeAlhayek MikeAlhayek modified the milestones: 2.x, 2.0 Sep 7, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug 🐛
Projects
None yet
Milestone
2.0
Development

Successfully merging a pull request may close this issue.

Microsoft Entra ID authentication with multi-tenancy gvkries/OrchardCore
4 participants
@sebastienros @Piedone @gvkries @MikeAlhayek