From eed022d41d63ecac73a27c19cf3261278bd1d698 Mon Sep 17 00:00:00 2001
From: Georg von Kries
Date: Fri, 1 Dec 2023 14:09:57 +0100
Subject: [PATCH 1/6] Fixes Microsoft Entra ID authentication for multi-tenant app registrations by adding missing token validation. Fixes #14802
---
 .../Configuration/OpenIdConnectOptionsConfiguration.cs | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/OrchardCore.Modules/OrchardCore.Microsoft.Authentication/Configuration/OpenIdConnectOptionsConfiguration.cs b/src/OrchardCore.Modules/OrchardCore.Microsoft.Authentication/Configuration/OpenIdConnectOptionsConfiguration.cs
index 0d523f8fac9..38731df0a34 100644
--- a/src/OrchardCore.Modules/OrchardCore.Microsoft.Authentication/Configuration/OpenIdConnectOptionsConfiguration.cs
+++ b/src/OrchardCore.Modules/OrchardCore.Microsoft.Authentication/Configuration/OpenIdConnectOptionsConfiguration.cs
@@ -3,6 +3,7 @@
 using Microsoft.AspNetCore.Authentication.OpenIdConnect;
 using Microsoft.Extensions.Options;
 using Microsoft.Identity.Web;
+using Microsoft.IdentityModel.Validators;
 using OrchardCore.Microsoft.Authentication.Settings;
 using MicrosoftIdentityDefaults = Microsoft.Identity.Web.Constants;
 
@@ -38,7 +39,7 @@ public void Configure(string name, OpenIdConnectOptions options)
 options.SignInScheme = "Identity.External";
 options.UseTokenLifetime = true;
 options.SaveTokens = _azureADSettings.SaveTokens;
-
+ options.TokenValidationParameters.IssuerValidator = AadIssuerValidator.GetAadIssuerValidator(options.Authority, options.Backchannel).Validate;
 }
 
 public void Configure(OpenIdConnectOptions options) => Debug.Fail("This infrastructure method shouldn't be called.");
From 88d528fe60decabf47f2d1d988c1a44d13ce141c Mon Sep 17 00:00:00 2001
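Review bot: The `IssuerValidator` assigned in the second hunk delegates to `AadIssuerValidator`, which as far as I know checks the issuer against the token's own tenant (`tid`) claim rather than against an allow-list, so with `TenantId` set to `common` or `organizations` a token from any Entra tenant passes issuer validation; a deployment that should accept only specific tenants still has to restrict them (for instance via `TokenValidationParameters.ValidIssuers`, which I believe the validator honours with `{tenantid}` templating — worth confirming). `options.Backchannel` is normally populated by the OpenID Connect post-configure step, which runs after this `IConfigureNamedOptions.Configure`, so it may still be null at this point; please confirm `GetAadIssuerValidator` tolerates a null `HttpClient`, otherwise the assignment should move to an `IPostConfigureOptions<OpenIdConnectOptions>`. A short comment on the added line would help the next reader, e.g. `// Needed for multi-tenant authorities ('common'/'organizations'): the default issuer check cannot match the per-tenant issuer; this validator does not restrict which tenants may sign in.` The `Configure(string, OpenIdConnectOptions)` method begins outside the hunk.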
From: Georg von Kries
Date: Wed, 3 Apr 2024 09:50:15 +0200
Subject: [PATCH 2/6] Added documentation.
---
 .../MicrosoftEntraIDSettings.Edit.cshtml | 2 +-
 .../Microsoft.Authentication/README.md | 25 ++++++++++++++++---
 2 files changed, 22 insertions(+), 5 deletions(-)
diff --git a/src/OrchardCore.Modules/OrchardCore.Microsoft.Authentication/Views/MicrosoftEntraIDSettings.Edit.cshtml b/src/OrchardCore.Modules/OrchardCore.Microsoft.Authentication/Views/MicrosoftEntraIDSettings.Edit.cshtml
index 971b64c9629..576b84181c7 100644
--- a/src/OrchardCore.Modules/OrchardCore.Microsoft.Authentication/Views/MicrosoftEntraIDSettings.Edit.cshtml
+++ b/src/OrchardCore.Modules/OrchardCore.Microsoft.Authentication/Views/MicrosoftEntraIDSettings.Edit.cshtml
@@ -26,7 +26,7 @@
- @T["The Tenant (Directory) ID found on the Microsoft Entra ID App registration parameters."]
+ @T["The Tenant (Directory) ID found on the Microsoft Entra ID App registration parameters. For multitenant App registrations, use 'common' or 'organizations'."]
diff --git a/src/docs/reference/modules/Microsoft.Authentication/README.md b/src/docs/reference/modules/Microsoft.Authentication/README.md
index 03b1862199f..109de49d6a9 100644
--- a/src/docs/reference/modules/Microsoft.Authentication/README.md
+++ b/src/docs/reference/modules/Microsoft.Authentication/README.md
@@ -23,7 +23,7 @@ If no value is provided, setup Microsoft Account app to use the default path /si
 
 ## Microsoft Entra ID (Azure Active Directory)
 
-Authenticates users with their Microsoft Entra ID Account, like Microsoft work or school accounts. If the site allows to register new users, a local user is created and the Microsoft Entra ID account is linked. If a local user with the same email is found, then the external login is linked to that account, after authenticating.
+Authenticates users with their Microsoft Entra ID Account, including Microsoft work, school, and personal accounts (such as Skype, Xbox, Outlook.com). If the site allows to register new users, a local user is created and the Microsoft Entra ID account is linked. If a local user with the same email is found, then the external login is linked to that account, after authenticating.
 
 First, you need to create an Microsoft Entra ID app on the [Azure Portal](https://portal.azure.com) for your Microsoft Entra ID tenant.
 
@@ -31,11 +31,11 @@ First, you need to create an Microsoft Entra ID app on the [Azure Portal](https:
 2. Open "App registrations" and click "New registration" to start creating a new app registration.
 3. Use the following settings:
 - Name: We suggest the name of your web app, e.g. "My App". This is not the same display name that you need to specify for the login later and it doesn't need to match anything else.
- - Supported account types: The feature supports both single and multitenant Microsoft Entra ID, but not personal accounts.
+ - Supported account types: The feature supports both single and multitenant Microsoft Entra ID, including personal accounts.
 - Redirect URI: While supposedly optional, you have to specify one for the login flow to work with web apps. Add the URL that will handle Microsoft Entra ID login redirects; by default, this is `/signin-oidc` under your app's root URL, e.g. "" (upon login, users will be redirected to the page they visited previously, this isn't for that).
 4. Once the app is created, note the following details of it, as displayed in the Azure Portal, which will be necessary to configure in Orchard Core later:
 - Application (client) ID
- - Directory (tenant) ID
+ - Directory (tenant) ID (not required for multitenant usage)
 5. Configure the rest of the authentication settings of the app under its "Authentication" menu. There, under "Implicit grant and hybrid flows", enable both "Access tokens (used for implicit flows)" and "ID tokens (used for implicit and hybrid flows)". Without these, login will fail with errors.
 6. Configure the `email` claim under the "Token configuration" menu. Click "Add optional claim", as "Token type" select "ID", then select "email" and click "Add". Without this, Orchard can't match logins based on the user's email, and thus existing users won't be able to log in.
 
@@ -43,7 +43,7 @@ You are now ready to configure Microsoft Entra ID login in Orchard too. After en
 
 - Display Name: The text that will be displayed on the Orchard login screen. We recommend something like "My Company Microsoft account".
 - AppId: Use the above-mentioned "Application (client) ID" from the Azure Portal.
-- TenantId: Use the above-mentioned "Directory (tenant) ID" from the Azure Portal.
+- TenantId: Use the above-mentioned "Directory (tenant) ID" from the Azure Portal. For multitenant applications, use 'common' or 'organizations' as noted below.
 - CallbackPath: We recommend not changing this unless you want to handle the login callback from your custom code, or if the `/signin-oidc` path is used by something else. This is the path within the application's base path where the user-agent will be returned after login. The middleware will process this request when it arrives. If no value is provided, the default `/signin-oidc` is used, which requires no further setup. If you change this, you will also need to use it under "Redirect URIs" of the app in the Azure Portal.
 
 Now, the login screen will display a button for Microsoft Entra ID login:
@@ -52,6 +52,23 @@ Now, the login screen will display a button for Microsoft Entra ID login:
 
 Existing users who have the same e-mail address in Orchard and in Microsoft Entra ID will be able to log in and attach their two accounts. New users will be able to register if registration is otherwise enabled and set up, see below.
 
+### Multitenant App registrations
+
+This feature supports either single-tenant or multi-tenant app registrations. Be aware of the audiences allowed to authenticate.
+
+- Single-tenant apps are only available in the tenant they were registered in, also known as their home tenant.
+- Multi-tenant apps are available to users in both their home tenant and other tenants.
+
+When you register and configure an application, you can configure it to be single-tenant or multi-tenant by setting the audience and tenant ID as follows:
+
+| Audience | Single/multi-tenant | Tenant ID | Who can sign in |
+|----------|---------------------|-----------|-----------------|
+| Accounts in your directory only | Single tenant | Use the "Directory (tenant) ID" from the Azure Portal. | All user and guest accounts in your directory can authenticate. Use this option if your target audience is internal to your organization. |
+| Accounts in any Microsoft Entra directory | Multi-tenant | `organizations` | All users and guests with a work or school account from Microsoft can authenticate. This includes schools and businesses that use Microsoft 365. Use this option if your target audience is business or educational customers. |
+| Accounts in any Microsoft Entra directory and personal Microsoft accounts (such as Skype, Xbox, Outlook.com) | Multi-tenant | `common` | All users with a work or school, or personal Microsoft account can authenticate. It includes schools and businesses that use Microsoft 365 as well as personal accounts that are used to sign in to services like Xbox and Skype. Use this option to target the widest set of Microsoft accounts. |
+
+> When configuring your application for multitenancy, it's crucial to be aware of the security implications. Allowing users from any Microsoft Entra directory and personal Microsoft accounts to authenticate can significantly broaden the potential user base.
+
 ### Recipe Step
 
 The Microsoft Entra ID can be set during recipes using the settings step. Here is a sample step:
From 336235848fa4b282e6f768b0eabee38c613e2384 Mon Sep 17 00:00:00 2001
From: Georg von Kries
Date: Wed, 3 Apr 2024 15:59:05 +0200
Subject: [PATCH 3/6] Update src/docs/reference/modules/Microsoft.Authentication/README.md
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Co-authored-by: Zoltán Lehóczky
---
 src/docs/reference/modules/Microsoft.Authentication/README.md | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/docs/reference/modules/Microsoft.Authentication/README.md b/src/docs/reference/modules/Microsoft.Authentication/README.md
index 109de49d6a9..9a5c3ede810 100644
--- a/src/docs/reference/modules/Microsoft.Authentication/README.md
+++ b/src/docs/reference/modules/Microsoft.Authentication/README.md
@@ -67,7 +67,8 @@ When you register and configure an application, you can configure it to be singl
 | Accounts in any Microsoft Entra directory | Multi-tenant | `organizations` | All users and guests with a work or school account from Microsoft can authenticate. This includes schools and businesses that use Microsoft 365. Use this option if your target audience is business or educational customers. |
 | Accounts in any Microsoft Entra directory and personal Microsoft accounts (such as Skype, Xbox, Outlook.com) | Multi-tenant | `common` | All users with a work or school, or personal Microsoft account can authenticate. It includes schools and businesses that use Microsoft 365 as well as personal accounts that are used to sign in to services like Xbox and Skype. Use this option to target the widest set of Microsoft accounts. |
 
-> When configuring your application for multitenancy, it's crucial to be aware of the security implications. Allowing users from any Microsoft Entra directory and personal Microsoft accounts to authenticate can significantly broaden the potential user base.
+!!! warning
+ When configuring your application for multitenancy, it's crucial to be aware of the security implications. Allowing users from any Microsoft Entra directory and personal Microsoft accounts to authenticate can significantly broaden the potential user base.
 
 ### Recipe Step
 
From de8707bf453c99f51eca3f5d0e53ab04937295e3 Mon Sep 17 00:00:00 2001
From: Georg von Kries
Date: Wed, 3 Apr 2024 17:19:49 +0200
Subject: [PATCH 4/6] Apply suggestions from code review
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Co-authored-by: Zoltán Lehóczky
---
 .../Views/MicrosoftEntraIDSettings.Edit.cshtml | 2 +-
 .../reference/modules/Microsoft.Authentication/README.md | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/src/OrchardCore.Modules/OrchardCore.Microsoft.Authentication/Views/MicrosoftEntraIDSettings.Edit.cshtml b/src/OrchardCore.Modules/OrchardCore.Microsoft.Authentication/Views/MicrosoftEntraIDSettings.Edit.cshtml
index 576b84181c7..b77eed3f542 100644
--- a/src/OrchardCore.Modules/OrchardCore.Microsoft.Authentication/Views/MicrosoftEntraIDSettings.Edit.cshtml
+++ b/src/OrchardCore.Modules/OrchardCore.Microsoft.Authentication/Views/MicrosoftEntraIDSettings.Edit.cshtml
@@ -26,7 +26,7 @@
- @T["The Tenant (Directory) ID found on the Microsoft Entra ID App registration parameters. For multitenant App registrations, use 'common' or 'organizations'."]
+ @T["The Tenant (Directory) ID found on the Microsoft Entra ID App registration parameters. For multi-tenant App registrations, use 'common' or 'organizations'."]
diff --git a/src/docs/reference/modules/Microsoft.Authentication/README.md b/src/docs/reference/modules/Microsoft.Authentication/README.md
index 9a5c3ede810..019ff89c5b8 100644
--- a/src/docs/reference/modules/Microsoft.Authentication/README.md
+++ b/src/docs/reference/modules/Microsoft.Authentication/README.md
@@ -43,7 +43,7 @@ You are now ready to configure Microsoft Entra ID login in Orchard too. After en
 
 - Display Name: The text that will be displayed on the Orchard login screen. We recommend something like "My Company Microsoft account".
 - AppId: Use the above-mentioned "Application (client) ID" from the Azure Portal.
-- TenantId: Use the above-mentioned "Directory (tenant) ID" from the Azure Portal. For multitenant applications, use 'common' or 'organizations' as noted below.
+- TenantId: Use the above-mentioned "Directory (tenant) ID" from the Azure Portal. For multi-tenant applications, use 'common' or 'organizations' as noted below.
 - CallbackPath: We recommend not changing this unless you want to handle the login callback from your custom code, or if the `/signin-oidc` path is used by something else. This is the path within the application's base path where the user-agent will be returned after login. The middleware will process this request when it arrives. If no value is provided, the default `/signin-oidc` is used, which requires no further setup. If you change this, you will also need to use it under "Redirect URIs" of the app in the Azure Portal.
 
 Now, the login screen will display a button for Microsoft Entra ID login:
@@ -52,7 +52,7 @@ Now, the login screen will display a button for Microsoft Entra ID login:
 
 Existing users who have the same e-mail address in Orchard and in Microsoft Entra ID will be able to log in and attach their two accounts. New users will be able to register if registration is otherwise enabled and set up, see below.
 
-### Multitenant App registrations
+### Multi-tenant App registrations
 
 This feature supports either single-tenant or multi-tenant app registrations. Be aware of the audiences allowed to authenticate.
 
@@ -63,7 +63,7 @@ When you register and configure an application, you can configure it to be singl
 
 | Audience | Single/multi-tenant | Tenant ID | Who can sign in |
 |----------|---------------------|-----------|-----------------|
-| Accounts in your directory only | Single tenant | Use the "Directory (tenant) ID" from the Azure Portal. | All user and guest accounts in your directory can authenticate. Use this option if your target audience is internal to your organization. |
+| Accounts in your directory only | Single tenant | Use the "Directory (tenant) ID" from the Azure Portal. | All user and guest accounts in your directory can authenticate. Use this option if your target audience is internal to your organization. |
 | Accounts in any Microsoft Entra directory | Multi-tenant | `organizations` | All users and guests with a work or school account from Microsoft can authenticate. This includes schools and businesses that use Microsoft 365. Use this option if your target audience is business or educational customers. |
 | Accounts in any Microsoft Entra directory and personal Microsoft accounts (such as Skype, Xbox, Outlook.com) | Multi-tenant | `common` | All users with a work or school, or personal Microsoft account can authenticate. It includes schools and businesses that use Microsoft 365 as well as personal accounts that are used to sign in to services like Xbox and Skype. Use this option to target the widest set of Microsoft accounts. |
 
From 042349552e6ed5db79919f2b2baca127164372a9 Mon Sep 17 00:00:00 2001
From: Georg von Kries
Date: Wed, 3 Apr 2024 17:28:56 +0200
Subject: [PATCH 5/6] Update README.md
---
 src/docs/reference/modules/Microsoft.Authentication/README.md | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/src/docs/reference/modules/Microsoft.Authentication/README.md b/src/docs/reference/modules/Microsoft.Authentication/README.md
index 019ff89c5b8..c4128c8d93a 100644
--- a/src/docs/reference/modules/Microsoft.Authentication/README.md
+++ b/src/docs/reference/modules/Microsoft.Authentication/README.md
@@ -8,6 +8,8 @@
 
 Authenticates users with their Microsoft Account. If the site allows to register new users, a local user is created and the Microsoft Account is linked. If a local user with the same email is found, then the external login is linked to that account, after authenticating.
 
+> Note: If you want to allow users to authenticate with their Microsoft account, but also with work or school accounts, use multi-tenant Entra ID authentication described below instead.
+
 You should create an app in the [Application Registration Portal](https://apps.dev.microsoft.com) and add the web platform.
 
 Give a name for your App, create a secret that you will use it as AppSecret in Orchard, and allow the implicit flow. The default callback at Orchard is [tenant]/signin-microsoft or can be set as needed.
@@ -25,6 +27,8 @@ If no value is provided, setup Microsoft Account app to use the default path /si
 
 Authenticates users with their Microsoft Entra ID Account, including Microsoft work, school, and personal accounts (such as Skype, Xbox, Outlook.com). If the site allows to register new users, a local user is created and the Microsoft Entra ID account is linked. If a local user with the same email is found, then the external login is linked to that account, after authenticating.
 
+> Note: If you only want to allow Microsoft Accounts, use the Microsoft Account feature described above.
+
 First, you need to create an Microsoft Entra ID app on the [Azure Portal](https://portal.azure.com) for your Microsoft Entra ID tenant.
 
 1. Go to the "Azure Active Directory" menu, which will open your organization's Active Directory settings.
From a4e866a3beea391b14a735d3f136d79c7764f0f9 Mon Sep 17 00:00:00 2001
From: Georg von Kries
Date: Wed, 3 Apr 2024 19:17:51 +0200
Subject: [PATCH 6/6] Update README.md
---
 .../reference/modules/Microsoft.Authentication/README.md | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/src/docs/reference/modules/Microsoft.Authentication/README.md b/src/docs/reference/modules/Microsoft.Authentication/README.md
index c4128c8d93a..7feeae4befd 100644
--- a/src/docs/reference/modules/Microsoft.Authentication/README.md
+++ b/src/docs/reference/modules/Microsoft.Authentication/README.md
@@ -8,7 +8,8 @@
 
 Authenticates users with their Microsoft Account. If the site allows to register new users, a local user is created and the Microsoft Account is linked. If a local user with the same email is found, then the external login is linked to that account, after authenticating.
 
-> Note: If you want to allow users to authenticate with their Microsoft account, but also with work or school accounts, use multi-tenant Entra ID authentication described below instead.
+!!! note
+ If you want to allow users to authenticate with their Microsoft account, but also with work or school accounts, use multi-tenant Entra ID authentication described below instead.
 
 You should create an app in the [Application Registration Portal](https://apps.dev.microsoft.com) and add the web platform.
 
@@ -27,7 +28,8 @@ If no value is provided, setup Microsoft Account app to use the default path /si
 
 Authenticates users with their Microsoft Entra ID Account, including Microsoft work, school, and personal accounts (such as Skype, Xbox, Outlook.com). If the site allows to register new users, a local user is created and the Microsoft Entra ID account is linked. If a local user with the same email is found, then the external login is linked to that account, after authenticating.
 
-> Note: If you only want to allow Microsoft Accounts, use the Microsoft Account feature described above.
+!!! note
+ If you only want to allow Microsoft Accounts, use the Microsoft Account feature described above.
 
 First, you need to create an Microsoft Entra ID app on the [Azure Portal](https://portal.azure.com) for your Microsoft Entra ID tenant.
 