From 270a439c01b0ea07f7e8205c4f83bfb5ef863b4c Mon Sep 17 00:00:00 2001
From: Georg von Kries <georg.von.kries@creativbox.net>
Date: Fri, 1 Dec 2023 14:09:57 +0100
Subject: [PATCH] Fixes Microsoft Entra ID authentication for multi-tenant app
 registrations by adding missing token validation.

Fixes #14802
---
 .../Configuration/OpenIdConnectOptionsConfiguration.cs         | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/OrchardCore.Modules/OrchardCore.Microsoft.Authentication/Configuration/OpenIdConnectOptionsConfiguration.cs b/src/OrchardCore.Modules/OrchardCore.Microsoft.Authentication/Configuration/OpenIdConnectOptionsConfiguration.cs
index 0d523f8fac98..38731df0a343 100644
--- a/src/OrchardCore.Modules/OrchardCore.Microsoft.Authentication/Configuration/OpenIdConnectOptionsConfiguration.cs
+++ b/src/OrchardCore.Modules/OrchardCore.Microsoft.Authentication/Configuration/OpenIdConnectOptionsConfiguration.cs
@@ -3,6 +3,7 @@
 using Microsoft.AspNetCore.Authentication.OpenIdConnect;
 using Microsoft.Extensions.Options;
 using Microsoft.Identity.Web;
+using Microsoft.IdentityModel.Validators;
 using OrchardCore.Microsoft.Authentication.Settings;
 using MicrosoftIdentityDefaults = Microsoft.Identity.Web.Constants;
 
@@ -38,7 +39,7 @@ public void Configure(string name, OpenIdConnectOptions options)
             options.SignInScheme = "Identity.External";
             options.UseTokenLifetime = true;
             options.SaveTokens = _azureADSettings.SaveTokens;
-
+            options.TokenValidationParameters.IssuerValidator = AadIssuerValidator.GetAadIssuerValidator(options.Authority, options.Backchannel).Validate;
         }
 
         public void Configure(OpenIdConnectOptions options) => Debug.Fail("This infrastructure method shouldn't be called.");