SecurityTokenInvalidIssuerException with OpenID Connect and the Azure AD "common" endpoint


When you use OpenID Connect against Azure AD’s “common” endpoint, configuring https://login.microsoftonline.com/common/v2.0 as the OpenIdConnectOptions.Authority value, the metadata document will provide an issuer value of https://login.microsoftonline.com/{tenantid}/v2.0. Note the “{tenantid}” placeholder.

Within an actual ID token, the issuer value no longer contains that placeholder, but the actual tenant ID determined by the user logging in (e.g., https://login.microsoftonline.com/9188040d-6c67-4c5b-b112-36a304b66dad/v2.0). This causes the issuer validation in Microsoft.IdentityModel.Tokens to fail.

I guess Azure AD decided to return an issuer with a non-standard (?) placeholder here, but shouldn’t the code in azure-activedirectory-identitymodel-extensions-for-dotnet be able to deal with such Azure AD specifics? If so, I’d consider this a bug.

Also, the exception message is “IDX10205: Issuer validation failed. Issuer: 'System.String'. Did not match: validationParameters.ValidIssuer: 'System.String' or validationParameters.ValidIssuers: 'System.String'.”, which is not at all helpful, but I’ll open a separate issue for this.

Issue Analytics

  • State: closed
  • Created: 2 years ago
  • Reactions: 1
  • Comments: 7

Top GitHub Comments

2 reactions
jennyf19 commented, Oct 22, 2021

This issue will be resolved when Microsoft.IdentityModel picks up the AadIssuerValidator from Microsoft.Identity.Web. We are in the process of moving it over now. It should be in the next IdentityModel release, hopefully.

0 reactions
fschmied commented, Nov 12, 2021

@jennyf19 Thanks for the pointer (and sorry for the delay). My point was that using the validator will not be possible using appsettings.json. So, if we want to support Azure AD multitenancy, we’ll have to adapt our application code.

Also thank you for the quick reaction!
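Until the AadIssuerValidator ships in IdentityModel, the adaptation in application code that the last comment refers to is a custom IssuerValidator on the OpenIdConnectOptions. The block below is an added example, not code from the issue or from the IdentityModel project: it substitutes the token's `tid` claim into the `{tenantid}` template that the common metadata document returns, and refuses tenants outside an allow-list instead of turning issuer validation off. The class name, the `AllowedTenants` allow-list (seeded with the tenant id quoted in the issue) and the `Apply` helper are assumptions for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Tokens.Jwt;
using System.Linq;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.IdentityModel.JsonWebTokens;
using Microsoft.IdentityModel.Tokens;

public static class TenantTemplateIssuerValidator
{
    // Assumed allow-list; empty means "any tenant whose tid fills the template" (configure in a real app).
    public static readonly HashSet<string> AllowedTenants = new(StringComparer.OrdinalIgnoreCase)
    {
        "9188040d-6c67-4c5b-b112-36a304b66dad", // the tenant id quoted in the issue text
    };

    // Pure check: issuer == template with "{tenantid}" replaced by tid; tid must be a GUID and allowed.
    public static bool IsValid(string issuer, string tid, IEnumerable<string> templates)
    {
        if (string.IsNullOrEmpty(issuer) || !Guid.TryParse(tid, out _)) return false;
        if (AllowedTenants.Count > 0 && !AllowedTenants.Contains(tid)) return false;
        return templates.Any(t =>
            string.Equals(t.Replace("{tenantid}", tid), issuer, StringComparison.Ordinal));
    }

    // Wires the check into the OIDC handler; the handler copies the raw metadata issuer into ValidIssuers.
    public static void Apply(OpenIdConnectOptions options)
    {
        options.Authority = "https://login.microsoftonline.com/common/v2.0";
        options.TokenValidationParameters.IssuerValidator = (issuer, token, parameters) =>
        {
            var templates = new List<string>();
            if (!string.IsNullOrEmpty(parameters.ValidIssuer)) templates.Add(parameters.ValidIssuer);
            if (parameters.ValidIssuers != null) templates.AddRange(parameters.ValidIssuers);
            string tid = token switch   // older handlers pass a JwtSecurityToken, newer ones a JsonWebToken
            {
                JwtSecurityToken jwt => jwt.Payload.TryGetValue("tid", out var v) ? v?.ToString() : null,
                JsonWebToken jwt2 => jwt2.TryGetPayloadValue<string>("tid", out var s) ? s : null,
                _ => null
            };
            if (IsValid(issuer, tid, templates)) return issuer;
            throw new SecurityTokenInvalidIssuerException(
                $"Issuer '{issuer}' does not match any configured issuer template for tenant '{tid}'.")
            { InvalidIssuer = issuer };
        };
    }
}
```

Register it with `.AddOpenIdConnect(TenantTemplateIssuerValidator.Apply)`; the exception message names the actual issuer and tenant, which addresses the unhelpful IDX10205 text the issue complains about.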
