access_token_issuer causing issue with on-premise adfs
While implementing on-premise ADFS connections using django-auth-adfs, we keep running into the issue that access tokens are marked as invalid because of an invalid issuer.
When checking multiple configurations of ADFS, this seems to be caused by django-auth-adfs checking the “access_token_issuer” when verifying the issuer, instead of the “issuer” field. While we were able to change the access_token_issuer on one occasion, we’re now running into an issue where changing the access_token_issuer on a different ADFS will break the ADFS server entirely.
As I’ve now encountered the issue on multiple occasions, and apparently other software packages don’t have any issues with this ADFS setup where the issuer and access_token_issuer differ, I was wondering if we could change the behavior of django-auth-adfs to always use the “issuer” for both ADFS and AzureAD?
I’ve noticed this commit is the root of the change: https://github.com/snok/django-auth-adfs/commit/e5478af474fa93ca686a94cc8682cfa5478f919a
It refers to a very old KB, “KB4038801” (September 2017; I hope there are no servers still running that version of Windows Server 2016).
I’m referring to the _load_openid_config method in config.py:
        self.authorization_endpoint = openid_cfg["authorization_endpoint"]
        self.token_endpoint = openid_cfg["token_endpoint"]
        self.end_session_endpoint = openid_cfg["end_session_endpoint"]
        if settings.TENANT_ID != 'adfs':
            self.issuer = openid_cfg["issuer"]
        else:
            # on-premise ADFS: the expected issuer is taken from
            # access_token_issuer instead of issuer
            self.issuer = openid_cfg["access_token_issuer"]
Your comment about 2 tokens triggered me, and I’ve found an issue on our side. We’ve somewhat extended django-auth-adfs to also use the id_token, because we require the additional information about the user only available in the id_token.
When checking the information about the id_token, it shows:
iss: https://<adfs-server>/adfs
instead of the value in access_token_issuer: https://<adfs-server>/adfs/services/trust
So the issue is that our extension is not properly comparing the issuer for the id_token, as we assume the issuer for the id_token and the access_token to be the same, which is not always the case when using ADFS.
I guess we’re going to have to find another way to handle our ADFS connections.
Thanks for your help and fast response, and sorry for wasting your time.
No worries, glad we sorted it out. The ID token will indeed have the issuer as iss, not access_token_issuer.
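The thread turns on one detail of on-premise ADFS: its OpenID configuration publishes two issuer values, and an access token carries access_token_issuer (…/adfs/services/trust) in its iss claim while an ID token carries issuer (…/adfs). The config-loading snippet quoted above picks one of them for the whole provider, which is exactly what broke the poster's id_token check. The example below is an added illustration, not code from django-auth-adfs or from the poster: it selects the expected issuer per token type and checks a token's iss claim against it. The hostname, the sample tokens and their claims are constructed; the fallback to issuer when access_token_issuer is absent (the Azure AD case, where only issuer is published) is an assumption of this example; and the payload decoding deliberately skips signature verification, which a real deployment must still perform before trusting any claim.

```python
import base64
import json

# Constructed sample of the fields an on-premise ADFS publishes at
# /adfs/.well-known/openid-configuration. The hostname is a placeholder.
ADFS_OPENID_CFG = {
    "issuer": "https://adfs.example.test/adfs",
    "access_token_issuer": "https://adfs.example.test/adfs/services/trust",
    "authorization_endpoint": "https://adfs.example.test/adfs/oauth2/authorize/",
    "token_endpoint": "https://adfs.example.test/adfs/oauth2/token/",
    "end_session_endpoint": "https://adfs.example.test/adfs/oauth2/logout",
}

# Constructed Azure AD style configuration: only "issuer" is published.
AAD_OPENID_CFG = {
    "issuer": "https://login.example.test/tenant-id/v2.0",
}


def expected_issuer(openid_cfg, token_type):
    """Return the value a token of the given type must carry in its iss claim.

    ADFS: access tokens use access_token_issuer, ID tokens use issuer.
    Falling back to issuer when access_token_issuer is absent (Azure AD)
    is an assumption of this example, not documented library behaviour.
    """
    if token_type == "access_token":
        return openid_cfg.get("access_token_issuer", openid_cfg["issuer"])
    if token_type == "id_token":
        return openid_cfg["issuer"]
    raise ValueError("unknown token type: %r" % token_type)


def _b64url_decode(segment):
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def unverified_claims(token):
    """Decode the payload of a compact JWT WITHOUT checking its signature.

    Used here only to read iss for the comparison; in production the
    signature must be verified before any claim is acted upon.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_b64url_decode(parts[1]))


def check_issuer(token, openid_cfg, token_type):
    """True if the token's iss matches the issuer expected for its type."""
    return unverified_claims(token).get("iss") == expected_issuer(openid_cfg, token_type)


def _make_unsigned_jwt(claims):
    """Build a compact JWT with an empty signature, for the constructed samples only."""
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).decode().rstrip("=")
    return "%s.%s." % (enc({"alg": "none", "typ": "JWT"}), enc(claims))


# Constructed tokens whose iss values mirror what the thread observed on ADFS.
SAMPLE_ACCESS_TOKEN = _make_unsigned_jwt(
    {"iss": ADFS_OPENID_CFG["access_token_issuer"], "aud": "urn:example:api"})
SAMPLE_ID_TOKEN = _make_unsigned_jwt(
    {"iss": ADFS_OPENID_CFG["issuer"], "aud": "urn:example:client"})

if __name__ == "__main__":
    # Correct pairing passes; checking the ID token against the single
    # access_token_issuer value (the poster's extension) fails.
    print(check_issuer(SAMPLE_ACCESS_TOKEN, ADFS_OPENID_CFG, "access_token"))
    print(check_issuer(SAMPLE_ID_TOKEN, ADFS_OPENID_CFG, "id_token"))
    print(check_issuer(SAMPLE_ID_TOKEN, ADFS_OPENID_CFG, "access_token"))
```

The point of keeping two expected values rather than one self.issuer is the mismatch the poster hit: with a single value taken from access_token_issuer, every ID token from an on-premise ADFS fails the issuer check, while with a single value taken from issuer, every access token would fail instead.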