GeneralMills/azure-ad-token-verify

Support for tokens issued by OIDC v2.0 of the Azure AD

Opened this issue · 2 comments

Azure AD supports two versions of OIDC. v2.0 has been available since 2019 and is, in general, recommended by MS. Both versions are still supported.
The problem is that this library only supports v1.0. I do not know all the details, but from a validation perspective, the only difference is where to get the well-known config.
For v1.0 it's https://login.microsoftonline.com/{{tenant}}/.well-known/openid-configuration
whereas for v2.0 it's https://login.microsoftonline.com/{{tenant}}/v2.0/.well-known/openid-configuration

It looks like the public certificates did not change, but there are differences in the issuers:

Hence, validation of the token would fail if the token is issued by the OIDC v2.0.

I've prepared the change if you are interested, but cannot push the branch.
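Added example (not code from the issue or from the azure-ad-token-verify project) showing the validation difference described above: each OIDC version has its own discovery URL and its own issuer format, so a verifier that only knows the v1.0 metadata rejects a v2.0 token on the `iss` check. The tenant id, the token and the metadata documents are constructed stand-ins; the issuer formats (`sts.windows.net/<tenant>/` for v1.0, `login.microsoftonline.com/<tenant>/v2.0` for v2.0) are Azure AD's documented ones, and signature verification against the JWKS is assumed to happen separately.

```python
import base64
import json

# Constructed tenant id for the demonstration (not a real tenant).
TENANT = "11111111-2222-3333-4444-555555555555"


def discovery_url(tenant: str, version: str) -> str:
    """Well-known endpoint for the given OIDC version ('v1.0' or 'v2.0')."""
    base = f"https://login.microsoftonline.com/{tenant}"
    if version == "v1.0":
        return f"{base}/.well-known/openid-configuration"
    if version == "v2.0":
        return f"{base}/v2.0/.well-known/openid-configuration"
    raise ValueError(f"unknown OIDC version: {version}")


# Constructed stand-ins for the two metadata documents (only the field used here).
# Note the issuer differs per version even though the signing keys are shared.
METADATA = {
    "v1.0": {"issuer": f"https://sts.windows.net/{TENANT}/"},
    "v2.0": {"issuer": f"https://login.microsoftonline.com/{TENANT}/v2.0"},
}


def unverified_claims(token: str) -> dict:
    """Decode the JWT payload WITHOUT checking the signature; used only to route discovery."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def version_for_token(token: str) -> str:
    """Pick the metadata document whose issuer matches the token's 'iss' claim.
    Only the two issuers of the configured tenant are accepted; anything else is rejected."""
    iss = unverified_claims(token).get("iss", "")
    for version, meta in METADATA.items():
        if iss == meta["issuer"]:
            return version
    raise ValueError(f"issuer not recognised for tenant {TENANT}: {iss!r}")


def check_issuer(token: str, version: str) -> bool:
    """Issuer check as a verifier pinned to one version would do it: exact match required."""
    return unverified_claims(token).get("iss") == METADATA[version]["issuer"]


def make_token(claims: dict) -> str:
    """Build a constructed, unsigned JWT (header.payload.) purely for the demonstration."""
    def enc(d: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}."
```

A v2.0 token fails `check_issuer(token, "v1.0")` exactly as the issue describes, while `version_for_token` selects the matching discovery document instead.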

Hi @miroag,

I'm experiencing the same problem you described regarding Azure AD's OIDC versions. Could you please share the solution you prepared? It would be really helpful.

Thanks in advance!

Hi @siunhanvjp,
In the end, I used another library that was better suited to my needs. Anyway, I found the code I did back then and opened the PR linked above.