
Workarounds for Microsoft Entra non-compliance to the OIDC spec

mpauly-exnaton opened this issue · 3 comments

Preflight checklist

Ory Network Project

No response

Describe your problem

Unfortunately, Microsoft Entra has quite a few edges that render it non-compliant with the OIDC spec, as documented e.g. in this issue.

In most cases that I have read about so far, this manifests in a mismatch between discovery/JWKS URL and issuer URL.
We are also encountering such a case at the moment, where we need to use the discovery URL https://login.microsoftonline.com/<TENANTID>/v2.0/.well-known/openid-configuration?appid=<APPID>. This endpoint leaves all URLs but the JWKS URL untouched and has an issuer https://login.microsoftonline.com/<TENANTID>/v2.0/ (no query param). For the JWKS URL it attaches the app ID, such that the resulting JWKS URL reads https://login.microsoftonline.com/<TENANTID>/discovery/v2.0/keys?appid=<APPID>. Only the URL with the appid query param will return the correct keys.

Unfortunately, this quirk of the Microsoft implementation has so far prevented us from configuring a working flow in Ory Kratos. While this clearly is less than ideal on Microsoft's side, it would be great if we could find a workaround to make the login work with Ory Kratos.

Describe your ideal solution

Looking at the source code I would see three possible implementations to get to a solution:

  1. skipping discovery, i.e. implementing a generic_manual provider that skips discovery altogether and just allows all the relevant URLs to be set manually. Using go-oidc's ProviderConfig this should be relatively straightforward, see this commit.
  2. adding a new generic provider that additionally allows setting a custom JWKS URL, similar to what is going on in the google provider.
  3. adding additional configuration variables to the microsoft provider that allow altering the discovered JWKS URL after discovery. However, I didn't find a way to do this nicely.

Additionally, one could decouple the issuer and the discovery URL, similar to what was discussed in this issue.

Workarounds or alternatives

As a workaround, I have manually patched the JWKS URL in a custom ory build. This works, but we'd like to find an upstream solution instead.

Version

1.2.0

Additional Context

No response
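The discovery quirk and the three proposed workarounds, modelled as an added Python example (this is not code from the issue, from Ory Kratos or from go-oidc). It replaces network fetches with constructed discovery documents and JWKS responses, uses placeholder tenant and app IDs in place of the issue's <TENANTID> and <APPID>, and performs the strict issuer comparison the way go-oidc's provider lookup does (the `kid` values and key sets are constructed):

```python
"""Model of the Entra discovery/JWKS quirk: constructed data, no network access."""
from typing import Optional
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Placeholder identifiers (constructed; the issue writes them as <TENANTID> and <APPID>).
TENANT_ID = "TENANTID-PLACEHOLDER"
APP_ID = "APPID-PLACEHOLDER"
BASE = f"https://login.microsoftonline.com/{TENANT_ID}"
ISSUER = f"{BASE}/v2.0/"  # trailing slash, as quoted in the issue; no query parameter

# Constructed stand-ins for the two discovery documents: the one fetched with
# ?appid= differs only in its jwks_uri, which gains the appid query parameter.
PLAIN_JWKS_URI = f"{BASE}/discovery/v2.0/keys"
APPID_JWKS_URI = f"{PLAIN_JWKS_URI}?appid={APP_ID}"
PLAIN_DISCOVERY_URL = f"{BASE}/v2.0/.well-known/openid-configuration"
APPID_DISCOVERY_URL = f"{PLAIN_DISCOVERY_URL}?appid={APP_ID}"
DISCOVERY_DOCS = {
    PLAIN_DISCOVERY_URL: {"issuer": ISSUER, "jwks_uri": PLAIN_JWKS_URI},
    APPID_DISCOVERY_URL: {"issuer": ISSUER, "jwks_uri": APPID_JWKS_URI},
}

# Constructed JWKS responses: only the appid-qualified endpoint serves the
# tenant's custom signing key, so a token signed with it cannot be verified
# against the plain key set.
JWKS_BY_URL = {
    PLAIN_JWKS_URI: {"keys": [{"kid": "shared-key", "kty": "RSA", "use": "sig"}]},
    APPID_JWKS_URI: {"keys": [{"kid": "custom-key", "kty": "RSA", "use": "sig"}]},
}
CUSTOM_TOKEN_KID = "custom-key"  # constructed kid carried in the tenant's ID token header


def discovery_url_from_issuer(issuer: str) -> str:
    """Spec behaviour: the discovery URL is the issuer plus /.well-known/openid-configuration.
    A query string on the configured issuer is not part of the path, so appid cannot be
    smuggled in this way."""
    parts = urlsplit(issuer)
    path = parts.path.rstrip("/") + "/.well-known/openid-configuration"
    return urlunsplit((parts.scheme, parts.netloc, path, "", ""))


def with_appid(jwks_uri: str, app_id: str) -> str:
    """Option 3 from the issue: rewrite a discovered JWKS URL to carry appid,
    preserving any query parameters that are already present."""
    parts = urlsplit(jwks_uri)
    query = parse_qsl(parts.query, keep_blank_values=True)
    query = [(k, v) for k, v in query if k != "appid"] + [("appid", app_id)]
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(query), parts.fragment))


def fetch_discovery(discovery_url: str) -> Optional[dict]:
    """Stand-in for the HTTP fetch; None models an unusable endpoint."""
    return DISCOVERY_DOCS.get(discovery_url)


def issuer_matches(configured_issuer: str, doc: dict) -> bool:
    """Strict check as go-oidc performs it: the document's issuer must equal the configured one."""
    return doc.get("issuer") == configured_issuer


def find_signing_key(jwks_uri: str, kid: str) -> Optional[dict]:
    """Select the key whose kid matches the token header; None means verification would fail."""
    keys = JWKS_BY_URL.get(jwks_uri, {"keys": []})["keys"]
    return next((k for k in keys if k.get("kid") == kid), None)


def resolve(configured_issuer: str, discovery_url: Optional[str] = None,
            jwks_uri_override: Optional[str] = None, kid: str = CUSTOM_TOKEN_KID) -> str:
    """Walk discovery -> issuer check -> key lookup and report where the flow ends.

    discovery_url      decouples the discovery URL from the issuer (the issue's last proposal).
    jwks_uri_override  stands in for a manually configured JWKS URL (options 1 and 2)."""
    doc = fetch_discovery(discovery_url or discovery_url_from_issuer(configured_issuer))
    if doc is None:
        return "discovery-failed"
    if not issuer_matches(configured_issuer, doc):
        return "issuer-mismatch"
    jwks_uri = jwks_uri_override or doc["jwks_uri"]
    return "key-found" if find_signing_key(jwks_uri, kid) else "kid-not-in-jwks"


if __name__ == "__main__":
    print("plain provider config:     ", resolve(ISSUER))
    print("appid on the issuer itself:", resolve(f"{ISSUER}?appid={APP_ID}"))
    print("decoupled discovery URL:   ", resolve(ISSUER, discovery_url=APPID_DISCOVERY_URL))
    print("manual JWKS URL override:  ", resolve(ISSUER, jwks_uri_override=APPID_JWKS_URI))
    print("rewritten JWKS URL:        ", resolve(ISSUER, jwks_uri_override=with_appid(PLAIN_JWKS_URI, APP_ID)))
```

The first two scenarios show the two ways a standard provider configuration fails: deriving the discovery URL from the issuer drops appid and yields a key set without the tenant's signing key, while putting appid on the issuer breaks the strict issuer comparison. The remaining three succeed because the issuer stays exactly as the document reports it and only the JWKS URL carries appid, which is what each of the proposed workarounds achieves.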

Can't you instead of using the generic provider use the provider of type microsoft?

We have successfully set up Entra ID as identity provider using that method 🤔

https://www.ory.sh/docs/kratos/social-signin/microsoft

Unfortunately that didn't work for us.

As far as I can tell the problems arise due to the relevant Entra account using a custom signing key for their tokens. As a result of this, the metadata URL/JWKS URL changes. In particular, you need to append the appid as a query parameter.

If you then try to use the generic or microsoft provider, neither works: they won't add the appid to the metadata/JWKS URL, and as a result try to verify the token with a wrong set of keys.

This is biting us as well.