Managed to get the user selection with Azure and then I get
RuntimeError POST /auth/azure/callback
Which step of configuration am I missing?
providers: [
azure: [
client_id: “…”,
client_secret: “…”,
nonce: true,
#redirect_uri: “https://localhost:4006/auth/microsoft/callback”,
strategy: Assent.Strategy.AzureAD
]
This is an error in the OpenID validation, which means that the claims that was received doesn’t have the same issuer as the one fetched from the :openid_configuration_uri path. For Azure this URL would be:
https://login.microsoftonline.com/{tenant}/v2.0/.well-known/openid-configuration
I would check the :tenant_id setting: Assent.Strategy.AzureAD — Assent v0.1.8
It defaults to common when not set.
Yes with tenant configured it works, but I wanted to use it on multitenant.
It’s described here: Convert single-tenant app to multitenant on Microsoft Entra ID - Microsoft identity platform | Microsoft Learn
In short, you have to enable multi-tenancy in your app on Azure, and then update the application code to handle the issuer right:
Therefore, a multi-tenant application can’t validate tokens just by matching the issuer value in the metadata with the
issuervalue in the token. A multi-tenant application needs logic to decide which issuer values are valid and which are not based on the tenant ID portion of the issuer value.
I’m not sure. It feels like this might go against the OpenID specs. I think you might have to hack this.
One way is to pass in :openid_configuration config option in the callback call where the issuer is dynamically set. We should probably discuss this in an issue at GitHub - pow-auth/assent: Multi-provider framework in Elixir
I posted an issue on github. And yes, I have it enabled on Azure. (it works with ueberauth).
Hmm, that lib is using oauth2, instead of OIDC and doesn’t seem like it does any validation of the token. I feel OIDC is the safer choice. I’ll go over this tomorrow, thanks for opening the issue!
© Copyright Elixir Forum | Terms | Privacy & Cookies
