I get "Invalid issuer" error with pow assent and azure authentication

Managed to get the user selection with Azure and then I get

RuntimeError POST /auth/azure/callback

Invalid issuer "https://login.microsoftonline.com/27… in ID Token

Which step of configuration am I missing?

providers: [
azure: [
client_id: “…”,
client_secret: “…”,
nonce: true,
#redirect_uri:https://localhost:4006/auth/microsoft/callback”,
strategy: Assent.Strategy.AzureAD
]

This is an error in the OpenID validation, which means that the claims that was received doesn’t have the same issuer as the one fetched from the :openid_configuration_uri path. For Azure this URL would be:

https://login.microsoftonline.com/{tenant}/v2.0/.well-known/openid-configuration

I would check the :tenant_id setting: https://hexdocs.pm/assent/0.1.8/Assent.Strategy.AzureAD.html#module-usage

It defaults to common when not set.

Yes with tenant configured it works, but I wanted to use it on multitenant.

It’s described here: https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-convert-app-to-be-multi-tenant#update-your-code-to-handle-multiple-issuer-values

In short, you have to enable multi-tenancy in your app on Azure, and then update the application code to handle the issuer right:

Therefore, a multi-tenant application can’t validate tokens just by matching the issuer value in the metadata with the issuer value in the token. A multi-tenant application needs logic to decide which issuer values are valid and which are not based on the tenant ID portion of the issuer value.

I’m not sure. It feels like this might go against the OpenID specs. I think you might have to hack this.

One way is to pass in :openid_configuration config option in the callback call where the issuer is dynamically set. We should probably discuss this in an issue at https://github.com/pow-auth/assent

I posted an issue on github. And yes, I have it enabled on Azure. (it works with ueberauth).

Hmm, that lib is using oauth2, instead of OIDC and doesn’t seem like it does any validation of the token. I feel OIDC is the safer choice. I’ll go over this tomorrow, thanks for opening the issue!