FusionAuth / fusionauth-issues

FusionAuth issue submission project
https://fusionauth.io

Microsoft Login Linking Problem #2666

Open tboeker opened 8 months ago

tboeker commented 8 months ago

Microsoft Login Linking Problem

Description

The user should log in with Microsoft Azure Active Directory/Microsoft Entra ID, so I created an OpenID Identity Provider as described here: https://fusionauth.io/docs/lifecycle/authenticate-users/identity-providers/enterprise/azure-ad-oidc

Because the Azure AD application is a multi-tenant app, I use "common" as the TenantId. I'm using Azure AD v2.

Linking strategy:

The Microsoft access token or ID token does not contain any claim with the e-mail address. So I configured the Entra ID application under "Token Configuration" to add the "upn" claim (UserPrincipalName) to the access token and ID token.

That results in the following Identity Provider options:

We need the query parameter "prompt=select_account" on the authorize endpoint because after the FusionAuth logout the Microsoft session is still open and I cannot change the user.

Because of this custom parameter I cannot use the "Discover Endpoints" option and have to enter the endpoints by hand:

As the endpoints are entered explicitly, the ID token cannot be verified and is not used.

Here is the event log (OpenID Connect IdP Response Debug Log for...) entry:

3/1/2024 07:38:11 AM Z No JSON Web Keys are available to attempt to verify the [id_token].
3/1/2024 07:38:11 AM Z Attempt to verify the [id_token] using the client secret.
3/1/2024 07:38:11 AM Z Unable to verify the [id_token]. A JWT verifier was built using the [kid] value of [xxx] but the verifier cannot verify token signed using [RS256].
3/1/2024 07:38:11 AM Z Linking strategy [LinkByEmail]
3/1/2024 07:38:11 AM Z Resolved email to [null]

It seems that the email (custom upn claim) is resolved from the ID token, and this is not working anymore.

Possible solutions:

A: Create an Identity Provider option to enter the JWKS endpoint. For example: JWKS endpoint: https://login.microsoftonline.com/common/discovery/v2.0/keys

B: Create an Identity Provider option to enter optional authorization parameters. For example: Optional authorization parameters: prompt=select_account

FusionAuth should append these parameters to the authorization endpoint call. The result is: https://login.microsoftonline.com/common/oauth2/v2.0/authorize?prompt=select_account
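The "optional authorization parameters" idea in the comment above, as an added example that is not part of the issue and not FusionAuth's own code: operator-supplied parameters such as prompt=select_account are parsed from the form an admin would type, merged into the configured authorization endpoint without clobbering a query string that may already be on it, and refused when they would override a parameter the provider configuration owns (client_id, redirect_uri, state, nonce). The client id, redirect URI, state and nonce values are constructed for the demo.

```python
"""Added example (not FusionAuth code): merge operator-supplied optional parameters such as
prompt=select_account into the OIDC authorization request. Client id, redirect URI, state
and nonce below are assumptions for the demo."""
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Parameters the identity provider configuration owns. A free-form "optional parameters"
# field must not be able to replace them, otherwise a typo in the admin UI silently
# rewrites redirect_uri or state for every login.
PROTECTED = {"client_id", "redirect_uri", "response_type", "scope", "state", "nonce"}


def parse_optional_parameters(text: str) -> dict:
    """Parse the 'prompt=select_account&domain_hint=contoso.example' form an admin would type."""
    if not text.strip():
        return {}
    return dict(parse_qsl(text, keep_blank_values=True, strict_parsing=True))


def build_authorize_url(endpoint: str, client_id: str, redirect_uri: str, scope: str,
                        state: str, nonce: str, extra: dict = None) -> str:
    """Return the authorize URL: protocol parameters first, vetted extras merged after them."""
    parts = urlsplit(endpoint)
    # keep any query string the operator already put on the endpoint
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    for name in extra or {}:
        if name in PROTECTED:
            raise ValueError(f"optional parameter {name!r} would override a protocol parameter")
    params.update({"client_id": client_id, "redirect_uri": redirect_uri, "response_type": "code",
                   "scope": scope, "state": state, "nonce": nonce})
    params.update(extra or {})
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(params), parts.fragment))


def query_params(url: str) -> dict:
    """Decode the query of a built URL back into a dict (for inspection and tests)."""
    return dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))


def demo() -> str:
    extra = parse_optional_parameters("prompt=select_account")
    # client id, redirect URI, state and nonce are constructed values
    return build_authorize_url("https://login.microsoftonline.com/common/oauth2/v2.0/authorize",
                               "demo-client-id", "https://app.example/oauth2/callback",
                               "openid profile", "state-123", "nonce-456", extra)
```

The same merge applies whether the authorization endpoint was typed in by hand or came from the discovery document, which is what lets the "Discover Endpoints" option and custom parameters coexist.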


robotdan commented 8 months ago

Internal: If we can verify the id_token we can use it to extract claims, and it is available in the reconcile lambda function.

In 1.48.0 via https://github.com/FusionAuth/fusionauth-issues/issues/2501 we expanded our validation strategy to resolve the JWKS endpoint (when the issuer is specified in the config).

In this example, because it doesn't look to be possible to use discovery via the issuer, we are also skipping the JWKS resolution.

So we should probably just also allow the JWKS endpoint to be specified when the user does not specify the issuer and instead manually enters each endpoint. We should also review if we are discovering anything else from the .well-known/openid-configuration endpoint and if so - allow any additional item to be manually specified as well.
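The verification sequence in the debug log quoted in the issue (JWKS lookup by kid, fall back to a verifier built from the client secret, give up and resolve the email to null), as an added example that is not FusionAuth's code and not part of either comment. It is written against the standard library only, so the RS256 signing and verification, the JWKS document and the id_token are all produced locally: the RSA key is a deterministic toy built from two Mersenne primes, and the issuer, client id, client secret and claim values are constructed for the demo. The point it adds beyond the log is the security check a practitioner needs around option A: the algorithm is pinned to RS256 and the key is chosen by kid, so the token header can never pick the verifier (no alg=none, no HS256-with-public-key confusion), and a token is rejected on a bad signature or an iss/aud mismatch before any claim such as upn is trusted.

```python
"""Added example (not FusionAuth code): verify an RS256 id_token against a JWKS document, with the
client-secret fallback the debug log shows failing. Key, issuer, client id, secret and claims are
constructed so the script runs offline; none of them come from the issue."""
import base64
import hashlib
import hmac
import json

ISSUER = "https://issuer.example/v2.0"  # constructed stand-in for the real issuer value
CLIENT_ID = "demo-client-id"            # constructed
CLIENT_SECRET = "demo-client-secret"    # constructed
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")  # PKCS#1 v1.5 DigestInfo

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def toy_rsa_key() -> dict:
    """Deterministic demo key from two Mersenne primes (2^521-1, 2^607-1); never use this for real."""
    p, q, e = (1 << 521) - 1, (1 << 607) - 1, 65537
    return {"n": p * q, "e": e, "d": pow(e, -1, (p - 1) * (q - 1))}

def _emsa_pkcs1_v15(message: bytes, k: int) -> bytes:
    t = SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def rs256_sign(key: dict, message: bytes) -> bytes:
    k = (key["n"].bit_length() + 7) // 8
    return pow(int.from_bytes(_emsa_pkcs1_v15(message, k), "big"), key["d"], key["n"]).to_bytes(k, "big")

def rs256_verify(n: int, e: int, message: bytes, sig: bytes) -> bool:
    k = (n.bit_length() + 7) // 8
    if len(sig) != k:
        return False
    recovered = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    return hmac.compare_digest(recovered, _emsa_pkcs1_v15(message, k))

def jwk_from_key(key: dict, kid: str) -> dict:
    b64int = lambda v: b64url_encode(v.to_bytes((v.bit_length() + 7) // 8, "big"))
    return {"kty": "RSA", "use": "sig", "alg": "RS256", "kid": kid, "n": b64int(key["n"]), "e": b64int(key["e"])}

def issue_id_token(key: dict, kid: str, claims: dict) -> str:
    enc = lambda obj: b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = enc({"alg": "RS256", "typ": "JWT", "kid": kid}) + "." + enc(claims)
    return signing_input + "." + b64url_encode(rs256_sign(key, signing_input.encode("ascii")))

def verify_with_jwks(token: str, jwks: dict, issuer: str, audience: str) -> dict:
    """Pin alg to RS256 and select the key by kid; the token header must never choose the verifier."""
    h64, p64, s64 = token.split(".")
    header = json.loads(b64url_decode(h64))
    if header.get("alg") != "RS256":
        raise ValueError(f"Refusing [alg] value [{header.get('alg')}]; only RS256 is accepted")
    keys = [k for k in jwks.get("keys", []) if k.get("kty") == "RSA" and k.get("kid") == header.get("kid")]
    if not keys:
        raise ValueError("No JSON Web Keys are available to attempt to verify the [id_token]")
    n = int.from_bytes(b64url_decode(keys[0]["n"]), "big")
    e = int.from_bytes(b64url_decode(keys[0]["e"]), "big")
    if not rs256_verify(n, e, f"{h64}.{p64}".encode("ascii"), b64url_decode(s64)):
        raise ValueError("Unable to verify the [id_token]: bad signature")
    claims = json.loads(b64url_decode(p64))
    if claims.get("iss") != issuer or claims.get("aud") != audience:
        raise ValueError("Unable to verify the [id_token]: iss/aud mismatch")
    return claims

def verify_with_client_secret(token: str, client_secret: str) -> dict:
    """The fallback in the log: a verifier built from the client secret can only check HS256."""
    h64, p64, s64 = token.split(".")
    alg = json.loads(b64url_decode(h64)).get("alg")
    if alg != "HS256":
        raise ValueError(f"A JWT verifier built from the client secret cannot verify a token signed using [{alg}]")
    mac = hmac.new(client_secret.encode(), f"{h64}.{p64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(mac, b64url_decode(s64)):
        raise ValueError("Unable to verify the [id_token]: bad HMAC")
    return json.loads(b64url_decode(p64))

def link_by_email(token: str, jwks: dict, client_secret: str, issuer: str, audience: str) -> tuple:
    """Same order as the debug log: JWKS, then client secret, otherwise the email resolves to null."""
    log, claims = [], None
    for attempt in (lambda: verify_with_jwks(token, jwks, issuer, audience),
                    lambda: verify_with_client_secret(token, client_secret)):
        try:
            claims = attempt()
            break
        except ValueError as exc:
            log.append(str(exc))
    email = (claims.get("email") or claims.get("upn")) if claims else None  # standard claim, then the added upn
    log.append(f"Resolved email to [{email}]")
    return email, log

def demo() -> dict:
    key, kid = toy_rsa_key(), "demo-kid"
    jwks = {"keys": [jwk_from_key(key, kid)]}  # what the JWKS endpoint would serve
    token = issue_id_token(key, kid, {"iss": ISSUER, "aud": CLIENT_ID, "sub": "42", "upn": "alice@contoso.example"})
    with_jwks, _ = link_by_email(token, jwks, CLIENT_SECRET, ISSUER, CLIENT_ID)
    without_jwks, log = link_by_email(token, {"keys": []}, CLIENT_SECRET, ISSUER, CLIENT_ID)
    return {"with_jwks": with_jwks, "without_jwks": without_jwks, "log": log}
```

Running demo() reproduces the two outcomes side by side: with the JWKS available the upn claim links the user, and with no JWKS the client-secret verifier refuses the RS256 token and the email resolves to null, exactly the sequence in the quoted log. In a real deployment the JWKS is fetched from the configured endpoint and cached by kid, and the key lookup must also be repeated on a kid miss so key rotation does not break logins.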