OrchardCMS / OrchardCore

Orchard Core is an open-source modular and multi-tenant application framework built with ASP.NET Core, and a content management system (CMS) built on top of that framework.
https://orchardcore.net
BSD 3-Clause "New" or "Revised" License

Multi-tenant Microsoft Entra ID authentication not working #14802

Closed gvkries closed 5 months ago

gvkries commented 9 months ago

Describe the bug

When using Microsoft Entra ID (AzureAD) authentication with multi-tenancy (i.e. no tenant ID is specified, "common" or "organizations" is used instead), token validation fails during login:

IDX10205: Issuer validation failed because the actual issuer didn't match the valid issuer(s). Issuer: 'System.String (value removed)'. Did not match: validationParameters.ValidIssuer: 'System.String (value removed)' or validationParameters.ValidIssuers: 'System.String (value removed)'

The Orchard documentation explicitly states multi-tenant accounts as supported.

To Reproduce

Steps to reproduce the behavior:

  1. Create an Azure App registration with Supported account types set to Accounts in any organizational directory.
  2. Configure Microsoft Entra ID authentication in Orchard with the application ID only. Set the tenant ID to common instead of the actual tenant.
  3. Try to login by using Microsoft Entra ID.

Expected behavior

Login should work out of the box.

This can easily be fixed by using the AadIssuerValidator that comes with Microsoft.Identity (see https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/wiki/ValidatingTokens#dx10205-issuer-validation-failed).

options.TokenValidationParameters.IssuerValidator = AadIssuerValidator.GetAadIssuerValidator(options.Authority, options.Backchannel).Validate;

Additionally, this would allow to use any other Microsoft accounts (e.g. personal Microsoft accounts, Skype, XBox).
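As an added example (not code from this issue and not Orchard Core's own implementation), the snippet below shows the fix wired into a plain ASP.NET Core OpenID Connect registration, with the failing default beside the corrected setting. It assumes the Microsoft.IdentityModel.Validators package (namespace Microsoft.IdentityModel.Validators) for AadIssuerValidator, and it uses the single-argument GetAadIssuerValidator overload because OpenIdConnectOptions.Backchannel is only assigned during post-configuration and can still be null inside the configure delegate. The tenant ID and client ID are placeholders; the tid allowlist is an assumption added here because a "common"/"organizations" authority accepts sign-ins from every Entra tenant, so the application itself has to decide which tenants it trusts.

```csharp
// Added example, not Orchard Core code. Assumed packages:
// Microsoft.AspNetCore.Authentication.OpenIdConnect, Microsoft.IdentityModel.Validators.
using System;
using System.Collections.Generic;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Builder;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Validators;

var builder = WebApplication.CreateBuilder(args);

// Tenants allowed to sign in (placeholder value). With a multi-tenant authority the issuer
// check only proves the token came from *some* Entra tenant, not from one you trust.
var allowedTenantIds = new HashSet<string>(StringComparer.OrdinalIgnoreCase)
{
    "00000000-0000-0000-0000-000000000000", // placeholder tenant ID
};

builder.Services
    .AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
    .AddCookie()
    .AddOpenIdConnect(options =>
    {
        // Multi-tenant authority: no tenant ID, "organizations" (or "common") instead.
        options.Authority = "https://login.microsoftonline.com/organizations/v2.0";
        options.ClientId = "<application (client) id>"; // placeholder
        options.ResponseType = OpenIdConnectResponseType.Code;

        // Failing setting (the behaviour reported in this issue): the default issuer check
        // compares the token's "iss" claim, which contains the user's real tenant ID, with the
        // templated issuer from the "organizations" metadata document, so it never matches
        // and sign-in fails with IDX10205. Nothing needs to be set to get this behaviour:
        // options.TokenValidationParameters.ValidateIssuer = true; // default

        // Fix: AadIssuerValidator understands the Entra issuer templates and checks "iss"
        // against the tenant ID carried in the token itself.
        options.TokenValidationParameters.IssuerValidator =
            AadIssuerValidator.GetAadIssuerValidator(options.Authority).Validate;

        // Defence-in-depth for multi-tenant apps: reject tokens from tenants not on the list.
        options.Events = new OpenIdConnectEvents
        {
            OnTokenValidated = ctx =>
            {
                var tid = ctx.Principal?.FindFirst("tid")?.Value;
                if (tid is null || !allowedTenantIds.Contains(tid))
                {
                    ctx.Fail($"Tenant '{tid ?? "(none)"}' is not allowed to sign in.");
                }
                return Task.CompletedTask;
            },
        };
    });

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();
app.MapGet("/", () => "signed in").RequireAuthorization();
app.Run();
```

Audience validation stays at its default (the token's "aud" must equal ClientId), so the validator change only relaxes the issuer comparison, not which application the token was minted for. If personal Microsoft accounts are also to be accepted, the same validator handles their issuer; the tid allowlist is then the place to decide whether those accounts are wanted.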

Piedone commented 5 months ago

Very nicely detailed bug report!