Support for domain_hint in upstream parameters for OIDC

[jonny-puma]

Preflight checklist

• [X] I could not find a solution in the existing issues, docs, nor discussions.
• [X] I agree to follow this project's Code of Conduct.
• [X] I have read and am following this repository's Contribution Guidelines.
• [X] I have joined the Ory Community Slack.
• [X] I am signed up to the Ory Security Patch Newsletter.

Ory Network Project

nostalgic-agnesi-otu9x8e3js

Describe your problem

When logging in with OIDC with Microsoft you can supply a query param called login_hint to select which Azure organization you are logging into. External B2B users in Azure only live in the organzation they are invited to. So if userB from companyB is a guest in companyA, domain_hint needs to be set to login_hint=companyA.com for userB's guest user to be found. This is especially important if the user is memeber of multiple organizations to make sure the correct one is used.

https://learn.microsoft.com/en-us/entra/identity-platform/v2-protocols-oidc

Describe your ideal solution

Add a field in upstream_parameters called domain_hint adding domain hint as a query parameter in the oidc login request.

Workarounds or alternatives

Add the azure organization as a generic oidc provider in ory. We do however prefer to keep all Microsoft OIDC customers in the Microsoft OIDC provider regardless of org. for simplicity.

Version

@ory/kratos-client: ^0.13.1

Additional Context

No response

[aeneasr]

Hi there, please use the newest version of @ory/client when working with Ory Network :) It should have the parameters you're missing!

[jonny-puma]

Already implemented, my bad

[jonny-puma]

I updated the client and tested again. hd, prompt, and login_hint is passed as query parameters, but not domain_hint. Docs does not list domain_hint as supported parameters. Is it maybe reserved because of the organization field in oidc credentials?