panva / openid-client

OAuth 2 / OpenID Connect Client API for JavaScript Runtimes
MIT License

Tenant 'organizations' not found #175

Closed bcallaghan-fri closed 5 years ago

bcallaghan-fri commented 5 years ago

Describe the bug

Attempting to use the authority https://login.microsoftonline.com/organizations results in the following error.

OPError: invalid_tenant (AADSTS90002: Tenant 'organizations' not found. This may happen if there are no active subscriptions for the tenant. Check with your subscription administrator.
Trace ID: 300590d6-2a8e-4c83-9f3f-db557c283800
Correlation ID: a93061b7-384f-4bb9-ab75-78d12cb062ff
Timestamp: 2019-07-12 05:23:38Z)
    at processResponse (C:/Users/.../node_modules/openid-client/lib/helpers/process_response.js:39:13)
    at C:/Users/.../node_modules//openid-client/lib/issuer.js:241:20
    at async C:/Users/.../node_modules/p-some/index.js:82:19
    OPError: expected 200 OK, got: 404 Not Found
    at processResponse (C:/Users/.../node_modules/openid-client/lib/helpers/process_response.js:42:11)
    at C:/Users/.../node_modules/openid-client/lib/issuer.js:241:20
    at async C:/Users/.../node_modules/p-some/index.js:82:19

Changing the authority to https://login.microsoftonline.com/common fixes the issue. Both authorities work with MSAL.js.

To Reproduce

Issuer and Client configuration:

const { Issuer } = require('openid-client');

async function setup() {
    // Discovery against this authority fails with the error shown above.
    const issuer = await Issuer.discover('https://login.microsoftonline.com/organizations');
    const client = new issuer.Client({
        client_id: '<my-client-id>',
        redirect_uris: ['https://login.microsoftonline.com/common/oauth2/nativeclient']
    });
    return client;
}

Expected behaviour

The "organizations" tenant should be usable as documented at MSDN.

Environment:

panva commented 5 years ago

https://login.microsoftonline.com/organizations is 100% invalid and the error you're getting comes from Microsoft, echoed by this library.

https://login.microsoftonline.com/organizations/v2.0 works but will likely need a patch similar to the one for common so that the relaxed Azure AD multi-tenancy issuer validation applies to it as well.
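The issuer validation mentioned in the comment above, as an added example (not the thread's or openid-client's own code): OpenID Connect Discovery 1.0 (section 4.3) requires the `issuer` in the metadata document to equal the URL the document was fetched from, minus `/.well-known/openid-configuration`. Azure AD's multi-tenant v2.0 endpoints (common, organizations, consumers) instead publish the templated issuer `https://login.microsoftonline.com/{tenantid}/v2.0`, because the real tenant is only known once a token arrives in its `tid` claim. Relaxing the check at discovery time therefore means the check has to be redone for every token, against an allow-list of tenants; otherwise any Azure AD tenant's tokens would pass. The list of authorities the relaxation applies to, the `AAD_TEMPLATE` constant and all sample values below are assumptions constructed for this example.

```javascript
// Added example, not openid-client's implementation. Shows the strict OIDC Discovery
// issuer check, the narrow exception for Azure AD multi-tenant v2.0 authorities, and
// the per-token check that must replace it when the exception is taken.

const WELL_KNOWN = '/.well-known/openid-configuration';

// Assumption: the multi-tenant v2.0 authorities the relaxation is allowed for.
const AAD_MULTITENANT_AUTHORITIES = new Set([
  'https://login.microsoftonline.com/common/v2.0',
  'https://login.microsoftonline.com/organizations/v2.0',
  'https://login.microsoftonline.com/consumers/v2.0',
]);
// Templated issuer Azure AD publishes for those authorities.
const AAD_TEMPLATE = 'https://login.microsoftonline.com/{tenantid}/v2.0';

// Strict discovery check (issuer === discovery URL without the well-known suffix),
// relaxed only when the exact AAD template is served from an allowed authority.
function checkDiscoveredIssuer(discoveryUrl, metadata) {
  const expected = discoveryUrl.endsWith(WELL_KNOWN)
    ? discoveryUrl.slice(0, -WELL_KNOWN.length)
    : discoveryUrl;
  if (metadata.issuer === expected) {
    return { ok: true, multitenant: false };
  }
  if (metadata.issuer === AAD_TEMPLATE && AAD_MULTITENANT_AUTHORITIES.has(expected)) {
    return { ok: true, multitenant: true };
  }
  return { ok: false, reason: `issuer mismatch: expected ${expected}, got ${metadata.issuer}` };
}

// Per-token check for the relaxed case: the token's tid must be a tenant we trust,
// and iss must be the template instantiated with that exact tid.
function checkTokenIssuer(claims, allowedTenants) {
  const tid = claims.tid;
  if (typeof tid !== 'string' || !/^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$/i.test(tid)) {
    return { ok: false, reason: 'missing or malformed tid claim' };
  }
  if (!allowedTenants.has(tid.toLowerCase())) {
    return { ok: false, reason: `tenant ${tid} is not on the allow-list` };
  }
  const expected = AAD_TEMPLATE.replace('{tenantid}', tid);
  if (claims.iss !== expected) {
    return { ok: false, reason: `iss ${claims.iss} does not match tenant ${tid}` };
  }
  return { ok: true };
}

// Constructed sample data (not real tenants or tokens).
const ORG_DISCOVERY_URL = 'https://login.microsoftonline.com/organizations/v2.0' + WELL_KNOWN;
const ORG_METADATA = { issuer: AAD_TEMPLATE };
const OUR_TENANT = '11111111-2222-3333-4444-555555555555';
const OTHER_TENANT = '99999999-8888-7777-6666-555555555555';
const ALLOWED_TENANTS = new Set([OUR_TENANT]);
const GOOD_CLAIMS = { iss: AAD_TEMPLATE.replace('{tenantid}', OUR_TENANT), tid: OUR_TENANT };
const FOREIGN_CLAIMS = { iss: AAD_TEMPLATE.replace('{tenantid}', OTHER_TENANT), tid: OTHER_TENANT };
// iss and tid disagree: the issuer of one tenant with the tid of another.
const SPOOFED_CLAIMS = { iss: AAD_TEMPLATE.replace('{tenantid}', OTHER_TENANT), tid: OUR_TENANT };

function demo() {
  const discovery = checkDiscoveredIssuer(ORG_DISCOVERY_URL, ORG_METADATA);
  return {
    discovery,
    ourTenant: checkTokenIssuer(GOOD_CLAIMS, ALLOWED_TENANTS),
    foreignTenant: checkTokenIssuer(FOREIGN_CLAIMS, ALLOWED_TENANTS),
    spoofedTenant: checkTokenIssuer(SPOOFED_CLAIMS, ALLOWED_TENANTS),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The discovery URL without `/v2.0` never reaches the relaxed branch: it is not an allowed multi-tenant authority, so even if it returned a templated issuer the strict rule would reject it. In the relaxed branch the work shifts to `checkTokenIssuer`, which is where a multi-tenant deployment decides which tenants it actually accepts.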

panva commented 5 years ago

https://login.microsoftonline.com/common is also the old Azure issuer; you want to be using https://login.microsoftonline.com/common/v2.0.

bcallaghan-fri commented 5 years ago

Thanks for the fast response. Adding /v2.0 to the end of the authority fixed the problem.