Authentication of a multi-tenant Azure API

[lucasvandijck]

I am trying to authenticate my Django API using an access token from Azure. The problem is that my API is multi-tenant, and the provided example only works for single tenant applications. I used to following setting to fix this: AZURE_AD_TENANT_ID = "common"

The problem now is that my JWT token contains the issuer: https://login.microsoftonline.com/<tenant-id-here>/v2.0

However, the module checks this against the issuer: https://login.microsoftonline.com/{tenantid}/v2.0 ({tenantid} is not replaced by anything I think)

How should I fix this issue?

• Ignoring the issuer is unsafe I suppose
• Can I check against a known list of possible tenants
• Can I change the tenant id to check against with the tenant id of the loged in user (also unsafe I guess)?

Upvote & Fund

• We're using Polar.sh so you can upvote and help fund this issue.
• We receive the funding once the issue is completed & confirmed by you.
• Thank you in advance for helping prioritize & fund our backlog.

[JonasKs]

There's no true multi tenant support in this package, since it was written for ADFS back in the days.

You could override the validate access token function and use your own.
Allowing any tenant, you don't validate the issuer.
If you have a list of tenants to allow, you could provide a list iirc.

PR welcome.

You can see my multi tenant implementation (fastapi-azure-auth use Python-Jose and not pyjwt): https://github.com/Intility/fastapi-azure-auth/blob/main/fastapi_azure_auth/auth.py#L189

[lucasvandijck]

Seems logical, thank you for the help!