swelham / ueberauth_microsoft

Microsoft Strategy for Überauth
MIT License

Client side callback validations #4

Open whossname opened 6 years ago

whossname commented 6 years ago

I have been implementing my own ueberauth strategy for Azure Active Directory and only noticed this one as it was nearing completion. I have had a quick look at your code and can't see the callback validations? I would expect there to at least be a check for the nonce. The openid specification expects validations for the following:

Are you using a protocol that doesn't need these validations? Or are the developers using this library expected to do these validations to allow for more flexibility?

swelham commented 5 years ago

Hi @whossname.

Can you provide a link to the docs regarding this please? I built this primarily for authenticating with the MS graph API and I'm a little out of touch with the Azure AD stuff.

p.s. sorry for the late response, somehow I completely missed your question.

whossname commented 5 years ago

Hey @swelham

So I'm mostly talking about the Azure Active Directory implementation of openid. It has been a while since I worked on this, but I am planning on doing some work for it over the weekend, so I will get back to you when I have a better understanding.

I think this is a good place to start for the Microsoft side of things: https://docs.microsoft.com/en-us/azure/active-directory/develop/v1-protocols-openid-connect-code

Then there is the validation piece that I am talking about: https://docs.microsoft.com/en-us/azure/active-directory/develop/id-tokens

Then the openid idtoken validation specification: https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation

As you can see in the last link the id_token should be validated for at least:

Additionally I think the following are a good idea:

My repo is here (still a work in progress): https://github.com/whossname/ueberauth_azure_ad

In this file: https://github.com/whossname/ueberauth_azure_ad/blob/master/lib/ueberauth/azure_ad/verify.ex

I verify the above, plus the c_hash.
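The checks whossname lists across this thread (iss, aud, exp/iat, nonce, the token signature, plus c_hash when the authorization code is returned together with the id_token) form one validation routine. The block below is an added example illustrating that routine; it is not code from ueberauth_microsoft or from whossname's ueberauth_azure_ad. To run offline it signs and verifies a constructed token with HS256 and a constructed shared secret; a real Azure AD id_token is RS256 and the signature must instead be verified against the key selected by the header's `kid` from the tenant's JWKS endpoint. The issuer, client_id, nonce and code values are placeholders. Everything else follows OpenID Connect Core 1.0 section 3.1.3.7 (ID token validation) and 3.3.2.11 (c_hash).

```python
"""Added example: OIDC id_token claim and signature validation.
Not code from ueberauth_microsoft or ueberauth_azure_ad.
HS256 with a constructed secret keeps the demo offline; Azure AD issues
RS256 tokens that must be checked against the tenant's JWKS."""
import base64
import hashlib
import hmac
import json
import time


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


def expected_c_hash(code: str, alg: str) -> str:
    """OIDC Core 3.3.2.11: base64url of the left-most half of hash(code), where the
    hash is the one named by the alg (HS256/RS256 -> SHA-256, RS384 -> SHA-384, ...)."""
    digest = hashlib.new("sha" + alg[2:], code.encode("ascii")).digest()
    return b64url_encode(digest[: len(digest) // 2])


def make_id_token(claims: dict, key: bytes) -> str:
    """Constructed HS256 token standing in for an IdP-issued id_token (Azure AD uses RS256)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def validate_id_token(token, *, key, issuer, client_id, nonce, code=None, now=None, leeway=60):
    """Return the claims if every check passes, otherwise raise ValueError naming the failure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed compact JWS")
    header_b64, payload_b64, sig_b64 = parts
    alg = json.loads(b64url_decode(header_b64)).get("alg")
    # 1. Pin the algorithm the client expects. Never let the token choose, never accept "none".
    if alg != "HS256":
        raise ValueError(f"unexpected alg {alg!r}")
    expected_sig = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, b64url_decode(sig_b64)):
        raise ValueError("signature check failed")
    claims = json.loads(b64url_decode(payload_b64))
    now = time.time() if now is None else now
    # 2. iss: exact match against the configured issuer (Azure AD issuers are tenant-specific).
    if claims.get("iss") != issuer:
        raise ValueError("iss mismatch")
    # 3. aud must name this client; with several audiences azp must also be this client.
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    if client_id not in auds:
        raise ValueError("aud does not contain client_id")
    if len(auds) > 1 and claims.get("azp") != client_id:
        raise ValueError("azp mismatch")
    # 4. Lifetime: exp is mandatory, nbf optional, iat must not lie in the future.
    if "exp" not in claims or now > claims["exp"] + leeway:
        raise ValueError("token expired")
    if "nbf" in claims and now < claims["nbf"] - leeway:
        raise ValueError("token not yet valid")
    if "iat" not in claims or claims["iat"] > now + leeway:
        raise ValueError("iat invalid")
    # 5. nonce: must equal the value stored in the session when the auth request was built.
    if not hmac.compare_digest(str(claims.get("nonce", "")).encode(), nonce.encode()):
        raise ValueError("nonce mismatch")
    # 6. c_hash: when a code came back alongside the id_token, bind the two together.
    if code is not None and claims.get("c_hash") != expected_c_hash(code, alg):
        raise ValueError("c_hash mismatch")
    return claims


# Constructed demo inputs (placeholders, not real tenant, client or secret values).
SECRET = b"constructed-demo-secret-not-for-production"
ISSUER = "https://idp.example/tenant-0000/v2.0"
CLIENT_ID = "demo-client-id"
NONCE = "n-8f3a"
CODE = "authcode-12345"
NOW = 1_700_000_000
DEMO_CLAIMS = {
    "iss": ISSUER, "aud": CLIENT_ID, "sub": "user-123", "nonce": NONCE,
    "iat": NOW - 5, "exp": NOW + 3600, "c_hash": expected_c_hash(CODE, "HS256"),
}


def demo() -> dict:
    token = make_id_token(DEMO_CLAIMS, SECRET)
    return validate_id_token(token, key=SECRET, issuer=ISSUER, client_id=CLIENT_ID,
                             nonce=NONCE, code=CODE, now=NOW)


if __name__ == "__main__":
    print(demo())
```

The order matters: the algorithm is pinned and the signature verified before any claim is read, so a forged payload never influences which checks run. The nonce comparison uses a constant-time compare and the stored session value, which is what ties the callback to the browser session that started the login; without it a captured id_token can be replayed into another session.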