Issues with Microsoft Entra integration
Hi!
According to this part of the Microsoft Entra documentation, the .well-known document is a variable URL in which we need to set `{tenant}` to one of the following options:
I'm using the 'common' option, and the problem is that in the document (https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration) the "issuer" key has a `{tenantid}` in the URL.
When I call the discover method like this: `discovery = OpenIDConnect::Discovery::Provider::Config.discover!('https://login.microsoftonline.com/common/v2.0')`, 2 errors occur:
- Issuer mismatch
- Issuer is not a valid URL
The first one I solved with `OpenIDConnect.validate_discovery_issuer = false`; the second I cannot solve, because it is a validation that I can't skip:
https://github.com/nov/openid_connect/blob/e1eb8ea962af43752b1aed2c1063a3e24f96c5bc/lib/openid_connect/discovery/provider/config/response.rb#L60
I commented out the line above to continue the authentication flow and check whether these were the only problems. The discover! method then ran without any other problems, but `id_token.verify!` fails with an 'Invalid ID token: Issuer does not match' error, because the id_token returned by Microsoft has `iss: 'https://login.microsoftonline.com/9040d.../v2.0'` while `discovery.issuer` is `'https://login.microsoftonline.com/{tenantid}/v2.0'`.
Is there something we can do to resolve the compatibility issue with Microsoft Entra?
Thanks!
PS: The problem does not occur with a specific Microsoft Entra tenant; it occurs only when I use the 'common' option.
The issuer check must be made optional or pass the issuer received from the token.
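As an added example (not code from the openid_connect gem or from the reporter), the following Ruby shows what an issuer check for a multi-tenant Entra discovery document can look like: instead of disabling the check, the `{tenantid}` placeholder is filled in from the token's own `tid` claim, the resulting issuer is compared with `iss`, and the tenant is pinned to an allow-list so that a token from an arbitrary Entra tenant is still rejected. The template string, the GUID-shaped tenant id and the claims hash are constructed sample values, and the claims are passed as a plain hash rather than a decoded JWT.

```ruby
require "uri"

# Constructed sample values (not real Microsoft data): the templated issuer as
# it appears in the 'common' discovery document, and the claims of an ID token.
COMMON_ISSUER_TEMPLATE = "https://login.microsoftonline.com/{tenantid}/v2.0"
SAMPLE_TENANT = "00000000-0000-0000-0000-000000000001"
SAMPLE_CLAIMS = {
  "iss" => "https://login.microsoftonline.com/#{SAMPLE_TENANT}/v2.0",
  "tid" => SAMPLE_TENANT,   # Entra ID tokens carry the issuing tenant id here
  "aud" => "example-client-id",
}

# Entra tenant ids are GUIDs; refuse anything else before substituting it into a URL.
TENANT_ID_RE = /\A[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}\z/i

# Fill the {tenantid} placeholder of the templated issuer for a concrete tenant.
def expected_issuer(tenant_id, template: COMMON_ISSUER_TEMPLATE)
  raise ArgumentError, "tenant id is not a GUID" unless tenant_id.match?(TENANT_ID_RE)
  template.sub("{tenantid}", tenant_id)
end

# Verify the 'iss' claim of a multi-tenant Entra ID token:
#  1. it must be an https URL,
#  2. the token's tenant must be one we have chosen to trust,
#  3. it must equal the templated issuer with that tenant filled in.
# Returns true on success, raises otherwise.
def verify_entra_issuer(claims, allowed_tenants:, template: COMMON_ISSUER_TEMPLATE)
  iss = claims.fetch("iss")
  tid = claims.fetch("tid")
  raise "Issuer is not a valid URL" unless URI.parse(iss).is_a?(URI::HTTPS)
  raise "Tenant #{tid} is not allowed" unless allowed_tenants.include?(tid)
  expected = expected_issuer(tid, template: template)
  raise "Issuer mismatch: got #{iss}, expected #{expected}" unless iss == expected
  true
end

# Usage with the constructed sample token and a one-tenant allow-list.
puts verify_entra_issuer(SAMPLE_CLAIMS, allowed_tenants: [SAMPLE_TENANT])
```

The allow-list is the part that matters with the 'common' endpoint: the discovery document alone cannot tell you which tenants you trust, so deriving the issuer from `tid` without pinning the tenant would accept an ID token from any Entra tenant.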