Endpoint belongs to different authority
I am trying to use Azure AD as an OpenID provider with the IdentityModel package.

However, the problem is that it produces a wrong endpoint configuration.

using System;
using System.Net.Http;
using IdentityModel.Client;

var client = new HttpClient();

// Azure AD v2.0 tenant authority; IdentityModel appends /.well-known/openid-configuration itself
const string identityUrl = "https://login.microsoftonline.com/00edae13-e792-4bc1-92ef-92a02ec1d939/v2.0";
const string restUrl = "https://localhost:44321";

var disco = await client.GetDiscoveryDocumentAsync(identityUrl);
if (disco.IsError)
{
    Console.WriteLine(disco.Error);
    return;
}

This returns the error:

Endpoint belongs to different authority: https://login.microsoftonline.com/00edae13-e792-4bc1-92ef-92a02ec1d939/oauth2/v2.0/authorize

The openid-configuration output is:

{"authorization_endpoint":"https://login.microsoftonline.com/00edae13-e792-4bc1-92ef-92a02ec1d939/oauth2/v2.0/authorize",
"token_endpoint":"https://login.microsoftonline.com/00edae13-e792-4bc1-92ef-92a02ec1d939/oauth2/v2.0/token" ... }

oauth2 is added between the tenant ID and the version. I suppose this is why the OpenID metadata validation fails.

Is it possible to configure Azure AD to return correct metadata for the openid-configuration?

Regards

Helianthus answered 5/6, 2019 at 11:54 Comment(1)
There is a special test, DiscoveryPolicyTests.Endpoints_not_beneath_authority_must_be_allowed_if_whitelisted, in the IdentityModel source code. It seems that this check is done on purpose. However, this can be turned off using policy.ValidateEndpoints = false. But I have serious doubts that turning endpoint checks off is a good idea. - Helianthus

Could you find a solution for this? The only way I could figure out (far from the optimal solution) is to add the endpoints to a list of additional endpoint base addresses. Otherwise you have to set the validations to false, as stated in the comments above.

using System.Net.Http;
using IdentityModel.Client;

// httpClientFactory is an injected IHttpClientFactory
var client = httpClientFactory.CreateClient();
var disco = await client.GetDiscoveryDocumentAsync(
    new DiscoveryDocumentRequest
    {
        Address = "https://login.microsoftonline.com/00edae13-e792-4bc1-92ef-92a02ec1d939/v2.0",
        Policy =
        {
            ValidateIssuerName = true,
            ValidateEndpoints = true,
            // Every endpoint in the metadata must start with the authority or with one of these
            AdditionalEndpointBaseAddresses =
            {
                "https://login.microsoftonline.com/00edae13-e792-4bc1-92ef-92a02ec1d939/oauth2/v2.0/token",
                "https://login.microsoftonline.com/00edae13-e792-4bc1-92ef-92a02ec1d939/oauth2/v2.0/authorize",
                "https://login.microsoftonline.com/00edae13-e792-4bc1-92ef-92a02ec1d939/discovery/v2.0/keys",
                "https://login.microsoftonline.com/00edae13-e792-4bc1-92ef-92a02ec1d939/oauth2/v2.0/devicecode",
                "https://graph.microsoft.com/oidc/userinfo",
                "https://login.microsoftonline.com/00edae13-e792-4bc1-92ef-92a02ec1d939/oauth2/v2.0/logout"
            }
        },
    });
Grimalkin answered 31/8, 2020 at 11:43 Comment(3)
Well, this looks fine; at least it will validate the endpoints properly. However, additional configuration changes should be made to store the alternative endpoint paths in the config file. - Helianthus
This seems to be working fine. Another new endpoint that you should use is kerberos: login.microsoftonline.com/00edae13-e792-4bc1-92ef-92a02ec1d939/… - Natika
Will this solution work for multi-tenancy login? - Oxidate

If you take a look at the code inside the IdentityModel repository, you can see that the default validation of the endpoints checks them with a "starts with" comparison: https://github.com/IdentityModel/IdentityModel/blob/1db21e2677de6896bc11227c70b927c502e20898/src/Client/StringComparisonAuthorityValidationStrategy.cs#L46

Then the only two AdditionalEndpointBaseAddresses you need to add inside the DiscoveryDocumentRequest Policy field are "https://login.microsoftonline.com/<guid>" and "https://graph.microsoft.com/oidc/userinfo".

Olio answered 5/7, 2021 at 20:55 Comment(0)
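To make the "starts with" rule concrete, here is an added example; it is not code from the IdentityModel project nor from any of the answers. It models the endpoint check in Python and runs it over a discovery document constructed from the values quoted in the question and the endpoint lists given in the two answers above (the full six-URL list and the two-entry list). The DiscoveryPolicy class, the exact-match issuer rule and the attacker-controlled document are assumptions made for illustration; the library's own implementation is linked in the answer above. The last two scenarios show what the check is for: a metadata document whose token_endpoint has been moved to a look-alike host is rejected with the allowlist in place and accepted silently when ValidateEndpoints is turned off.

```python
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional

# Tenant ID and authority copied from the question.
TENANT = "00edae13-e792-4bc1-92ef-92a02ec1d939"
LOGIN = f"https://login.microsoftonline.com/{TENANT}"
AUTHORITY = f"{LOGIN}/v2.0"

# Constructed discovery document: the two endpoints quoted in the question plus the
# endpoints listed in the answers, under their standard OIDC metadata names.
AZURE_AD_METADATA: Dict[str, str] = {
    "issuer": AUTHORITY,
    "authorization_endpoint": f"{LOGIN}/oauth2/v2.0/authorize",
    "token_endpoint": f"{LOGIN}/oauth2/v2.0/token",
    "jwks_uri": f"{LOGIN}/discovery/v2.0/keys",
    "device_authorization_endpoint": f"{LOGIN}/oauth2/v2.0/devicecode",
    "userinfo_endpoint": "https://graph.microsoft.com/oidc/userinfo",
    "end_session_endpoint": f"{LOGIN}/oauth2/v2.0/logout",
}
# Metadata entries the client will later send requests to, so each must be checked.
ENDPOINT_KEYS = ("authorization_endpoint", "token_endpoint", "jwks_uri",
                 "device_authorization_endpoint", "userinfo_endpoint",
                 "end_session_endpoint")

# The two allowlists proposed in the answers above.
FULL_LIST = [f"{LOGIN}/oauth2/v2.0/token", f"{LOGIN}/oauth2/v2.0/authorize",
             f"{LOGIN}/discovery/v2.0/keys", f"{LOGIN}/oauth2/v2.0/devicecode",
             "https://graph.microsoft.com/oidc/userinfo", f"{LOGIN}/oauth2/v2.0/logout"]
# Trailing slash added here so that "<guid>-other/..." is not also a prefix match.
SHORT_LIST = [f"{LOGIN}/", "https://graph.microsoft.com/oidc/userinfo"]


@dataclass
class DiscoveryPolicy:
    """The policy knobs used on this page; names mirror IdentityModel's properties."""
    validate_issuer_name: bool = True
    validate_endpoints: bool = True
    additional_endpoint_base_addresses: List[str] = field(default_factory=list)


def validate_discovery(authority: str, metadata: Dict[str, str],
                       policy: DiscoveryPolicy) -> Optional[str]:
    """Return None when the document passes, otherwise an error string.

    Endpoint rule, as described in the answer above: an endpoint is accepted when it
    starts with the authority or with one of the additional base addresses.
    Issuer rule: exact match with the authority ignoring a trailing slash (an
    assumption about the library's behaviour, sufficient for this illustration).
    """
    authority = authority.rstrip("/")
    if policy.validate_issuer_name:
        issuer = metadata.get("issuer", "").rstrip("/")
        if issuer != authority:
            return f"Issuer name does not match authority: {issuer}"
    if policy.validate_endpoints:
        allowed = [authority, *policy.additional_endpoint_base_addresses]
        for key in ENDPOINT_KEYS:
            endpoint = metadata.get(key)
            if endpoint and not any(endpoint.startswith(p) for p in allowed):
                return f"Endpoint belongs to different authority: {endpoint}"
    return None


def check(metadata: Dict[str, str], bases: Iterable[str] = (),
          validate_endpoints: bool = True) -> Optional[str]:
    """Run the check against the question's authority with the given allowlist."""
    policy = DiscoveryPolicy(validate_endpoints=validate_endpoints,
                             additional_endpoint_base_addresses=list(bases))
    return validate_discovery(AUTHORITY, metadata, policy)


def tampered_metadata() -> Dict[str, str]:
    """Constructed attacker variant: token_endpoint moved to a look-alike host. A
    client that trusted it would post its authorization code and client secret there."""
    evil = "https://login.microsoftonline.com.evil.example/oauth2/v2.0/token"
    return dict(AZURE_AD_METADATA, token_endpoint=evil)


if __name__ == "__main__":
    print("authority only   :", check(AZURE_AD_METADATA))              # the question's error
    print("full list        :", check(AZURE_AD_METADATA, FULL_LIST))   # None
    print("short list       :", check(AZURE_AD_METADATA, SHORT_LIST))  # None
    print("tampered, checked:", check(tampered_metadata(), SHORT_LIST))
    print("tampered, off    :", check(tampered_metadata(), validate_endpoints=False))  # None
```

The first call reproduces the exact error message from the question, because no Azure AD endpoint begins with the `/v2.0` authority string. Both allowlists then pass, the two-entry one because every login.microsoftonline.com endpoint shares the tenant path prefix. Since the comparison is a plain string prefix, a base address that ends without a trailing slash also matches any path that merely begins with the same characters, which is why the short list here carries the slash.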

I had the same problem as well, and when I upgraded IdentityModel to version 2.16.1 the problem was solved.

Nutlet answered 3/2, 2021 at 18:31 Comment(0)

Azure AD seems to need the Additional Endpoints configuration, as @flacid-snake suggested. Setting validate endpoints to false is a security threat and should be avoided.

The best way is to make it configurable, preferably in the UI where you configure the SSO server. Endpoints can change and they should be easy to change. It will also make it easier if you later decide to support Okta or other providers and they require additional endpoints.

As of June 2021 you also need to include the Kerberos endpoint, like: https://login.microsoftonline.com/888861fc-dd99-4521-a00f-ad8888e9ecc8bfgh/kerberos (replace with your directory tenant ID).

Natika answered 28/6, 2021 at 8:22 Comment(0)
