
AzureAD .well-known config is partially invalid, making OAuth2 registration with the "common" or "organizations" endpoints impossible #12073

Closed
2 tasks done
GlitterHorn opened this issue Jun 27, 2020 · 5 comments · Fixed by #16544

Comments


GlitterHorn commented Jun 27, 2020

  • Gitea version (or commit ref): 1.11.6
  • Git version: 2.27.0
  • Operating system: Arch Linux, kernel 5.6.15-arch1-1
  • Database (use [x]):
    • MySQL (MirandaDB)
  • Can you reproduce the bug at https://try.gitea.io:
    • Not relevant

Description

A related bug was filed with Azure a while ago, and I confirmed with that team that this bug is not in the roadmap to be fixed any time soon, because doing so requires considerable engineering effort. That bug is here:
https://github.com/MicrosoftDocs/azure-docs/issues/38427

The TL;DR is that Azure's endpoint doesn't actually return a valid issuer URI in the .well-known response from the endpoint, if you are trying to use either the common or organizations endpoints. When you try to hit either of these, the .well-known response looks like this:

"issuer": "https://login.microsoftonline.com/{tenantid}/v2.0"

The correct issuer is in the URL of the .well-known config itself:

https://login.microsoftonline.com/organizations/v2.0/.well-known/openid-configuration

Gitea checks the issuer in the .well-known response, and since it doesn't match, it throws an HTTP 500 error after successful authentication.

I think this can be addressed one of two ways:

  • Add a warning if the user tries to use either common or organizations with Microsoft's OAuth2 endpoint
  • Programmatically fix the issuer URL in the response so Gitea doesn't complain about issuer mismatch

Alternatively, maybe Microsoft can be added as a preconfigured OAuth2 provider. I'm not a Go dev but I can help answer any questions related to Microsoft's implementation.
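
As an added example (not Gitea's or goth's code), here is a Go check that applies the OpenID Connect Discovery rule that the issuer must equal the discovery URL minus the well-known suffix, recognises the Azure `{tenantid}` template described above instead of silently rewriting it, and resolves the expected issuer per token. The function names and the use of the token's `tid` claim to fill the template are my assumptions.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

const wellKnownSuffix = "/.well-known/openid-configuration"
const azureTemplate = "{tenantid}" // literal placeholder Azure returns for common/organizations

// discoveryDoc keeps only the field this check needs from the OpenID discovery document.
type discoveryDoc struct {
	Issuer string `json:"issuer"`
}

// CheckIssuer applies the OIDC Discovery issuer rule. It returns the issuer (or the Azure
// template) and whether it is templated; a plain mismatch is rejected as an error so an
// unexpected issuer is never accepted just because the document parsed.
func CheckIssuer(discoveryURL string, body []byte) (issuer string, templated bool, err error) {
	var doc discoveryDoc
	if err := json.Unmarshal(body, &doc); err != nil {
		return "", false, fmt.Errorf("discovery document is not valid JSON: %w", err)
	}
	expected := strings.TrimSuffix(discoveryURL, wellKnownSuffix)
	switch {
	case doc.Issuer == expected:
		return expected, false, nil // the spec-compliant case
	case strings.Contains(doc.Issuer, azureTemplate):
		return doc.Issuer, true, nil // Azure "common"/"organizations": defer the check to token time
	default:
		return "", false, fmt.Errorf("issuer mismatch: document says %q, discovery URL implies %q", doc.Issuer, expected)
	}
}

// ExpectedIssuerForToken fills the template with the token's "tid" claim (assumed present in
// Azure AD v2.0 id_tokens); an empty tid is rejected so the check never degrades to the literal template.
func ExpectedIssuerForToken(templatedIssuer, tid string) (string, error) {
	if tid == "" {
		return "", errors.New("id_token has no tid claim; cannot resolve templated issuer")
	}
	return strings.Replace(templatedIssuer, azureTemplate, tid, 1), nil
}

func main() {
	doc := []byte(`{"issuer": "https://login.microsoftonline.com/{tenantid}/v2.0"}`) // constructed sample
	iss, templated, err := CheckIssuer("https://login.microsoftonline.com/organizations/v2.0"+wellKnownSuffix, doc)
	fmt.Println(iss, templated, err)
}
```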

@GlitterHorn GlitterHorn changed the title AzureAD well-known config is partially invalid, making OAuth2 registration with the "common" or "organizations" endpoints impossible AzureAD .well-known config is partially invalid, making OAuth2 registration with the "common" or "organizations" endpoints impossible Jun 27, 2020

stale bot commented Aug 27, 2020

This issue has been automatically marked as stale because it has not had recent activity. I am here to help clear issues left open even if solved or waiting for more insight. This issue will be closed if no further activity occurs during the next 2 weeks. If the issue is still valid just add a comment to keep it alive. Thank you for your contributions.

@stale stale bot added the issue/stale label Aug 27, 2020
@zeripath (Contributor)

So markbates/goth (our underlying multi-authentication source) has a couple of azure backends. In order to integrate this as a new provider we would need an azure AD to test against though.

@stale stale bot removed the issue/stale label Aug 28, 2020
@GlitterHorn (Author)

I'm happy to help test with my dev AAD tenant.


stale bot commented Nov 9, 2020

This issue has been automatically marked as stale because it has not had recent activity. I am here to help clear issues left open even if solved or waiting for more insight. This issue will be closed if no further activity occurs during the next 2 weeks. If the issue is still valid just add a comment to keep it alive. Thank you for your contributions.

@stale stale bot added the issue/stale label Nov 9, 2020
@GlitterHorn (Author)

Still an issue.

@stale stale bot removed the issue/stale label Nov 19, 2020
@go-gitea go-gitea locked and limited conversation to collaborators Oct 19, 2021