feat: azure oidc fix (#1349)

Allows the use of Azure ID tokens with various Azure issuers, and defaults to the common issuer.
supabase · Dec 17, 2023 · 97b3595 · 97b3595
1 parent 757989c
commit 97b3595
Show file tree

Hide file tree

Showing 3 changed files with 15 additions and 4 deletions.
diff --git a/internal/api/provider/azure.go b/internal/api/provider/azure.go
@@ -90,7 +90,7 @@ func (g azureProvider) GetOAuthToken(code string) (*oauth2.Token, error) {
 	return g.Exchange(context.Background(), code)
 }
 
-func (g azureProvider) detectIDTokenIssuer(ctx context.Context, idToken string) (string, error) {
+func DetectAzureIDTokenIssuer(ctx context.Context, idToken string) (string, error) {
 	var payload struct {
 		Issuer string `json:"iss"`
 	}
@@ -116,7 +116,7 @@ func (g azureProvider) GetUserData(ctx context.Context, tok *oauth2.Token) (*Use
 	idToken := tok.Extra("id_token")
 
 	if idToken != nil {
-		issuer, err := g.detectIDTokenIssuer(ctx, idToken.(string))
+		issuer, err := DetectAzureIDTokenIssuer(ctx, idToken.(string))
 		if err != nil {
 			return nil, err
 		}

diff --git a/internal/api/token_oidc.go b/internal/api/token_oidc.go
@@ -50,10 +50,17 @@ func (p *IdTokenGrantParams) getProvider(ctx context.Context, config *conf.Globa
 		issuer = provider.IssuerGoogle
 		acceptableClientIDs = append(acceptableClientIDs, config.External.Google.ClientID...)
 
-	case p.Provider == "azure" || p.Issuer == provider.IssuerAzureCommon || p.Issuer == provider.IssuerAzureOrganizations:
+	case p.Provider == "azure" || provider.IsAzureIssuer(p.Issuer):
+		issuer = p.Issuer
+		if issuer == "" || !provider.IsAzureIssuer(issuer) {
+			detectedIssuer, err := provider.DetectAzureIDTokenIssuer(ctx, p.IdToken)
+			if err != nil {
+				return nil, nil, "", nil, badRequestError("Unable to detect issuer in ID token for Azure provider").WithInternalError(err)
+			}
+			issuer = detectedIssuer
+		}
 		cfg = &config.External.Azure
 		providerType = "azure"
-		issuer = p.Issuer
 		acceptableClientIDs = append(acceptableClientIDs, config.External.Azure.ClientID...)
 
 	case p.Provider == "facebook" || p.Issuer == provider.IssuerFacebook:

diff --git a/openapi.yaml b/openapi.yaml
@@ -119,10 +119,14 @@ paths:
                   enum:
                     - google
                     - apple
+                    - azure
+                    - facebook
+                    - keycloak
                 client_id:
                   type: string
                 issuer:
                   type: string
+                  description: If `provider` is `azure` then you can specify any Azure OIDC issuer string here, which will be used for verification.
                 gotrue_meta_security:
                   $ref: "#/components/schemas/GoTrueMetaSecurity"
                 auth_code: