Entra ID unexpected JWT "iss" (issuer) claim value

[jam-fran]

Hi there,

I'm in the process of updating my application to use v6. My login flow works for Google signin, but fails for Microsoft due to a JWT claims mismatch.

The issuer url that Microsoft declares in my discovery url is "issuer": "https://login.microsoftonline.com/{tenantid}/v2.0"

However, when I attempt the authorizationCodeGrant, the issuer claim value is the url with the actual tenant ID, e.g. https://login.microsoftonline.com/39jd282-28djh2/v2.0, which throws an error: OperationProcessingError: unexpected JWT "iss" (issuer) claim value.

I'm not too experienced with this flow, so I'm a little stuck on how to approach solving this. Any help would be immensely appreciated. Below is a simplified version of my application code in case it's helpful.

import * as client from 'openid-client'

const createOpenIdConfig = async () => {
  const config = await client.discovery(
    new URL('https://login.microsoftonline.com/organizations/v2.0/.well-known/openid-configuration'),
    CLIENT_ID,
    CLIENT_SECRET
  )
  return config
}

const generateAuthUrl = async () => {
  const config = await createOpenIdConfig()
  const codeVerifier = client.randomPKCECodeVerifier()
  const codeChallenge = await client.calculatePKCECodeChallenge(codeVerifier)
  const url = client.buildAuthorizationUrl(config, {
    redirect_uri: REDIRECT_URI,
    scope: 'openid email profile',
    response_type: 'code',
    response_mode: 'query',
    code_challenge: codeChallenge,
    code_challenge_method: 'S256'
  })
  return { url: url.href, codeVerifier }
}

const getTokens = async (
  code: string,
  codeVerifier: string
) => {
  const config = await createOpenIdConfig()
  const url = new URL(REDIRECT_URI)
  url.searchParams.set('code', code)
  // Error is thrown here
  const tokens = await client.authorizationCodeGrant(config, url, {
      pkceCodeVerifier: codeVerifier
  return tokens
}

[panva]

-new URL('https://login.microsoftonline.com/organizations/v2.0/.well-known/openid-configuration')
+new URL('https://login.microsoftonline.com/organizations/v2.0')

This should help.

[jam-fran]

Thanks so much @panva, this did ultimately solve it. I was going down a rabbit hole and reading about how Microsoft isn't technically openid compliant, so I'm very glad this works!

[panva]

That's all very true. And because users would eat me alive if EntraID multi-tenant endpoints weren't supported I had to take an L and bake in provider-specific handling. I'm not happy about it per se, but at this point I need to accept it.

[jam-fran]

Pretty shocking and frustrating that they aren't compliant. I'm very grateful that you made the effort to include specific handling