-
-
Notifications
You must be signed in to change notification settings - Fork 392
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Discovery issues with v6 and Azure AD B2C #718
Comments
Thanks. I'll take a look. I expect the same shenanigans as with the multitenant common endpoints on Entra ID. I lacked reproduction cases, hopefully yours will help |
Sigh... Can you apply this patch (minus the TS bits) locally and let me know what comes next? I assume nothing but I'd like to wait with its release before knowing it is the full extent of necessary spec behaviour bending needed. diff --git a/src/index.ts b/src/index.ts
index 24d1852..89ab459 100644
--- a/src/index.ts
+++ b/src/index.ts
@@ -1038,6 +1038,17 @@ function handleEntraId(
return false
}
+function handleB2Clogin(server: URL, options?: DiscoveryRequestOptions) {
+ if (
+ server.hostname.endsWith('.b2clogin.com') &&
+ (!options?.algorithm || options.algorithm === 'oidc')
+ ) {
+ return true
+ }
+
+ return false
+}
+
/**
* Performs Authorization Server Metadata discovery and returns a
* {@link Configuration} with the discovered
@@ -1117,6 +1128,7 @@ export async function discovery(
if (resolve && new URL(as.issuer).href !== server.href) {
handleEntraId(server, as, options) ||
+ handleB2Clogin(server, options) ||
(() => {
throw new ClientError(
'discovered metadata issuer does not match the expected issuer', |
Works perfectly 👍 I tested all variations known to me: Testing URL: https://openidclientdemo.b2clogin.com/openidclientdemo.onmicrosoft.com/B2C_1_signupsignin/v2.0
Success: Configuration {}
Testing URL: https://openidclientdemo.b2clogin.com/0e96f835-6e34-470c-800b-2e2c5908c54c/B2C_1_signupsignin/v2.0
Success: Configuration {}
Testing URL: https://openidclientdemo.b2clogin.com/openidclientdemo.onmicrosoft.com/v2.0/.well-known/openid-configuration?p=B2C_1_signupsignin
Success: Configuration {}
Testing URL: https://openidclientdemo.b2clogin.com/0e96f835-6e34-470c-800b-2e2c5908c54c/v2.0/.well-known/openid-configuration?p=B2C_1_signupsignin
Success: Configuration {}
Testing URL: https://openidclientdemo.b2clogin.com/openidclientdemo.onmicrosoft.com/B2C_1_signupsignin/v2.0/.well-known/openid-configuration
Success: Configuration {}
Testing URL: https://openidclientdemo.b2clogin.com/0e96f835-6e34-470c-800b-2e2c5908c54c/B2C_1_signupsignin/v2.0/.well-known/openid-configuration
Success: Configuration {} btw: The test urls are real b2c urls. You can also use them for testing (I've quickly created an Azure AD B2C tenant for this issue). |
I see, there's even more variation with the policy being in a query string... sigh.
Even subsequent interactions with the server like Authorization Grant, Refresh Token Grant, etc?
Thank you for that, if at all possible please share the client credentials privately (email, twitter DM). |
Yes, I've tested login (auth code grant), refresh and logout (buildEndSessionUrl).
Sure! Shared them via email 👍 |
What happened?
I've had some issues with the discovery function when migrating from v5 to v6.
The discovery failed with the error
discovered metadata issuer does not match the expected issuer
.Example urls that fail (worked previously with v5):
Workaround
Adding
/.well-known/openid-configuration
to the end makes the discovery work:Version
v6.1.1
Runtime
Node.js
Runtime Details
Node v22.8.0
Code to reproduce
Required
The text was updated successfully, but these errors were encountered: