fix: allow AAD appid including discovery URLs to be multi-tenant

panva · Jul 17, 2020 · c27caab · c27caab
1 parent ca5365e
commit c27caab
Show file tree

Hide file tree

Showing 3 changed files with 18 additions and 4 deletions.
diff --git a/lib/helpers/consts.js b/lib/helpers/consts.js
@@ -2,12 +2,12 @@ const OIDC_DISCOVERY = '/.well-known/openid-configuration';
 const OAUTH2_DISCOVERY = '/.well-known/oauth-authorization-server';
 const WEBFINGER = '/.well-known/webfinger';
 const REL = 'http://openid.net/specs/connect/1.0/issuer';
-const AAD_MULTITENANT_DISCOVERY = new Set([
+const AAD_MULTITENANT_DISCOVERY = [
   `https://login.microsoftonline.com/common${OIDC_DISCOVERY}`,
   `https://login.microsoftonline.com/common/v2.0${OIDC_DISCOVERY}`,
   `https://login.microsoftonline.com/organizations/v2.0${OIDC_DISCOVERY}`,
   `https://login.microsoftonline.com/consumers/v2.0${OIDC_DISCOVERY}`,
-]);
+];
 
 const CLIENT_DEFAULTS = {
   grant_types: ['authorization_code'],

diff --git a/lib/issuer.js b/lib/issuer.js
@@ -221,7 +221,7 @@ class Issuer {
       return new Issuer({
         ...ISSUER_DEFAULTS,
         ...body,
-        [AAD_MULTITENANT]: AAD_MULTITENANT_DISCOVERY.has(uri),
+        [AAD_MULTITENANT]: AAD_MULTITENANT_DISCOVERY.find((discoveryURL) => uri.startsWith(discoveryURL)),
       });
     }
 
@@ -248,7 +248,7 @@ class Issuer {
       return new Issuer({
         ...ISSUER_DEFAULTS,
         ...body,
-        [AAD_MULTITENANT]: AAD_MULTITENANT_DISCOVERY.has(wellKnownUri),
+        [AAD_MULTITENANT]: AAD_MULTITENANT_DISCOVERY.find((discoveryURL) => wellKnownUri.startsWith(discoveryURL)),
       });
     }));
   }

diff --git a/test/aad/aad.test.js b/test/aad/aad.test.js
@@ -37,6 +37,20 @@ describe('Azure AD multi-tenant applications', () => {
           expect(err.message).to.match(/^JWT expired, now \d+, exp 12345$/);
         });
       });
+
+      it(`changes the "iss" validation when Issuer is discovered with an appid query string (${input})`, async () => {
+        nock('https://login.microsoftonline.com')
+          .get(`/${bucket}/v2.0/.well-known/openid-configuration?appid=6731de76-14a6-49ae-97bc-6eba6914391e`)
+          .reply(200, {
+            issuer: 'https://login.microsoftonline.com/{tenantid}/v2.0',
+          });
+
+        const aad = await Issuer.discover(`${input}?appid=6731de76-14a6-49ae-97bc-6eba6914391e`);
+        const client = new aad.Client({ client_id: 'foo' });
+        return client.validateIdToken(idToken).then(fail).catch((err) => {
+          expect(err.message).to.match(/^JWT expired, now \d+, exp 12345$/);
+        });
+      });
     });
 
     it('no changes to "iss" validation when Issuer is constructed', async () => {