Windows Live OpenID Connect / OAuth 2.0: How to use it for SSO with Apache mod_auth_openidc

I have mod_auth_openidc working with Google and with a manual version of phpOIDC as my OP, with mod_auth_openidc as my identity provider.

My problem seems to be a bug in Microsoft's implementation.

mod_auth_openidc is a great mod and has enough verification logging.

One of the things returned in the JWT is the "aud" parameter, which is the audience.

According to the Open ID Connect specification:

aud REQUIRED. Audience(s) that this ID Token is intended for. It MUST contain the OAuth 2.0 client_id of the Relying Party as an audience value. It MAY also contain identifiers for other audiences. In the general case, the aud value is an array of case sensitive strings. In the common special case when there is one audience, the aud value MAY be a single case sensitive string.

My client ID is 00000001234 (not my real ID, just an example).

I do it through a handshake and it's all groovy: I get my "code" nonce from Windows Live and then I exchange it for a token, but the "aud" in the token I get is:

00000000-0000-0000-0000-00000001234

mod_auth_openidc correctly validates the "aud" value in the returned token and responds with an error because "aud" does not match the configured client_id, which it should according to the spec.

My question is not how to validate the token audience; is there a way to configure the application in the MS Developer console so that it correctly returns the client id as the "aud" value in the returned token?

If not, where is the best place to report this bug in their implementation?

+3


2 answers


In fact, nowhere in the login.live.com docs does it say that MS Live is OpenID Connect compatible. It mentions that they built their own SSO protocol on top of OAuth 2.0.

You seem to have discovered that MS Live supports important OpenID Connect components (the well-known discovery document, the JWKS URI, openid, etc.), which is news to me. But unfortunately, it looks like one tiny thing is still missing... Perhaps this is also the reason that OpenID Connect support for MS Live ID has not been announced yet.



The MS OpenID Connect implementation in Azure AD is already fully compatible, but Live ID is not there yet. I think all you can do is report the error to MS.

+2


In MSA, 00000000-0000-0000-0000-00000001234 and 00000001234 are different identifiers for the same application. The new Application Portal (apps.dev.microsoft.com) prefers the 128-bit GUID, while the old Application Portal (account.live.com/developers/applications) prefers the older 64-bit identity. The id_token will always contain the new ID.

You can make the client_id in the request match the token's 'aud' requirement by using the new ID format (i.e. 00000000-0000-0000-0000-00000001234).



The new IDs have been created to match the MSA and AAD IDs.

+1
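The audience check the question describes, as an added example in Python that is not part of the original thread or of mod_auth_openidc: it applies the spec rule quoted in the question (aud is a string or an array, compared case-sensitively, and must contain the RP's client_id) to a constructed ID token whose "aud" carries the GUID form, showing why the legacy client ID fails and the new-format ID from the second answer passes. The token, payload and client IDs are constructed for the example; signature verification is a separate step that is not shown.

```python
import base64
import json

# Constructed ID-token payload imitating what the question reports from
# Windows Live (MSA): "aud" carries the GUID-form application id.
# No signature is attached; verifying the JWS against the JWKS URI is a
# separate step (mod_auth_openidc does it) and is not shown here.
SAMPLE_PAYLOAD = {
    "aud": "00000000-0000-0000-0000-00000001234",
    "sub": "example-subject",
}

OLD_CLIENT_ID = "00000001234"                          # legacy id from the old portal
NEW_CLIENT_ID = "00000000-0000-0000-0000-00000001234"  # GUID form from apps.dev.microsoft.com


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def build_unsigned_id_token(payload: dict) -> str:
    """Constructed test token in JWS compact form with an empty signature part."""
    header = {"alg": "none", "typ": "JWT"}
    return ".".join([_b64url(json.dumps(header).encode()),
                     _b64url(json.dumps(payload).encode()), ""])


def decode_payload(id_token: str) -> dict:
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWS compact serialization")
    segment = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(segment))


def audience_matches(payload: dict, client_id: str) -> bool:
    """OpenID Connect Core aud rule: string or array of strings, case-sensitive,
    and it MUST contain the Relying Party's client_id."""
    aud = payload.get("aud")
    if isinstance(aud, str):
        aud = [aud]
    if not isinstance(aud, list) or not all(isinstance(a, str) for a in aud):
        return False
    return client_id in aud


def check_token(id_token: str, client_id: str) -> bool:
    return audience_matches(decode_payload(id_token), client_id)


if __name__ == "__main__":
    token = build_unsigned_id_token(SAMPLE_PAYLOAD)
    for cid in (OLD_CLIENT_ID, NEW_CLIENT_ID):
        print(cid, "->", "aud OK" if check_token(token, cid) else "aud mismatch")
```

In mod_auth_openidc terms, this is the same comparison the module makes between the token's "aud" and the configured client ID, which is why switching the configured value to the GUID form resolves the error.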