Page MenuHomePhabricator
Create Task
Maniphest T360249

Support custom issuer validator
Closed, ResolvedPublic
Actions

Description

As reported at https://github.com/jumbojett/OpenID-Connect-PHP/issues/145#issuecomment-498590601, when using the common endpoint for Microsoft login, the issuer URL contains a placeholder for the tenant ID, causing verification of JWT claims to fail. Support for custom issuer validation was added to the library in https://github.com/jumbojett/OpenID-Connect-PHP/pull/166. The extension needs to be updated to use this functionality.

Event Timeline

cicalese created this task.Mar 16 2024, 1:21 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMar 16 2024, 1:21 PM
cicalese added a comment.Mar 16 2024, 1:25 PM

Support was added in https://gerrit.wikimedia.org/r/c/mediawiki/extensions/OpenIDConnect/+/1007473.

To use this functionality, you need to specify an issuer validator in the config. To always return true, you can use:

$wgPluggableAuth_Config['Log in with your Microsoft account'] = [
    'plugin' => 'OpenIDConnect',
    'data' => [
        'providerURL' => 'https://login.microsoftonline.com/common/v2.0/',
        'clientID' => getenv( 'MICROSOFT_CLIENT_ID' ),
        'clientsecret' => getenv( 'MICROSOFT_SECRET' ),
        'issuerValidator' => fn( $iss ) => true,
    ]
];

To perform more rigorous validation, you would provide a boolean function.

cicalese closed this task as Resolved.Mar 16 2024, 1:25 PM
cicalese claimed this task.
cicalese moved this task from In Progress to Closed on the MediaWiki-extensions-OpenID-Connect board.Jan 10 2025, 8:25 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits