
Support custom issuer validator
Closed, Resolved · Public


As reported at, when using the common endpoint for Microsoft login, the issuer URL contains a placeholder for the tenant ID, causing verification of JWT claims to fail. Support for custom issuer validation was added to the library in The extension needs to be updated to use this functionality.

Event Timeline

Support was added in

To use this functionality, you need to specify an issuer validator in the config. To always return true, you can use:

$wgPluggableAuth_Config['Log in with your Microsoft account'] = [
    'plugin' => 'OpenIDConnect',
    'data' => [
        'providerURL' => '',
        'clientID' => getenv( 'MICROSOFT_CLIENT_ID' ),
        'clientsecret' => getenv( 'MICROSOFT_SECRET' ),
        'issuerValidator' => fn( $iss ) => true,
    ],
];

To perform more rigorous validation, you would provide a boolean function.
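As an added illustration of the "more rigorous" validator mentioned above (this is not code from the task or from the OpenIDConnect extension), the snippet below replaces the always-true closure with one that only accepts issuers of the form https://login.microsoftonline.com/<tenant-id>/v2.0 for an allow-list of tenant IDs. An unconditional `true` turns issuer checking off entirely, so a token minted for any tenant would pass; restricting to known tenants keeps the check meaningful while still working with the common endpoint. The `makeMicrosoftIssuerValidator` helper, the all-zero tenant ID and the common-endpoint `providerURL` value are assumptions for this example, and the validator is assumed to receive just the issuer string, as the `fn( $iss )` signature in the comment above suggests.

```php
<?php
// Added example, not part of the task or the OpenIDConnect extension:
// a strict issuerValidator for the Microsoft "common" endpoint.
// Assumed issuer shape: https://login.microsoftonline.com/<tenant-id>/v2.0
// The tenant ID below is a placeholder; replace it with your own.

$allowedTenants = [
    '00000000-0000-0000-0000-000000000000', // placeholder tenant ID (assumption)
];

/**
 * Build an issuer validator that accepts only issuers for known tenants.
 * (Hypothetical helper written for this example.)
 *
 * @param string[] $tenants Tenant IDs (GUIDs) whose tokens are accepted
 * @return callable(string): bool
 */
function makeMicrosoftIssuerValidator( array $tenants ): callable {
    // Normalise to lower case once so the per-token check is a hash lookup.
    $tenantSet = array_fill_keys( array_map( 'strtolower', $tenants ), true );

    return static function ( string $iss ) use ( $tenantSet ): bool {
        // Anchored match on the whole string: rejects other hosts, http://,
        // extra path segments, and the literal "{tenantid}" placeholder
        // that the common endpoint's discovery document advertises.
        if ( !preg_match(
            '#^https://login\.microsoftonline\.com/([0-9a-f-]{36})/v2\.0$#i',
            $iss,
            $m
        ) ) {
            return false;
        }
        // Only tenants on the allow-list may issue tokens for this wiki.
        return isset( $tenantSet[strtolower( $m[1] )] );
    };
}

$wgPluggableAuth_Config['Log in with your Microsoft account'] = [
    'plugin' => 'OpenIDConnect',
    'data' => [
        // Assumed common-endpoint base URL for this example.
        'providerURL' => 'https://login.microsoftonline.com/common/v2.0',
        'clientID' => getenv( 'MICROSOFT_CLIENT_ID' ),
        'clientsecret' => getenv( 'MICROSOFT_SECRET' ),
        'issuerValidator' => makeMicrosoftIssuerValidator( $allowedTenants ),
    ],
];
```

With this in LocalSettings.php, a token whose `iss` is `https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/v2.0` is accepted, while `https://login.microsoftonline.com/{tenantid}/v2.0`, an issuer for an unlisted tenant, or any other host is rejected. The regex match and the allow-list lookup are independent, so a malformed issuer never reaches the tenant comparison.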

cicalese claimed this task.