As reported at https://github.com/jumbojett/OpenID-Connect-PHP/issues/145#issuecomment-498590601, when using the common endpoint for Microsoft login, the issuer URL contains a placeholder for the tenant ID, causing verification of JWT claims to fail. Support for custom issuer validation was added to the library in https://github.com/jumbojett/OpenID-Connect-PHP/pull/166. The extension needs to be updated to use this functionality.
Support was added in https://gerrit.wikimedia.org/r/c/mediawiki/extensions/OpenIDConnect/+/1007473.
To use this functionality, you need to specify an issuer validator in the config. To always return true, you can use:
```php
$wgPluggableAuth_Config['Log in with your Microsoft account'] = [
	'plugin' => 'OpenIDConnect',
	'data' => [
		'providerURL' => 'https://login.microsoftonline.com/common/v2.0/',
		'clientID' => getenv( 'MICROSOFT_CLIENT_ID' ),
		'clientsecret' => getenv( 'MICROSOFT_SECRET' ),
		'issuerValidator' => fn( $iss ) => true,
	],
];
```
To perform more rigorous validation, you would provide a boolean function.
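An added example of such a stricter validator (not code from the extension, the library, or the comment above): it accepts only issuers of the form `https://login.microsoftonline.com/<tenant GUID>/v2.0`, and optionally only tenants on an allow-list, instead of accepting every issuer. It assumes the `issuerValidator` callable receives the token's `iss` claim as a string and returns a bool, as the `fn( $iss ) => true` form suggests; the tenant GUID in the config is a constructed placeholder.

```php
<?php
// Added example, not part of the OpenIDConnect extension. Assumes the
// issuerValidator callable is given the token's `iss` claim as a string
// and must return bool.

/**
 * Build an issuer validator for the Microsoft "common" endpoint.
 *
 * Tokens from the common endpoint carry an `iss` of the form
 * https://login.microsoftonline.com/{tenantid}/v2.0, where {tenantid} is the
 * GUID of the tenant that actually issued the token. Always returning true
 * would accept a token from any tenant; this pins the host and path shape
 * and, when an allow-list is given, the tenant too.
 *
 * @param string[] $allowedTenants Tenant GUIDs to accept; empty means any tenant
 * @return callable(string): bool
 */
function makeMicrosoftIssuerValidator( array $allowedTenants = [] ): callable {
	$allowed = array_map( 'strtolower', $allowedTenants );
	return static function ( $iss ) use ( $allowed ): bool {
		if ( !is_string( $iss ) ) {
			return false;
		}
		// Exact host, a GUID tenant segment, the v2.0 path; trailing slash optional.
		$pattern = '#^https://login\.microsoftonline\.com/'
			. '([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})'
			. '/v2\.0/?$#i';
		if ( !preg_match( $pattern, $iss, $m ) ) {
			return false;
		}
		$tenant = strtolower( $m[1] );
		return $allowed === [] || in_array( $tenant, $allowed, true );
	};
}

$wgPluggableAuth_Config['Log in with your Microsoft account'] = [
	'plugin' => 'OpenIDConnect',
	'data' => [
		'providerURL' => 'https://login.microsoftonline.com/common/v2.0/',
		'clientID' => getenv( 'MICROSOFT_CLIENT_ID' ),
		'clientsecret' => getenv( 'MICROSOFT_SECRET' ),
		'issuerValidator' => makeMicrosoftIssuerValidator( [
			'00000000-0000-0000-0000-000000000000', // constructed placeholder tenant GUID
		] ),
	],
];
```

Leaving the allow-list empty still rejects issuers on other hosts or with a non-GUID tenant segment, but lets any Microsoft tenant sign in, so it is only appropriate for wikis that really intend to accept every tenant.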