Windows Live Open ID Connect/Oauth 2.0 How to use for SSO with Apache mod_auth_openidc -


i've got mod_auth_openidc working google , hand rolled version of phpoidc op mod_auth_openidc identity provider.

my problem appears bug in microsoft implementation.

mod_auth_openidc great mod , quite log of validation.

one of things returned in jwt "aud" parameter audience.

according open id connect spec:

aud required. audience(s) id token intended for. must contain oauth 2.0 client_id of relying party audience value. may contain identifiers other audiences. in general case, aud value array of case sensitive strings. in common special case when there 1 audience, aud value may single case sensitive string.

my client id 00000001234 (not real id, example).

i make through handshake , groovy, nonce "code" windows live, exchange token, token has "aud" value of:

00000000-0000-0000-0000-00000001234

mod_auth_openidc correctly checks "aud" value in returned token , responds error "aud" not match configured cliend_id, should, according spec.

my question is, other not validating audience of token, there way configure app, in ms developer console returns client id correctly "aud" value in returned token?

sans that, best place report such bug in implementation?

actually in docs login.live.com says ms live openid connect compliant. mention has built own sso protocol on top of oauth 2.0.

it seems you've found out by-trial-and-error ms live supports important pieces of openid connect (discovery document on well-known location, jwks uri, openid scope etc.), news me in itself. unfortunately seems 1 tiny thing still missing... that's reason not announcing openid connect support ms live id yet.

ms's openid connect implementation in azure ad is compliant already, live id not yet. guess can bug ms.


Comments

Popular posts from this blog

python - How to create jsonb index using GIN on SQLAlchemy? -

PHP DOM loadHTML() method unusual warning -

c# - TransactionScope not rolling back although no complete() is called -