david-haraga
commented
Oct 24, 2025
- support for multiple issuers
| } | ||
|
|
||
| if false && discoveryConfig.Issuer != issuer { | ||
| if !slices.Contains(issuers, discoveryConfig.Issuer) { |
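Review bot: the replaced condition `if false && discoveryConfig.Issuer != issuer` was dead code, so this hunk does not just widen a check, it switches on a discovery-issuer check that never ran before; please call that out in the description and confirm every existing deployment has its discovery issuer in the configured list. Note also that `slices.Contains` is an exact string match, so for a multi-tenant discovery document whose issuer is the literal template `https://sts.windows.net/{tenantid}/` this only passes if that template string itself is in `issuers`; a comment here saying that the discovery-document issuer may be a template and that the concrete tenant issuer is validated against the token claims later would prevent the next reader from assuming a real tenant id is being checked at this point.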
How is it supposed to work? This check doesn't make sense to me. You do not know tenantid at this stage (for multi-tenant mode). For multi-tenant the issuer is https://login.microsoftonline.com/common/ and the discoveryConfig.Issuer = https://sts.windows.net/{tenantid}/. The placeholder {tenantid} is not resolved with real tenantid. It will work only if you have string https://sts.windows.net/{tenantid}/ in the slice issuers []string
Exactly, I have added https://sts.windows.net/{tenantid}/ to the permitted issuer list in config
| if claims.GetIssuer() != issuer { | ||
| return fmt.Errorf("%w: Expected: %s, got: %s", ErrIssuerInvalid, issuer, claims.GetIssuer()) | ||
| func CheckIssuer(claims Claims, issuers []string) error { | ||
| if !slices.Contains(issuers, claims.GetIssuer()) { |
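Review bot: because `slices.Contains(issuers, claims.GetIssuer())` is an exact match against the concrete issuer in the token (for example `https://sts.windows.net/<tenant-id>/`), a template entry such as `https://sts.windows.net/{tenantid}/` added to the config for the discovery check above will never match here; tokens from a multi-tenant app will only be accepted if each concrete tenant issuer is also listed. That is the safer behaviour, since it keeps an explicit tenant allowlist, but it should be documented next to `CheckIssuer` and in the config so operators do not expect the template entry alone to admit multi-tenant tokens. The hunk removes `return fmt.Errorf("%w: Expected: %s, got: %s", ErrIssuerInvalid, issuer, claims.GetIssuer())` but the replacement return line is not shown; make sure the new error still wraps `ErrIssuerInvalid` and includes the rejected issuer value, as the old one did, so a mismatch is diagnosable from logs.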
Here the check makes sense as claims.GetIssuer is the real issuer: https://sts.windows.net/26f2a995-d6fd-4a27-9e38-b8bac98e4ce5/