Skip to content

fix: Ensure Microsoft attribute scope is not instantiated with a tenant ID during certification#3649

Merged
aterga merged 3 commits intomainfrom
arshvair/fix-ms-openid-attribute-scope
Mar 6, 2026
Merged

fix: Ensure Microsoft attribute scope is not instantiated with a tenant ID during certification#3649
aterga merged 3 commits intomainfrom
arshvair/fix-ms-openid-attribute-scope

Conversation

@aterga
Copy link
Contributor

@aterga aterga commented Mar 5, 2026
edited
Loading

Motivation

Microsoft's OpenID issuer ID contains a {tid} placeholder that can have multiple instantiations.

Since OpenID attributes scopes are literal OpenID issuer IDs, this whole is also expected to be part of the scope.

But the II backend interpolated {tid} with the actual tenant ID from the user's credentials. Thus, matching requested OpenID attributed over OpenID attributes available for a given user should be done using the proper (non-interpolated) OpenID issuer ID.

Changes

  • Use non-interpolated OpenID issuer ID while matching OpenID attribute scopes.

Tests

  • Regression tests

@aterga aterga requested a review from Copilot March 5, 2026 16:43
@aterga aterga marked this pull request as ready for review March 5, 2026 16:43
@aterga aterga requested a review from sea-snake March 5, 2026 16:49
Copilot AI reviewed Mar 5, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.

@aterga aterga requested a review from Copilot March 6, 2026 10:01
Copilot AI reviewed Mar 6, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 4 out of 4 changed files in this pull request and generated 3 comments.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

src/internet_identity/src/attributes.rs
issuer: openid_credential.iss.clone(),
});
// It is important here to rely on the issuer ID as opposed to `openid_credential.iss`
// becasue, e.g., for Microsoft accounts, the issuer has a tenant ID parameter
Copy link

Copilot AI Mar 6, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Typo in comment: "becasue" should be "because".

Suggested change
// becasue, e.g., for Microsoft accounts, the issuer has a tenant ID parameter
// because, e.g., for Microsoft accounts, the issuer has a tenant ID parameter

Copilot uses AI. Check for mistakes.
Copy link
Contributor Author

@aterga aterga Mar 6, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Will fix this in a follow-up PR

sea-snake
sea-snake approved these changes Mar 6, 2026
View reviewed changes
Copy link
Contributor

@sea-snake sea-snake left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, see Copilot nits.

@aterga aterga added this pull request to the merge queue Mar 6, 2026
Merged via the queue into main with commit de48668 Mar 6, 2026
64 checks passed
@aterga aterga deleted the arshvair/fix-ms-openid-attribute-scope branch March 6, 2026 11:08
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@sea-snake sea-snake sea-snake approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@aterga @sea-snake