Add support for the special common/organizations/consumers Azure AD tenants

ntherning · ntherning · commit 7d8518a0dcbe · 2024-04-08T13:35:36.000+02:00
When not targeting a specific Azure AD tenant (specified by a tenant GUID in the discovery document URL) but rather one of the "common", "organizations" or "consumers" multi-tenant aliases (see 1), discovery document parsing and ID token validation require a few extra steps: * The discovery document's "issuer" value contains the special placeholder "{tenantid}". As '{' and '}' are invalid characters in URLs, AppAuth has to URL encode these characters before the issuer URL can be parsed by NSURL in OIDServiceDiscovery.m. * The same "{tenantid}" placeholder needs to be replaced with the actual tenant ID of the authenticated user, from the "tid" claim (see 2) of the ID token, before ID token validation is performed in OIDAuthorizationService.m. 1: https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-protocols-oidc#fetch-the-openid-connect-metadata-document 2: https://docs.microsoft.com/en-us/azure/active-directory/develop/id-tokens#payload-claims
diff --git a/Sources/AppAuthCore/OIDAuthorizationService.m b/Sources/AppAuthCore/OIDAuthorizationService.m
@@ -563,6 +563,16 @@ + (void)performTokenRequest:(OIDTokenRequest *)request
       // OpenID Connect Core Section 3.1.3.7. rule #2
       // Validates that the issuer in the ID Token matches that of the discovery document.
       NSURL *issuer = tokenResponse.request.configuration.issuer;
+      if (issuer && [issuer.path containsString:@"{tenantid}"]) {
+        // The Azure AD discovery document's "issuer" value contains the special placeholder
+        // "{tenantid}". This needs to be replaced with the actual tenant ID of the authenticated
+        // user, from the "tid" claim of the ID token, before validation.
+        NSString *tid = idToken.claims[@"tid"];
+        if (tid) {
+          issuer = [NSURL URLWithString:[NSString stringWithFormat:@"%@://%@%@", issuer.scheme, issuer.host,
+                  [issuer.path stringByReplacingOccurrencesOfString:@"{tenantid}" withString:tid]]];
+        }
+      }
       if (issuer && ![idToken.issuer isEqual:issuer]) {
         NSError *invalidIDToken =
           [OIDErrorUtilities errorWithCode:OIDErrorCodeIDTokenFailedValidationError
diff --git a/Sources/AppAuthCore/OIDServiceDiscovery.m b/Sources/AppAuthCore/OIDServiceDiscovery.m
@@ -106,6 +106,16 @@ - (nullable instancetype)initWithJSONData:(NSData *)serviceDiscoveryJSONData
     return nil;
   }
 
+  NSString *issuer = (NSString *) json[@"issuer"];
+  if (issuer && [issuer containsString:@"{tenantid}"]) {
+    // The Azure AD discovery document's "issuer" value contains the special placeholder
+    // "{tenantid}". '{' and '}' are invalid characters in URLs and have to be URL encoded before
+    // the issuer URL can be parsed by NSURL.
+    NSMutableDictionary *newJson = [NSMutableDictionary dictionaryWithDictionary:json];
+    newJson[@"issuer"] = [issuer stringByReplacingOccurrencesOfString:@"{tenantid}" withString:@"%7Btenantid%7D"];
+    json = newJson;
+  }
+
   return [self initWithDictionary:json error:error];
 }
 
