
Document how to configure OIDC with Microsoft Entra ID custom keys

Stan Hu requested to merge sh-oidc-microsoft-entra-docs into master

What does this MR do and why?

When configuring OpenID Connect with Microsoft Entra ID, one customer had difficulty getting this to work because of the error:

Authentication failure! JSON::JWK::Set::KidNotFound

This occurred because the authorization failed to validate: the id_token was signed with a key not listed in the default JWKS URI provided by the OpenID Connect Discovery endpoint.

https://learn.microsoft.com/en-us/entra/identity-platform/access-tokens#validate-tokens discusses this in more detail:

If the application has custom signing keys as a result of using the claims-mapping feature, append an appid query parameter that contains the application ID. For validation, use jwks_uri that points to the signing key information of the application. For example: https://login.microsoftonline.com/{tenant}/.well-known/openid-configuration?appid=00001111-aaaa-2222-bbbb-3333cccc4444 contains a jwks_uri of https://login.microsoftonline.com/{tenant}/discovery/keys?appid=00001111-aaaa-2222-bbbb-3333cccc4444.

ZD: https://gitlab.zendesk.com/agent/tickets/565675

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Stan Hu
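To illustrate the key lookup the MR is working around, here is an added Ruby example (not GitLab's code and not the json-jwt gem's): it builds the tenant-wide and appid-qualified discovery and JWKS URLs from the quoted Microsoft documentation, and reproduces the kid lookup that fails with KidNotFound when the id_token header's kid is absent from the key set. The tenant name, appid, token header and JWKS contents are constructed sample values, not real keys.

```ruby
require 'json'
require 'base64'

# Entra ID discovery URL. Without an appid the tenant-wide key set is advertised;
# with an appid the app-specific signing keys are advertised (needed when
# claims mapping gives the application custom signing keys).
def entra_discovery_url(tenant, appid: nil)
  url = "https://login.microsoftonline.com/#{tenant}/.well-known/openid-configuration"
  appid ? "#{url}?appid=#{appid}" : url
end

# The jwks_uri that the discovery document above points to.
def entra_jwks_url(tenant, appid: nil)
  url = "https://login.microsoftonline.com/#{tenant}/discovery/keys"
  appid ? "#{url}?appid=#{appid}" : url
end

# Read the (unverified) JOSE header of a compact JWT and return its kid.
def jwt_kid(id_token)
  header_b64 = id_token.split('.').first
  JSON.parse(Base64.urlsafe_decode64(header_b64))['kid']
end

# Stand-in for JSON::JWK::Set::KidNotFound: the verifier must find a key whose
# kid matches the token header before it can check the signature at all.
class KidNotFound < StandardError; end

def find_signing_key(id_token, jwks)
  kid = jwt_kid(id_token)
  key = jwks['keys'].find { |k| k['kid'] == kid }
  raise KidNotFound, "kid #{kid} not present in JWKS" unless key
  key
end

# Constructed sample data: a token header naming kid "custom-1"; payload and
# signature are placeholders because only the header is inspected here.
SAMPLE_HEADER = Base64.urlsafe_encode64({ alg: 'RS256', kid: 'custom-1', typ: 'JWT' }.to_json, padding: false)
SAMPLE_ID_TOKEN = "#{SAMPLE_HEADER}.e30.sig"

# Constructed JWKS documents: the tenant-wide set lacks the custom key,
# the appid-qualified set contains it.
TENANT_JWKS = { 'keys' => [{ 'kty' => 'RSA', 'kid' => 'tenant-1', 'use' => 'sig' }] }
APP_JWKS    = { 'keys' => [{ 'kty' => 'RSA', 'kid' => 'custom-1', 'use' => 'sig' }] }
```

Running find_signing_key against TENANT_JWKS raises KidNotFound, which is the failure in the ticket; against APP_JWKS (fetched from the appid-qualified jwks_uri) the key is found and signature validation can proceed.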
