From a14ac3d3bed4e8a57b3e032d8a5c70ff546e905f Mon Sep 17 00:00:00 2001
From: Sal Scotto
Date: Tue, 29 Oct 2024 08:26:35 -0600
Subject: [PATCH] Update entra_id.rb
Add support, for on premsis ADFS where teh tenat id has to be set as ADFS, in which case we shouldnt try to verify as we are not in multi tenant mode.
---
 lib/omniauth/strategies/entra_id.rb | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/lib/omniauth/strategies/entra_id.rb b/lib/omniauth/strategies/entra_id.rb
index 38dd2f0..92d0634 100644
--- a/lib/omniauth/strategies/entra_id.rb
+++ b/lib/omniauth/strategies/entra_id.rb
@@ -13,7 +13,7 @@ class EntraId < OmniAuth::Strategies::OAuth2
 DEFAULT_SCOPE = 'openid profile email'
 COMMON_TENANT_ID = 'common'
-
+ ADFS_TENANT_ID = 'adfs'
 # The tenant_provider must return client_id, client_secret and,
 # optionally, tenant_id and base_url.
 #
@@ -135,9 +135,9 @@ def raw_info
 # For multi-tenant apps (the 'common' tenant_id) it doesn't make any
 # sense to verify the token issuer, because the value of 'iss' in the
- # token depends on the 'tid' in the token itself.
+ # token depends on the 'tid' in the token itself. We should also skip for ADFS local instance, as we dont put a valid tenant id in its place, but adfs instead
 #
- issuer = if options.tenant_id.nil? || options.tenant_id == COMMON_TENANT_ID
+ issuer = if options.tenant_id.nil? || options.tenant_id == COMMON_TENANT_ID || options.tenant_id == ADFS_TENANT_ID
 nil
 else
 "#{options.base_url || BASE_URL}/#{options.tenant_id}/v2.0"
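Review bot: `ADFS_TENANT_ID = 'adfs'` is a sentinel whose only effect is to switch issuer verification off (the `issuer = nil` branch in the `raw_info` hunk), but nothing at the definition says so; a comment such as `# Sentinel tenant_id for on-premises ADFS: no issuer check is performed, because the 'iss' claim is not derived from base_url/tenant_id` would keep the next reader from treating it like COMMON_TENANT_ID. Skipping the check outright is a weaker posture than verifying against a configured value: an on-premises ADFS has a fixed, operator-known issuer, so an expected-issuer setting compared in place of `nil` would preserve the check for that deployment, though whether the strategy already offers such an option is not visible here. The comparison is an exact string match, so a `tenant_id` of `'ADFS'` would miss the sentinel and instead produce the issuer `.../ADFS/v2.0`, which is presumably never what an ADFS token carries. The rewritten comment line in the second hunk runs far past the file's line length and has typos (`dont`, `adfs`); wrapping it like the lines above it would be consistent. The `raw_info` method and the code around both hunks continue outside the visible range.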