
FarazSiddiqui-5277 asked ·

Azure AD OIDC token issues

Hi,

We've been using OIDC tokens with our application behind AWS ALB, and it's been working fine until last week. It looks like the UserInfo endpoint is not returning everything AWS ALB is expecting as per the OIDC protocol specs? MSFT has been advising us to use the /me endpoint, but it doesn't return sub.

We've tried putting the right scopes (openid, email, profile) and manifest in the Azure AD application, but no luck. Any idea if there's anything that changed when it comes to the UserInfo endpoint?

Thanks

azure-active-directory
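The symptom described above (a UserInfo-style response that lacks `sub`, as the Graph `/me` endpoint does) can be reproduced with the check a relying party such as ALB performs: OIDC Core requires `sub` in the UserInfo response and requires the client to verify it equals the ID token's `sub`. The following is an added example, not code from the thread or from AWS/Microsoft; the ID token, the two sample responses and the scope-to-claim mapping are constructed, and the JWT payload is decoded without signature verification purely for claim inspection.

```python
import base64
import json

# "sub" is the only UserInfo claim OIDC Core makes mandatory; the other
# scope->claim mappings below are an assumption drawn from the scopes in the question.
REQUIRED_CLAIMS = {"sub"}
SCOPE_CLAIMS = {"email": {"email"}, "profile": {"name"}}


def decode_jwt_payload(token: str) -> dict:
    """Return the payload segment of a JWT for claim inspection only.
    Signature validation belongs in the token validation step, not here."""
    payload_b64 = token.split(".")[1]
    payload_b64 += "=" * (-len(payload_b64) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload_b64))


def check_userinfo(id_token: str, userinfo: dict, scopes: set) -> list:
    """Compare a UserInfo response with the ID token the way a relying party does.
    Returns a list of findings; an empty list means the response is usable."""
    findings = []
    id_claims = decode_jwt_payload(id_token)
    expected = set(REQUIRED_CLAIMS)
    for scope in scopes:
        expected |= SCOPE_CLAIMS.get(scope, set())
    for claim in sorted(expected - userinfo.keys()):
        findings.append(f"missing claim: {claim}")
    if "sub" in userinfo and userinfo["sub"] != id_claims.get("sub"):
        findings.append("sub mismatch between UserInfo and ID token")
    return findings


def make_sample_jwt(payload: dict) -> str:
    """Build a constructed, unsigned JWT (placeholder signature) for the demo."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(payload)}.placeholder-signature"


# Constructed sample data: an ID token, a spec-compliant UserInfo response,
# and a Graph /me style response that carries id/displayName/mail but no sub.
SAMPLE_ID_TOKEN = make_sample_jwt(
    {"iss": "https://issuer.example/v2.0", "aud": "client-id-example", "sub": "subject-123"}
)
USERINFO_OK = {"sub": "subject-123", "name": "Example User", "email": "user@example.com"}
ME_STYLE_RESPONSE = {"id": "object-id-456", "displayName": "Example User", "mail": "user@example.com"}

if __name__ == "__main__":
    scopes = {"openid", "email", "profile"}
    print("userinfo:", check_userinfo(SAMPLE_ID_TOKEN, USERINFO_OK, scopes))
    print("/me style:", check_userinfo(SAMPLE_ID_TOKEN, ME_STYLE_RESPONSE, scopes))
```

Running it shows the `/me` style response failing on the missing `sub` (plus the standard `email` and `name` claim names), which is exactly the gap a strict relying party rejects.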

FrankHuMSFT-3200 answered ·

Hello, there are no configurations that can be made for the userinfo and me endpoints currently. If you'd like these features to be implemented, please submit feedback here: https://feedback.azure.com/forums/169401-azure-active-directory and if there's enough community support the product team will look into it and put it on the roadmap.

If you're having issues getting AWS ALB and AAD Auth working properly, I suggest filing a support ticket with Amazon to try to get further traction, as there is nothing that can be done to change what is returned from the userinfo/me endpoints currently.

It sounds like there's an issue with the AWS ALB OIDC configuration; I suggest trying to see if Amazon can relax the rules for sub. https://docs.aws.amazon.com/elasticloadbalancing/latest/application/listener-authenticate-users.html


FarazSiddiqui-5277 answered ·

Hi,

Thanks for the quick reply. The solution has been working for more than a year, so there's no new feature required here.

Something changed last week, either on the MS or the AWS side, but unfortunately neither has a clue what has caused this. We've engaged both MS and AWS in a professional capacity, but no resolution so far; both are blaming each other.

We're going to remove ALB authentication and do our own auth, as our site has been down for the last 7 days because of this.

If you google it, you'll find tons of questions/issues people have raised on this issue.

Thanks for your help though.
