Comments (4)
PesalaPavan
commented on June 30, 2024
1
@govindr-cm
Thanks for your feedback! We will investigate and update as appropriate.
from entra-docs.
govindr-cm
commented on June 30, 2024
Thank you! Let me know if anything is unclear and you'd like me to elaborate.
from entra-docs.
AjayBathini-MSFT
commented on June 30, 2024
@govindr-cm
Thank you for your feedback!
Since this issue isn't directly related to improving our docs, and to gain a better understanding of your issue, I'd recommend working closer with our support team via an [Azure support request] (https://docs.microsoft.com/en-us/azure/azure-portal/supportability/how-to-create-azure-support-request). Or you can leverage our Q&A forum by posting your issue there so our community, and MVPs can further assist you in troubleshooting this issue or finding potential workarounds.
[Teams Q&A forum] (https://docs.microsoft.com/en-us/answers/topics/46488/office-teams-windows-itpro.html) for technical questions about the configuration and administration of Microsoft Teams on Windows.
[Microsoft Teams Community forum] (https://answers.microsoft.com/en-us/msteams/forum?sort=LastReplyDate&dir=Desc&tab=All&status=all&mod=&modAge=&advFil=&postedAfter=&postedBefore=&threadType=All&isFilterExpanded=false&page=1)
Thank you for your time and patience throughout this issue.
from entra-docs.
govindr-cm
commented on June 30, 2024
Hi Ajay,
The security question itself is not docs related, but the broader question at the bottom is. I'll state it again here:
Could we have a single page with all differences from usual OIDC implementations and recommendations for handling these, and why the resulting flow is secure?
Here is an example of something that I don't see listed in the documentation. The OIDC says that the issuer in the token must match the issuer used to get the token (https://openid.net/specs/openid-connect-core-1_0.html#IssuerIdentifier). This does not hold for Microsoft's OIDC (MicrosoftDocs/azure-docs#38427 (comment)).
This difference is implicitly mentioned here where the issuer claim is mentioned: https://learn.microsoft.com/en-us/entra/identity-platform/id-token-claims-reference, but there is no argument about the security of this. But since verifying the issuer is explicitly mentioned in the OIDC spec, the deviation of this deserves a mention - what should the verifier do and why is it secure? I don't see this on this page.
Edit: Upon rereading page mentions that the verifier should restrict the tenant if applicable, which is a concrete recommendation. It would be nice if security of this for "common", "organizations" etc. was also mentioned, and further if it was on a single page.
The reason this is a problem is even though security of checking the tenanted URL may be obvious in isolation, is that in combination with other deviations from the spec there could be security holes - like the one I am worried about.
from entra-docs.
Related Issues (20)
- new auth providers may no longer be created HOT 5
- I have some issue relate one user one domain one business HOT 3
- Typo HOT 1
- Feature Comparison Incorrect HOT 1
- Known limitations text is unclear HOT 2
- SAML Configuration for multiple AWS Identifiers HOT 5
- Broken Links to downloads HOT 3
- Microsoft Entra Connect Sync returns a 404 error HOT 4
- spelling error - "inforamtion" HOT 3
- typo "authoruty" HOT 3
- Dynamic membership rules documentation error: Property 'objectid' cannot be applied to object 'Group' HOT 3
- Simulate Workload Identities Risk Learning Period HOT 2
- Inconsistent IDs in Example 7 of "Assign custom admin roles using the Microsoft Graph API in Microsoft Entra ID" Document HOT 4
- Inconsistent statement for SAML/WS-Fed identity provider configuration of required claims HOT 2
- previousDayDateTime24hrs included example but not explained HOT 5
- AppID is ambiguous on External ID Custom Authentication Extension instructions HOT 1
- Possibly incorrect description for AADSTS50074 on "Microsoft Entra authentication and authorization error codes" page HOT 4
- Update Segment docs to add flag to the Tenant URL HOT 3
- Invalid JSON examples HOT 1
- Entra Permissions Management Region Availability HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from entra-docs.