Skip to content

Add OIDC Issuer Validation #865

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
4gust wants to merge 1 commit into from
Closed

Add OIDC Issuer Validation #865

4gust wants to merge 1 commit into from

Conversation

@4gust
Copy link

@4gust 4gust commented Dec 18, 2025

Add OIDC Issuer Validation for Enhanced Security

Problem

When using OIDC authority URLs, MSAL Python was not validating the issuer claim from the OIDC discovery response. Per the OpenID Connect Discovery specification, the issuer returned in the discovery document should be validated. Without this validation, applications could be vulnerable to accepting tokens from unauthorized identity providers.

Solution

Added issuer validation when initializing an authority with oidc_authority_url:

  1. New TRUSTED_ISSUER_HOSTS constant - A frozenset of well-known Microsoft identity provider hosts:

    • login.microsoftonline.com, login.microsoft.com, login.windows.net, sts.windows.net
    • National clouds: login.chinacloudapi.cn, login.partner.microsoftonline.cn, login.microsoftonline.de, login.microsoftonline.us, login.usgovcloudapi.net, login-us.microsoftonline.com

  2. New _validate_issuer() function - Validates the issuer claim with O(1) lookups:

    • Exact match: Issuer matches the authority URL (normalized for trailing slashes)
    • Trusted host: Issuer is from a well-known Microsoft host
    • Regional pattern: Supports regional variants like westus2.login.microsoft.com

  3. Validation is called only for OIDC authorities - Standard Entra authorities continue to work without additional validation

Files Changed

  • msal/authority.py - Added TRUSTED_ISSUER_HOSTS, _validate_issuer() function, and validation call

Breaking Changes

Applications using oidc_authority parameter will now require the OIDC discovery response to include a valid issuer claim that either:

  • Matches the authority URL exactly, OR
  • Is from a trusted Microsoft identity provider host

@4gust 4gust self-assigned this Dec 18, 2025
@4gust 4gust requested a review from a team as a code owner December 18, 2025 11:35
@4gust 4gust requested review from bgavrilMS and rayluo December 18, 2025 11:35
@Avery-Dunn
Copy link

Avery-Dunn commented Dec 18, 2025

What is the difference between this issuer validation and the one in this older PR? #840

Also, back when we did this validation for the other MSALs we had to consider the special case CIAM custom domains: a customer could set up xyz.something.com as their authority, but behind the scenes it seemed like Entra would still have {tenant}.ciamlogin.com as the issuer.

@4gust
Copy link
Author

4gust commented Dec 18, 2025

@Avery-Dunn I hadn’t noticed that before—thank you for pointing it out.
The difference is only that caused the regional check to fail in this case.
I’ll close this issue and update #840 to also validate region-based checks.

@4gust 4gust closed this Dec 18, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@bgavrilMS bgavrilMS bgavrilMS approved these changes

@rayluo rayluo Awaiting requested review from rayluo

Assignees

@4gust 4gust

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@4gust @Avery-Dunn @bgavrilMS