I've got mod_auth_openidc working with Google and a hand-rolled version of phpOIDC as my OP, with mod_auth_openidc as my identity provider.
My problem appears to be a bug in the Microsoft implementation.
mod_auth_openidc is a great mod and does quite a lot of validation.
One of the things that is returned in a JWT is the "aud" parameter which is the audience.
According to the OpenID Connect spec:
aud
REQUIRED. Audience(s) that this ID Token is intended for. It MUST contain the OAuth 2.0 client_id of the Relying Party as an audience value. It MAY also contain identifiers for other audiences. In the general case, the aud value is an array of case sensitive strings. In the common special case when there is one audience, the aud value MAY be a single case sensitive string.
My client id is 00000001234 (not my real ID, just an example).
I make it through the handshake and everything is groovy: I get my nonce "code" from Windows Live, then I exchange it for my token, but the token I get back has an "aud" value of:
00000000-0000-0000-0000-00000001234
mod_auth_openidc correctly checks the "aud" value in the returned token and responds with an error, as the "aud" does not match the configured client_id, which it should, according to the spec.
My question is: other than not validating the audience of the token, is there any way to configure the app in the MS Developer console so that it returns the client ID correctly as the "aud" value in the returned token?
Sans that, where is the best place to report such a bug in their implementation?
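The "aud" rule the question quotes is easy to get subtly wrong, so here is the check written out in Python as an added example (it is not code from the question, from mod_auth_openidc, or from Microsoft). The function names, the alg=none demo token builder and the sample claim values are constructed for this illustration; the client_id and the prefixed audience value mirror the example figures in the question. It applies the OpenID Connect Core 3.1.3.7 rules (aud is a case-sensitive string or array of strings, it must contain the RP's client_id, and with multiple audiences an azp claim matching the client_id is expected) and shows why the tempting "substring" workaround is not a fix:

```python
import base64
import json


def b64url_decode(segment: str) -> bytes:
    """Decode a JWT segment; JWTs drop '=' padding, so restore it first."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact-serialized JWT.

    This deliberately does NOT verify the signature; it only isolates the
    claim checks the question is about. A real RP validates the JWS first.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact-serialized JWS")
    return json.loads(b64url_decode(parts[1]))


def make_unsigned_token(claims: dict) -> str:
    """Build an alg=none token so the demo runs offline (constructed data).

    Never accept alg=none from a real OP; this exists only to feed jwt_claims.
    """
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


def audience_ok(claims: dict, client_id: str) -> bool:
    """Spec-conformant aud check (OpenID Connect Core 3.1.3.7).

    - aud is a single string or an array of strings (case-sensitive).
    - It MUST contain our client_id as an exact element, not a substring.
    - With multiple audiences an azp claim SHOULD be present, and any azp
      present SHOULD equal our client_id.
    """
    aud = claims.get("aud")
    if isinstance(aud, str):
        audiences = [aud]
    elif isinstance(aud, list) and all(isinstance(a, str) for a in aud):
        audiences = aud
    else:
        return False  # missing or malformed aud
    if client_id not in audiences:  # exact, case-sensitive comparison
        return False
    if len(audiences) > 1 or "azp" in claims:
        if claims.get("azp") != client_id:
            return False
    return True


def naive_audience_ok(claims: dict, client_id: str) -> bool:
    """The tempting 'fix' for the prefixed value: a substring match.

    Shown only to demonstrate the pitfall; any audience that merely contains
    the client_id would be accepted, which defeats the purpose of the claim.
    """
    return client_id in str(claims.get("aud"))


# Constructed values mirroring the question: configured client_id versus the
# zero-prefixed GUID-looking value that came back in the token's aud claim.
CLIENT_ID = "00000001234"
RETURNED_AUD = "00000000-0000-0000-0000-00000001234"


def check_returned_token() -> tuple:
    """Decode a constructed token carrying the prefixed aud and run both checks."""
    token = make_unsigned_token({"iss": "https://op.example", "aud": RETURNED_AUD,
                                 "sub": "user1", "nonce": "abc"})
    claims = jwt_claims(token)
    return audience_ok(claims, CLIENT_ID), naive_audience_ok(claims, CLIENT_ID)


if __name__ == "__main__":
    strict, naive = check_returned_token()
    print(f"aud={RETURNED_AUD!r} client_id={CLIENT_ID!r}")
    print(f"spec-conformant check: {strict}   substring check: {naive}")
```

Run as a script it reports that the strict check rejects the prefixed audience while the substring check accepts it, which is exactly why the module's behaviour in the question is correct and why loosening the comparison is not a safe workaround.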
client_id? My client_id looks like `xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx`. It authenticates against Azure AD, which sends it through to Live ID, so not so much directly against Live ID. Perhaps that's different for you? – Hans Z.