Add OIDC issuer validation #840

Merged: bgavrilMS merged 11 commits into dev from avdunn/issuer-validation on Feb 19, 2026

@Avery-Dunn Avery-Dunn commented Jul 18, 2025

Adds new validation according to: https://identitydivision.visualstudio.com/Engineering/_workitems/edit/3268768

The issuer returned by the call to the OIDC endpoint (.well-known/openid-configuration) is valid if one of the following is true:

  • It exactly matches the authority URL
  • It has a known Microsoft host (e.g., login.microsoftonline.com)
  • It has the same scheme and host as the authority (path can be different)
  • For CIAM, the issuer follows the pattern of {tenant}.ciamlogin.com, even when using a custom domain

The validation behavior was added to authority.py, and new tests were added to test_authority.py to cover it.

In addition, a few other tests in test_authority.py and test_application.py were given valid issuers in their mocked OIDC discovery responses in order to pass validation, but were otherwise unchanged.

(this is the full implementation of the work started in this draft PR: #830)
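
An added example, not the code merged in this PR and not MSAL's own implementation: one way to express the four acceptance rules listed in the description above. The `ciam_tenant` parameter, the single-entry host set, and the https-on-443 requirement for rules 2 and 4 are assumptions of this example.

```python
from urllib.parse import urlsplit

# Assumption: only the host named in the PR description; a real list is longer.
KNOWN_MICROSOFT_HOSTS = frozenset({"login.microsoftonline.com"})
CIAM_SUFFIX = ".ciamlogin.com"
DEFAULT_PORTS = {"https": 443, "http": 80}


def _parse(url):
    """Return (scheme, host, port), or None for URLs that must not be trusted."""
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    # Parse the host instead of substring-matching: "known-host@other-host"
    # puts the known name in userinfo, so any userinfo is rejected outright.
    if not parts.hostname or parts.username is not None or parts.password is not None:
        return None
    return parts.scheme, parts.hostname, port or DEFAULT_PORTS.get(parts.scheme)


def issuer_is_valid(authority, issuer, ciam_tenant=None):
    """Apply the four acceptance rules from the PR description, in order.

    ciam_tenant is a hypothetical parameter: the tenant name the application
    was configured with, needed when the authority uses a custom domain.
    """
    if not issuer:
        return False
    if issuer == authority:  # rule 1: exact match with the authority URL
        return True
    iss, auth = _parse(issuer), _parse(authority)
    if iss is None:
        return False
    # rule 2: known Microsoft host (https on 443 is this example's assumption)
    if iss[1] in KNOWN_MICROSOFT_HOSTS and iss == ("https", iss[1], 443):
        return True
    # rule 3: same scheme and host as the authority; the path may differ
    if auth is not None and iss == auth:
        return True
    # rule 4: CIAM issuer is {tenant}.ciamlogin.com even behind a custom domain
    if ciam_tenant:
        return iss == ("https", ciam_tenant.lower() + CIAM_SUFFIX, 443)
    return False
```
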

@Avery-Dunn Avery-Dunn requested a review from a team as a code owner July 18, 2025 21:32
@bgavrilMS bgavrilMS requested a review from rayluo July 23, 2025 12:03

@rayluo rayluo left a comment

We are discussing in this offline conversation on Teams.

@Avery-Dunn Avery-Dunn requested review from bgavrilMS and rayluo July 24, 2025 21:32
@bgavrilMS bgavrilMS self-requested a review July 30, 2025 17:59
@bgavrilMS commented (Member)

@rayluo - any updates on this?

@Avery-Dunn commented (Contributor Author)

@rayluo Any updates on this? A while back you had some behaviors you wanted to confirm or edge cases you wanted to test, and @4gust updated this PR to handle validating region-specific endpoints, but I can't remember what was still blocking this.

@bgavrilMS bgavrilMS removed the request for review from rayluo February 18, 2026 11:26

@bgavrilMS bgavrilMS left a comment

Need another rule for regional.

@bgavrilMS bgavrilMS merged commit d7e0e11 into dev Feb 19, 2026
22 checks passed