AzureAD .well-known config is partially invalid, making OAuth2 registration with the "common" or "organizations" endpoints impossible

[GlitterHorn]

• Gitea version (or commit ref): 1.11.6
• Git version: 2.27.0
• Operating system: Arch Linux, kernel 5.6.15-arch1-1
• Database (use [x]):
  • MySQL (MirandaDB)
• Can you reproduce the bug at https://try.gitea.io:
  • Not relevant

Description

A related bug was filed with Azure awhile ago, and I confirmed with that team that this bug is not in the roadmap to be fixed any time soon, because doing so requires considerable engineering effort. That bug is here:
MicrosoftDocs/azure-docs#38427

The TL;DR is that Azure's endpoint doesn't actually return a valid issuer URI in the .well-known response from the endpoint, if you are trying to use either the common or organizations endpoints. When you try to hit either of these, the .well-known response looks like this:

"issuer": "https://login.microsoftonline.com/{tenantid}/v2.0"

The correct issuer is in the URL of the .well-known config itself:

https://login.microsoftonline.com/organizations/v2.0/.well-known/openid-configuration

Gitea checks the issuer in the .well-known response, and since it doesn't match, it throws an HTTP 500 error after successful authentication.

I think this can be addressed one of two ways:

• Add a warning if the user tries to use either common or organizations with Microsoft's OAuth2 endpoint
• Programmatically fix the issuer URL in the response so Gitea doesn't complain about issuer mismatch

Alternatively, maybe Microsoft can be added as a preconfigured OAuth2 provider. I'm not a Go dev but I can help answer any questions related to Microsoft's implementation.

[stale]

This issue has been automatically marked as stale because it has not had recent activity. I am here to help clear issues left open even if solved or waiting for more insight. This issue will be closed if no further activity occurs during the next 2 weeks. If the issue is still valid just add a comment to keep it alive. Thank you for your contributions.

[zeripath]

So markbates/goth (our underlying multi-authentication source) has a couple of azure backends. In order to integrate this as a new provider we would need an azure AD to test against though.

[GlitterHorn]

I'm happy to help test with my dev AAD tenant.

[stale]

This issue has been automatically marked as stale because it has not had recent activity. I am here to help clear issues left open even if solved or waiting for more insight. This issue will be closed if no further activity occurs during the next 2 weeks. If the issue is still valid just add a comment to keep it alive. Thank you for your contributions.

[GlitterHorn]

Still an issue..