Added support for enterprise app sso certificates

[LukeFerris]

When an app is registered as an Azure Enterprise app and SSO is turned on, Azure uses a different set of certificates to sign the resulting issued tokens.

The standard certificates are reached via:
https://login.microsoftonline.com/TENANT_ID/.well-known/openid-configuration.
However, when SSO is turned on, a different cert is used not present in the above list. Instead you can reach the correct certificate list using:
https://login.microsoftonline.com/TENANT_ID/.well-known/openid-configuration?appid=CLIENT_ID

As it happens, even if SSO is not turned on, the second of these URL options still returns the correct certificate list.

We bumped into this in a recent deployment and so I offer this addition to enable the package to work in both scenarios.

[codecov]

Codecov Report

Merging #87 into master will not change coverage.
The diff coverage is 100%.

@@           Coverage Diff           @@
##           master      #87   +/-   ##
=======================================
  Coverage   81.81%   81.81%           
=======================================
  Files           6        6           
  Lines         407      407           
=======================================
  Hits          333      333           
  Misses         74       74

Impacted Files	Coverage Δ
django_auth_adfs/config.py	84.46% <100%> (ø)	⬆️

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 7626ca6...1d078e1. Read the comment docs.

[jobec]

Found some refs to it here: https://docs.microsoft.com/en-us/azure/active-directory/develop/v1-protocols-openid-connect-code#openid-connect-metadata-document

Are you 100% sure it works in a fresh, vanilla Azure AD setup? Because if it doesn't, then sending it always will break existing implementations.

[LukeFerris]

I’ve tested it in two scenarios. 1. My private Azure vanilla instance (directs to the standard Microsoft certs) 2. Our Bain corporate azure instance which is configured with SSO applied (directs to the app specific cert) Both of those work correctly. You can also confirm this just using a browser. For example my private vanilla Azure would end up using this URL: https://login.microsoftonline.com/0579aa85-9e13-4389-a812-79a850b78349/.well-known/openid-configuration?appid=412727a7-b5a6-41b9-a272-278eaae6421d Which returns this as the jwks_uri: https://login.microsoftonline.com/0579aa85-9e13-4389-a812-79a850b78349/discovery/keys?appid=412727a7-b5a6-41b9-a272-278eaae6421d This appears to be a filtered version of the page your code currently ends up referencing: https://login.microsoftonline.com/common/discovery/keys So yes, it does appear to work on a vanilla Azure AD setup as well as our corporate one. I have to admit I’m a little scared there might be other settings/stuff in here that this change might effect – but from the test setup that I have it works fine. I actually have an open support ticket with Azure support on this so if you want I can ask them about the above URLs and whether this approach is valid. Let me know what you think. Luke From: Joris Beckers <notifications@github.com> Reply-To: jobec/django-auth-adfs <reply@reply.github.com> Date: Thursday, 31 October 2019 at 15:07 To: jobec/django-auth-adfs <django-auth-adfs@noreply.github.com> Cc: "Ferris, Luke" <Luke.Ferris@Bain.com>, Author <author@noreply.github.com> Subject: Re: [jobec/django-auth-adfs] Added support for enterprise app sso certificates (#87) Found some refs to it here: https://docs.microsoft.com/en-us/azure/active-directory/develop/v1-protocols-openid-connect-code#openid-connect-metadata-document<https://urldefense.proofpoint.com/v2/url?u=https-3A__docs.microsoft.com_en-2Dus_azure_active-2Ddirectory_develop_v1-2Dprotocols-2Dopenid-2Dconnect-2Dcode-23openid-2Dconnect-2Dmetadata-2Ddocument&d=DwMCaQ&c=YgvAunA6A5zFF9cMHqSY3cSQ3MG-auFOlwIB7e1Llto&r=uvJCB5zi8315z2S5nGWYQdM0dHuuGojbCycJ4avMN18&m=Ja_OQfcvEU1F8BdWQhNs7WgINtEysT73Kc8HRfhlros&s=g1aod4bhMGdXjh8qREQZYyJrho0OmXP6oJI35Vse2EI&e=> Are you 100% sure it works in a fresh, vanilla Azure AD setup? Because if it doesn't, then sending it always will break existing implementations. — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub<https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_jobec_django-2Dauth-2Dadfs_pull_87-3Femail-5Fsource-3Dnotifications-26email-5Ftoken-3DAEWQU4N7QHWRSK3UXI5NFTTQRLQ4HA5CNFSM4JHKLQMKYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOECX4U4Q-23issuecomment-2D548391538&d=DwMCaQ&c=YgvAunA6A5zFF9cMHqSY3cSQ3MG-auFOlwIB7e1Llto&r=uvJCB5zi8315z2S5nGWYQdM0dHuuGojbCycJ4avMN18&m=Ja_OQfcvEU1F8BdWQhNs7WgINtEysT73Kc8HRfhlros&s=b9AQFZYGns9mE9WnvP7NGIruuts6pPpS2PY-0zY1ags&e=>, or unsubscribe<https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_notifications_unsubscribe-2Dauth_AEWQU4KI3MKKYR4ECQWQQW3QRLQ4HANCNFSM4JHKLQMA&d=DwMCaQ&c=YgvAunA6A5zFF9cMHqSY3cSQ3MG-auFOlwIB7e1Llto&r=uvJCB5zi8315z2S5nGWYQdM0dHuuGojbCycJ4avMN18&m=Ja_OQfcvEU1F8BdWQhNs7WgINtEysT73Kc8HRfhlros&s=IYtRxVPvXWPeTNyLuI3oWD7sf7YBJc5xwB4eEz7f484&e=>.

…

________________________________ This e-mail, including any attachments, contains confidential information of Bain & Company, Inc. ("Bain") and/or its clients. It may be read, copied and used only by the intended recipient. Any use by a person other than its intended recipient, or by the recipient but for purposes other than the intended purpose, is strictly prohibited. If you received this e-mail in error, please contact the sender and then destroy this e-mail. Opinions, conclusions and other information in this message that do not relate to the official business of Bain shall be understood to be neither given nor endorsed by Bain. Any personal information sent over e-mail to Bain will be processed in accordance with our Privacy Policy (https://www.bain.com/privacy).

[jobec]

If you can ask that, that would be great.

From your tests I expect it to work, because we don't really need that much from those metadata. But a confirmation would also ease my mind.

[LukeFerris]

Agreed – I’ll let you know. From: Joris Beckers <notifications@github.com> Reply-To: jobec/django-auth-adfs <reply@reply.github.com> Date: Thursday, 31 October 2019 at 15:40 To: jobec/django-auth-adfs <django-auth-adfs@noreply.github.com> Cc: "Ferris, Luke" <Luke.Ferris@Bain.com>, Author <author@noreply.github.com> Subject: Re: [jobec/django-auth-adfs] Added support for enterprise app sso certificates (#87) If you can ask that, that would be great. From your tests I expect it to work, because we don't really need that much from those metadata. But a confirmation would also ease my mind. — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub<https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_jobec_django-2Dauth-2Dadfs_pull_87-3Femail-5Fsource-3Dnotifications-26email-5Ftoken-3DAEWQU4OMQIWY2QMK3LMTQX3QRLU4LA5CNFSM4JHKLQMKYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOECYAR5Y-23issuecomment-2D548407543&d=DwMCaQ&c=YgvAunA6A5zFF9cMHqSY3cSQ3MG-auFOlwIB7e1Llto&r=uvJCB5zi8315z2S5nGWYQdM0dHuuGojbCycJ4avMN18&m=ksqGAHe-M4fYi97RgiQ7E8-8-pzK6MQbbV4sT-QWYGQ&s=1Jwa-_NCywGkBbIDK6cjfHiVfieixQ7Z0XwkT4v0MyY&e=>, or unsubscribe<https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_notifications_unsubscribe-2Dauth_AEWQU4PQT6ATAQF3JO7IB2TQRLU4LANCNFSM4JHKLQMA&d=DwMCaQ&c=YgvAunA6A5zFF9cMHqSY3cSQ3MG-auFOlwIB7e1Llto&r=uvJCB5zi8315z2S5nGWYQdM0dHuuGojbCycJ4avMN18&m=ksqGAHe-M4fYi97RgiQ7E8-8-pzK6MQbbV4sT-QWYGQ&s=E2e3u9BV8Wm2DXZMLNXt53sO_N-owDeOhERwN5Rktpk&e=>.

…

________________________________ This e-mail, including any attachments, contains confidential information of Bain & Company, Inc. ("Bain") and/or its clients. It may be read, copied and used only by the intended recipient. Any use by a person other than its intended recipient, or by the recipient but for purposes other than the intended purpose, is strictly prohibited. If you received this e-mail in error, please contact the sender and then destroy this e-mail. Opinions, conclusions and other information in this message that do not relate to the official business of Bain shall be understood to be neither given nor endorsed by Bain. Any personal information sent over e-mail to Bain will be processed in accordance with our Privacy Policy (https://www.bain.com/privacy).

[jobec]

Did you perhaps already got a reply on your question towards microsoft?

[LukeFerris]

Hi Joris, Sorry for the slow reply. Just getting a chance to come back to this. Yes! Microsoft support confirmed my understanding that the approach will work correctly and is as per standard. I’ll forward you the response and then maybe you can go ahead and merge? Happy Christmas! Thanks Luke From: Joris Beckers <notifications@github.com<mailto:notifications@github.com>> Date: Tuesday, 12 Nov 2019, 1:17 pm To: jobec/django-auth-adfs <django-auth-adfs@noreply.github.com<mailto:django-auth-adfs@noreply.github.com>> Cc: Ferris, Luke <Luke.Ferris@Bain.com<mailto:Luke.Ferris@Bain.com>>, Author <author@noreply.github.com<mailto:author@noreply.github.com>> Subject: Re: [jobec/django-auth-adfs] Added support for enterprise app sso certificates (#87) Did you perhaps already got a reply on your question towards microsoft? — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub<https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_jobec_django-2Dauth-2Dadfs_pull_87-3Femail-5Fsource-3Dnotifications-26email-5Ftoken-3DAEWQU4KNTD5TZHTAIITW2BTQTKNFXA5CNFSM4JHKLQMKYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOED2B5LY-23issuecomment-2D552869551&d=DwMCaQ&c=YgvAunA6A5zFF9cMHqSY3cSQ3MG-auFOlwIB7e1Llto&r=uvJCB5zi8315z2S5nGWYQdM0dHuuGojbCycJ4avMN18&m=dkj7OJ9dcABDmO8YFc2RbA8xFOozWs7bv-c27SZYpnk&s=VYF-EYm769upaKPkjxY04OW5HK5vOP3PY1vdHjzqtt4&e=>, or unsubscribe<https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_notifications_unsubscribe-2Dauth_AEWQU4IFI6MNBWS4BETINL3QTKNFXANCNFSM4JHKLQMA&d=DwMCaQ&c=YgvAunA6A5zFF9cMHqSY3cSQ3MG-auFOlwIB7e1Llto&r=uvJCB5zi8315z2S5nGWYQdM0dHuuGojbCycJ4avMN18&m=dkj7OJ9dcABDmO8YFc2RbA8xFOozWs7bv-c27SZYpnk&s=DBXgWmzatgO5Y6uT1r6_evgmunnn57p4ycsiIEklYKU&e=>.

…

________________________________ This e-mail, including any attachments, contains confidential information of Bain & Company, Inc. ("Bain") and/or its clients. It may be read, copied and used only by the intended recipient. Any use by a person other than its intended recipient, or by the recipient but for purposes other than the intended purpose, is strictly prohibited. If you received this e-mail in error, please contact the sender and then destroy this e-mail. Opinions, conclusions and other information in this message that do not relate to the official business of Bain shall be understood to be neither given nor endorsed by Bain. Any personal information sent over e-mail to Bain will be processed in accordance with our Privacy Policy (https://www.bain.com/privacy).

[LukeFerris]

Here’s the Microsoft support thread.. From: Bac Hoang <bachoang@microsoft.com<mailto:bachoang@microsoft.com>> Sent: Tuesday, November 5, 2019 2:09 PM To: Ferris, Luke <Luke.Ferris@Bain.com<mailto:Luke.Ferris@Bain.com>>; support <support@mail.support.microsoft.com<mailto:support@mail.support.microsoft.com>>; Hugill, Paul <Paul.Hugill@Bain.com<mailto:Paul.Hugill@Bain.com>> Cc: Jeff MacLeod <jmacleod@microsoft.com<mailto:jmacleod@microsoft.com>>; Ahmed Mohammed (Accenture) <v-ahmoha@microsoft.com<mailto:v-ahmoha@microsoft.com>> Subject: RE: 119103022002411 Application Token Issuer Not Valid Azure Active Directory App Integration and Development Sure no problem Luke. Will close this case out on our end. Bac From: Ferris, Luke <Luke.Ferris@Bain.com<mailto:Luke.Ferris@Bain.com>> Sent: Tuesday, November 5, 2019 1:46 AM To: Bac Hoang <bachoang@microsoft.com<mailto:bachoang@microsoft.com>>; support <support@mail.support.microsoft.com<mailto:support@mail.support.microsoft.com>>; Hugill, Paul <Paul.Hugill@Bain.com<mailto:Paul.Hugill@Bain.com>> Cc: Jeff MacLeod <jmacleod@microsoft.com<mailto:jmacleod@microsoft.com>>; Ahmed Mohammed (Accenture) <v-ahmoha@microsoft.com<mailto:v-ahmoha@microsoft.com>> Subject: Re: 119103022002411 Application Token Issuer Not Valid Azure Active Directory App Integration and Development Thanks! All good now, let’s go ahead and close the ticket. Many thanks for all your help. Luke From: Bac Hoang <bachoang@microsoft.com<mailto:bachoang@microsoft.com>> Date: Monday, 4 November 2019 at 23:26 To: "Ferris, Luke" <Luke.Ferris@Bain.com<mailto:Luke.Ferris@Bain.com>>, support <support@mail.support.microsoft.com<mailto:support@mail.support.microsoft.com>>, "Hugill, Paul" <Paul.Hugill@Bain.com<mailto:Paul.Hugill@Bain.com>> Cc: Jeff MacLeod <jmacleod@microsoft.com<mailto:jmacleod@microsoft.com>>, "Ahmed Mohammed (Accenture)" <v-ahmoha@microsoft.com<mailto:v-ahmoha@microsoft.com>> Subject: RE: 119103022002411 Application Token Issuer Not Valid Azure Active Directory App Integration and Development Hi Luke, Yes. That is a valid openid metadata URL. It’s also documented in the link below: https://docs.microsoft.com/en-us/azure/active-directory/develop/v1-protocols-openid-connect-code<https://urldefense.proofpoint.com/v2/url?u=https-3A__nam06.safelinks.protection.outlook.com_-3Furl-3Dhttps-253A-252F-252Furldefense.proofpoint.com-252Fv2-252Furl-253Fu-253Dhttps-2D3A-5F-5Fdocs.microsoft.com-5Fen-2D2Dus-5Fazure-5Factive-2D2Ddirectory-5Fdevelop-5Fv1-2D2Dprotocols-2D2Dopenid-2D2Dconnect-2D2Dcode-2526d-253DDwMGaQ-2526c-253DYgvAunA6A5zFF9cMHqSY3cSQ3MG-2DauFOlwIB7e1Llto-2526r-253DuvJCB5zi8315z2S5nGWYQdM0dHuuGojbCycJ4avMN18-2526m-253Da6ed84NzDW4b8zWddEIXMOk3iW8dGlPYR4L986I4ols-2526s-253DKlFYDgHK3Opm4YRTmB-5F-2D5FBdTkiF3JKEXsh8xG6Orfw-2526e-253D-26data-3D02-257C01-257Cbachoang-2540microsoft.com-257C9bd63b39f481419f9f8d08d761c44482-257C72f988bf86f141af91ab2d7cd011db47-257C1-257C0-257C637085367927516396-26sdata-3D4BxTTcHsfnuP2pMT3wClkrx8Oe4WO-252F8E1-252B-252BIjsXjXk8-253D-26reserved-3D0&d=DwMGaQ&c=YgvAunA6A5zFF9cMHqSY3cSQ3MG-auFOlwIB7e1Llto&r=RqcBusajZRBhbBc4ZwLAVcDPQOdh2RdUUrkhk18NZ44&m=NpWHGnRcZyybg4mQ7KQkx6o_wLJAckiGgE2tL-pR6u4&s=CF1to-d12LayZYD3KXqVMQQnVAHQgayRLlEMDuBMjk4&e=> [cid:image001.png@01D59328.7F8364B0] Bac From: Ferris, Luke <Luke.Ferris@Bain.com<mailto:Luke.Ferris@Bain.com>> Sent: Thursday, October 31, 2019 10:32 AM To: Bac Hoang <bachoang@microsoft.com<mailto:bachoang@microsoft.com>>; support <support@mail.support.microsoft.com<mailto:support@mail.support.microsoft.com>>; Hugill, Paul <Paul.Hugill@Bain.com<mailto:Paul.Hugill@Bain.com>> Cc: Jeff MacLeod <jmacleod@microsoft.com<mailto:jmacleod@microsoft.com>>; Ahmed Mohammed (Accenture) <v-ahmoha@microsoft.com<mailto:v-ahmoha@microsoft.com>> Subject: Re: 119103022002411 Application Token Issuer Not Valid Azure Active Directory App Integration and Development Actually one quick question. We have some scenarios where SSO is enabled and others (entirely different Azure environments) where it is not. The following URL structure appears to work in both scenarios based on our tests:https://login.microsoftonline.com/TENANT_ID/.well-known/openid-configuration?appid=CLIENT_ID<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Furldefense.proofpoint.com%2Fv2%2Furl%3Fu%3Dhttps-3A__nam06.safelinks.protection.outlook.com_-3Furl-3Dhttps-253A-252F-252Flogin.microsoftonline.com-252FTENANT-5FID-252F.well-2Dknown-252Fopenid-2Dconfiguration-253Fappid-253DCLIENT-5FID-26data-3D02-257C01-257Cbachoang-2540microsoft.com-257C37f5e9209a254bd2049608d75e177378-257C72f988bf86f141af91ab2d7cd011db47-257C1-257C0-257C637081327135128711-26sdata-3DpCkE-252B-252FOUSh3fSnL-252Fk59BbUy44QgBhcIJ9us3JWbq-252BSc-253D-26reserved-3D0%26d%3DDwMGaQ%26c%3DYgvAunA6A5zFF9cMHqSY3cSQ3MG-auFOlwIB7e1Llto%26r%3DuvJCB5zi8315z2S5nGWYQdM0dHuuGojbCycJ4avMN18%26m%3Da6ed84NzDW4b8zWddEIXMOk3iW8dGlPYR4L986I4ols%26s%3DkoB4G4okfQf0qeTt1NYC5i6bOlfQKTgfdE7k_rudiCU%26e%3D&data=02%7C01%7Cbachoang%40microsoft.com%7C9bd63b39f481419f9f8d08d761c44482%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637085367927516396&sdata=g2y7FmdftJcN%2BGle2drDicDGVW99CuRfOmZnOeltvS4%3D&reserved=0> Can you confirm that this is the case? As in, will the above URL always point to the correct signing cert url regardless of whether SSO is selected or not? Thanks Luke From: Bac Hoang <bachoang@microsoft.com<mailto:bachoang@microsoft.com>> Date: Thursday, 31 October 2019 at 15:08 To: "Ferris, Luke" <Luke.Ferris@Bain.com<mailto:Luke.Ferris@Bain.com>>, support <support@mail.support.microsoft.com<mailto:support@mail.support.microsoft.com>>, "Hugill, Paul" <Paul.Hugill@Bain.com<mailto:Paul.Hugill@Bain.com>> Cc: Jeff MacLeod <jmacleod@microsoft.com<mailto:jmacleod@microsoft.com>>, "Ahmed Mohammed (Accenture)" <v-ahmoha@microsoft.com<mailto:v-ahmoha@microsoft.com>> Subject: RE: 119103022002411 Application Token Issuer Not Valid Azure Active Directory App Integration and Development Sure no problem Luke. Is there anything else you need for this case or is it good to close out? Bac From: Ferris, Luke <Luke.Ferris@Bain.com<mailto:Luke.Ferris@Bain.com>> Sent: Thursday, October 31, 2019 3:30 AM To: support <support@mail.support.microsoft.com<mailto:support@mail.support.microsoft.com>>; Bac Hoang <bachoang@microsoft.com<mailto:bachoang@microsoft.com>>; Hugill, Paul <Paul.Hugill@Bain.com<mailto:Paul.Hugill@Bain.com>> Cc: Jeff MacLeod <jmacleod@microsoft.com<mailto:jmacleod@microsoft.com>>; Ahmed Mohammed (Accenture) <v-ahmoha@microsoft.com<mailto:v-ahmoha@microsoft.com>> Subject: Re: 119103022002411 Application Token Issuer Not Valid Azure Active Directory App Integration and Development Thanks Bac, that’s super helpful. We googled and googled but couldn’t find any reference to the blog or info mentioned. Thanks for sending it through. Luke From: Bac Hoang <bachoang@microsoft.com<mailto:bachoang@microsoft.com>> Reply-To: "support@mail.support.microsoft.com<mailto:support@mail.support.microsoft.com>" <support@mail.support.microsoft.com<mailto:support@mail.support.microsoft.com>>, Bac Hoang <bachoang@microsoft.com<mailto:bachoang@microsoft.com>> Date: Thursday, 31 October 2019 at 00:40 To: "Hugill, Paul" <Paul.Hugill@Bain.com<mailto:Paul.Hugill@Bain.com>> Cc: "jmacleod@microsoft.com<mailto:jmacleod@microsoft.com>" <jmacleod@microsoft.com<mailto:jmacleod@microsoft.com>>, "v-ahmoha@microsoft.com<mailto:v-ahmoha@microsoft.com>" <v-ahmoha@microsoft.com<mailto:v-ahmoha@microsoft.com>>, "Ferris, Luke" <Luke.Ferris@Bain.com<mailto:Luke.Ferris@Bain.com>>, "bachoang@microsoft.com<mailto:bachoang@microsoft.com>" <bachoang@microsoft.com<mailto:bachoang@microsoft.com>> Subject: 119103022002411 Application Token Issuer Not Valid Azure Active Directory App Integration and Development [Image removed by sender. email template header] Hello Paul, My name is Bac Hoang and I am the Microsoft Support Engineer who will be working with you on support request 119103022002411. You can reach me using the contact information in my signature. I understand that you are getting a token with a signing kid not found in the https://login.microsoftonline.com/common/discovery/keys<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Furldefense.proofpoint.com%2Fv2%2Furl%3Fu%3Dhttps-3A__nam06.safelinks.protection.outlook.com_-3Furl-3Dhttps-253A-252F-252Furldefense.proofpoint.com-252Fv2-252Furl-253Fu-253Dhttps-2D3A-5F-5Flogin.microsoftonline.com-5Fcommon-5Fdiscovery-5Fkeys-2526d-253DDwQGaQ-2526c-253DYgvAunA6A5zFF9cMHqSY3cSQ3MG-2DauFOlwIB7e1Llto-2526r-253DuvJCB5zi8315z2S5nGWYQdM0dHuuGojbCycJ4avMN18-2526m-253D2-5FfT1Z66HXQ6M9ZzgMKeYmen6QYzx8MgzF91fZpALfw-2526s-253DYVnWHHaXCAbEDB-2Dray3qA1yprbpBi510AHhMc8VGfk8-2526e-253D-26data-3D02-257C01-257Cbachoang-2540microsoft.com-257C00a8c677c736469dcafe08d75ddc7981-257C72f988bf86f141af91ab2d7cd011db47-257C1-257C0-257C637081073836655527-26sdata-3D6T-252Bby6nYXtWeZWKYzsMcwOCkX-252FVDBSIM7-252BtUuyguK8s-253D-26reserved-3D0%26d%3DDwMGaQ%26c%3DYgvAunA6A5zFF9cMHqSY3cSQ3MG-auFOlwIB7e1Llto%26r%3DuvJCB5zi8315z2S5nGWYQdM0dHuuGojbCycJ4avMN18%26m%3DzHiOSBYWXXx7T33oS19K0GQdgPQ5TWqd0KvtmzBSUgc%26s%3DOXIQf29U358s-MRxDuvrdcjRdUxuJiN49s3AFdquIvQ%26e%3D&data=02%7C01%7Cbachoang%40microsoft.com%7C9bd63b39f481419f9f8d08d761c44482%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637085367927526351&sdata=aZ4LNnWkUMveUvCEHuPnXbW7Yo2P3oGsHLkC%2BaYbxHw%3D&reserved=0> end point. I looked at your token and it's the access token for a resouce application with the following app id / display name: App ID : bd7ef9fa-76a6-4d20-986b-50fc44931fae / ADAPT S7PJ Backend That resource application is an Enterprise App with Single Sign-on feature configured hence it's using its own certificate to sign the token. This is why you would not be able to find the signing kid at the common/discovery/keys endpoint. Take a look at the blog for more info on how signing key kid works in the Enterprise App: https://blogs.aaddevsup.xyz/2019/05/understanding-azure-ad-token-signing-certificate-kid/<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Furldefense.proofpoint.com%2Fv2%2Furl%3Fu%3Dhttps-3A__nam06.safelinks.protection.outlook.com_-3Furl-3Dhttps-253A-252F-252Furldefense.proofpoint.com-252Fv2-252Furl-253Fu-253Dhttps-2D3A-5F-5Fblogs.aaddevsup.xyz-5F2019-5F05-5Funderstanding-2D2Dazure-2D2Dad-2D2Dtoken-2D2Dsigning-2D2Dcertificate-2D2Dkid-5F-2526d-253DDwQGaQ-2526c-253DYgvAunA6A5zFF9cMHqSY3cSQ3MG-2DauFOlwIB7e1Llto-2526r-253DuvJCB5zi8315z2S5nGWYQdM0dHuuGojbCycJ4avMN18-2526m-253D2-5FfT1Z66HXQ6M9ZzgMKeYmen6QYzx8MgzF91fZpALfw-2526s-253D71XdtKW4c5L1vudn6BqZqGMVi-5FopMCWLS3ccDMFJ-2Dks-2526e-253D-26data-3D02-257C01-257Cbachoang-2540microsoft.com-257C00a8c677c736469dcafe08d75ddc7981-257C72f988bf86f141af91ab2d7cd011db47-257C1-257C0-257C637081073836660525-26sdata-3D1FCXMyMDbVSsYIfwmKjVbmlAzxJR4FElh2YiskN3L5k-253D-26reserved-3D0%26d%3DDwMGaQ%26c%3DYgvAunA6A5zFF9cMHqSY3cSQ3MG-auFOlwIB7e1Llto%26r%3DuvJCB5zi8315z2S5nGWYQdM0dHuuGojbCycJ4avMN18%26m%3DzHiOSBYWXXx7T33oS19K0GQdgPQ5TWqd0KvtmzBSUgc%26s%3D-pMhLz-k-LZNnKCMDVtgONZklxRCXWzHtuF_e8P8akM%26e%3D&data=02%7C01%7Cbachoang%40microsoft.com%7C9bd63b39f481419f9f8d08d761c44482%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637085367927536309&sdata=zJxVJZ%2BDUxWnMxUEPi6nH0NsMCs7CsESVLxZn3KcEAg%3D&reserved=0> To get to the kid info for this Enterprise applicaiton you will need to use the following applications-specific endpoint: https://login.microsoftonline.com/eb120e12-65f1-477a-be8c-fe4f65926724/discovery/keys?appid=bd7ef9fa-76a6-4d20-986b-50fc44931fae<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Furldefense.proofpoint.com%2Fv2%2Furl%3Fu%3Dhttps-3A__login.microsoftonline.com_eb120e12-2D65f1-2D477a-2Dbe8c-2Dfe4f65926724_discovery_keys-3Fappid-3Dbd7ef9fa-2D76a6-2D4d20-2D986b-2D50fc44931fae%26d%3DDwMGaQ%26c%3DYgvAunA6A5zFF9cMHqSY3cSQ3MG-auFOlwIB7e1Llto%26r%3DuvJCB5zi8315z2S5nGWYQdM0dHuuGojbCycJ4avMN18%26m%3D2_fT1Z66HXQ6M9ZzgMKeYmen6QYzx8MgzF91fZpALfw%26s%3Di3vd62Lc8G2QkafFVvlk7Zk2qOkYpKrhOgXvHOWi-uA%26e%3D&data=02%7C01%7Cbachoang%40microsoft.com%7C9bd63b39f481419f9f8d08d761c44482%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637085367927536309&sdata=WzsEpvnyur4DsYKPvyfz3tW14fEdtGERor7kGTm2VAY%3D&reserved=0> Sincerely, Bac Hoang From: Joris Beckers <notifications@github.com<mailto:notifications@github.com>> Date: Tuesday, 12 Nov 2019, 1:17 pm To: jobec/django-auth-adfs <django-auth-adfs@noreply.github.com<mailto:django-auth-adfs@noreply.github.com>> Cc: Ferris, Luke <Luke.Ferris@Bain.com<mailto:Luke.Ferris@Bain.com>>, Author <author@noreply.github.com<mailto:author@noreply.github.com>> Subject: Re: [jobec/django-auth-adfs] Added support for enterprise app sso certificates (#87) Did you perhaps already got a reply on your question towards microsoft? — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub<https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_jobec_django-2Dauth-2Dadfs_pull_87-3Femail-5Fsource-3Dnotifications-26email-5Ftoken-3DAEWQU4KNTD5TZHTAIITW2BTQTKNFXA5CNFSM4JHKLQMKYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOED2B5LY-23issuecomment-2D552869551&d=DwMCaQ&c=YgvAunA6A5zFF9cMHqSY3cSQ3MG-auFOlwIB7e1Llto&r=uvJCB5zi8315z2S5nGWYQdM0dHuuGojbCycJ4avMN18&m=dkj7OJ9dcABDmO8YFc2RbA8xFOozWs7bv-c27SZYpnk&s=VYF-EYm769upaKPkjxY04OW5HK5vOP3PY1vdHjzqtt4&e=>, or unsubscribe<https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_notifications_unsubscribe-2Dauth_AEWQU4IFI6MNBWS4BETINL3QTKNFXANCNFSM4JHKLQMA&d=DwMCaQ&c=YgvAunA6A5zFF9cMHqSY3cSQ3MG-auFOlwIB7e1Llto&r=uvJCB5zi8315z2S5nGWYQdM0dHuuGojbCycJ4avMN18&m=dkj7OJ9dcABDmO8YFc2RbA8xFOozWs7bv-c27SZYpnk&s=DBXgWmzatgO5Y6uT1r6_evgmunnn57p4ycsiIEklYKU&e=>.

…

________________________________ This e-mail, including any attachments, contains confidential information of Bain & Company, Inc. ("Bain") and/or its clients. It may be read, copied and used only by the intended recipient. Any use by a person other than its intended recipient, or by the recipient but for purposes other than the intended purpose, is strictly prohibited. If you received this e-mail in error, please contact the sender and then destroy this e-mail. Opinions, conclusions and other information in this message that do not relate to the official business of Bain shall be understood to be neither given nor endorsed by Bain. Any personal information sent over e-mail to Bain will be processed in accordance with our Privacy Policy (https://www.bain.com/privacy).

[LukeFerris]

Hi Joris, Did you think more on this? Would be great to roll in the change so we can point back at the main repo. Thanks 😊 Luke From: Joris Beckers <notifications@github.com> Reply-To: jobec/django-auth-adfs <reply@reply.github.com> Date: Tuesday, 12 November 2019 at 13:17 To: jobec/django-auth-adfs <django-auth-adfs@noreply.github.com> Cc: "Ferris, Luke" <Luke.Ferris@Bain.com>, Author <author@noreply.github.com> Subject: Re: [jobec/django-auth-adfs] Added support for enterprise app sso certificates (#87) Did you perhaps already got a reply on your question towards microsoft? — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub<https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_jobec_django-2Dauth-2Dadfs_pull_87-3Femail-5Fsource-3Dnotifications-26email-5Ftoken-3DAEWQU4KNTD5TZHTAIITW2BTQTKNFXA5CNFSM4JHKLQMKYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOED2B5LY-23issuecomment-2D552869551&d=DwMCaQ&c=YgvAunA6A5zFF9cMHqSY3cSQ3MG-auFOlwIB7e1Llto&r=uvJCB5zi8315z2S5nGWYQdM0dHuuGojbCycJ4avMN18&m=dkj7OJ9dcABDmO8YFc2RbA8xFOozWs7bv-c27SZYpnk&s=VYF-EYm769upaKPkjxY04OW5HK5vOP3PY1vdHjzqtt4&e=>, or unsubscribe<https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_notifications_unsubscribe-2Dauth_AEWQU4IFI6MNBWS4BETINL3QTKNFXANCNFSM4JHKLQMA&d=DwMCaQ&c=YgvAunA6A5zFF9cMHqSY3cSQ3MG-auFOlwIB7e1Llto&r=uvJCB5zi8315z2S5nGWYQdM0dHuuGojbCycJ4avMN18&m=dkj7OJ9dcABDmO8YFc2RbA8xFOozWs7bv-c27SZYpnk&s=DBXgWmzatgO5Y6uT1r6_evgmunnn57p4ycsiIEklYKU&e=>.

…

________________________________ This e-mail, including any attachments, contains confidential information of Bain & Company, Inc. ("Bain") and/or its clients. It may be read, copied and used only by the intended recipient. Any use by a person other than its intended recipient, or by the recipient but for purposes other than the intended purpose, is strictly prohibited. If you received this e-mail in error, please contact the sender and then destroy this e-mail. Opinions, conclusions and other information in this message that do not relate to the official business of Bain shall be understood to be neither given nor endorsed by Bain. Any personal information sent over e-mail to Bain will be processed in accordance with our Privacy Policy (https://www.bain.com/privacy).