Azure AD OIDC token issues

Faraz Siddiqui 1 Reputation point
2019-12-17T16:44:55.6+00:00

Hi,

We've been using OIDC tokens with our application behind AWS ALB, and it's been working fine until last week. Looks like the UserInfo endpoint is not returning everything AWS ALB is expecting as per the OIDC protocol specs? MSFT has been advising to use the /me endpoint but it doesn't return sub.

We've tried putting the right scopes (openid, email, profile) and manifest in the Azure AD application but no luck. Any idea if anything has changed when it comes to the UserInfo endpoint?

Thanks

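The failure described in the question is a relying party (here AWS ALB) rejecting a UserInfo response that lacks the `sub` claim. OIDC Core requires `sub` in every UserInfo response and requires the client to check that it matches the `sub` in the ID token before using the response. The following Python is an added diagnostic example, not code from the question or from Microsoft or AWS: it decodes the ID token payload (without verifying the signature, which a real client must do separately), checks the UserInfo JSON for `sub`, checks that the two `sub` values agree, and warns when claims implied by the requested scopes are absent. The token, tenant/client placeholders and the UserInfo and Graph-style `/me` documents are constructed samples.

```python
import base64
import json

# OIDC Core 5.3.2: "sub" MUST always be returned in a UserInfo response.
REQUIRED_USERINFO_CLAIMS = ("sub",)

# Claims an RP typically expects per scope (OIDC Core 5.4). Their absence is a
# warning, not a spec violation, because an OP may omit claims it cannot supply.
SCOPE_CLAIMS = {"email": ("email",), "profile": ("name",)}


def decode_jwt_payload(token: str) -> dict:
    """Decode the payload segment of a compact JWT WITHOUT signature verification.

    Diagnostic use only: it lets us compare claims, it does not make them trusted.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected 3 dot-separated segments)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_userinfo(id_token_claims: dict, userinfo: dict, requested_scopes=()) -> list:
    """Return a list of findings; an empty list means the UserInfo response is usable."""
    findings = []
    for claim in REQUIRED_USERINFO_CLAIMS:
        if claim not in userinfo:
            findings.append(f"userinfo missing required claim '{claim}'")
    # OIDC Core 5.3.2: on a sub mismatch the UserInfo values MUST NOT be used.
    if "sub" in userinfo and userinfo["sub"] != id_token_claims.get("sub"):
        findings.append("userinfo 'sub' does not match id_token 'sub'; response must not be used")
    for scope in requested_scopes:
        for claim in SCOPE_CLAIMS.get(scope, ()):
            if claim not in userinfo:
                findings.append(f"warning: scope '{scope}' requested but claim '{claim}' absent")
    return findings


def _b64url(obj) -> str:
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")


# Constructed sample ID token: header + payload + placeholder signature segment.
# A real Azure AD token is signed and must be verified against the issuer's JWKS.
SAMPLE_ID_TOKEN = ".".join([
    _b64url({"alg": "RS256", "typ": "JWT"}),
    _b64url({
        "iss": "https://login.microsoftonline.com/<tenant-id>/v2.0",  # placeholder tenant
        "aud": "<client-id>",                                         # placeholder app id
        "sub": "a1b2c3-constructed-sub",
        "email": "user@example.com",
    }),
    "signature-placeholder",
])

# Constructed UserInfo response that satisfies an RP requesting openid/email/profile.
GOOD_USERINFO = {"sub": "a1b2c3-constructed-sub", "email": "user@example.com", "name": "Example User"}

# Constructed document shaped like a Graph /me response: as the question notes,
# it carries no "sub", so an OIDC RP cannot accept it in place of UserInfo.
GRAPH_ME_LIKE = {"id": "0000-constructed-object-id", "displayName": "Example User", "mail": "user@example.com"}


def diagnose(token: str, userinfo: dict, scopes=("openid", "email", "profile")) -> list:
    """Convenience wrapper: decode the token and run the UserInfo checks."""
    return check_userinfo(decode_jwt_payload(token), userinfo, scopes)


if __name__ == "__main__":
    print("good userinfo :", diagnose(SAMPLE_ID_TOKEN, GOOD_USERINFO))
    print("/me-shaped    :", diagnose(SAMPLE_ID_TOKEN, GRAPH_ME_LIKE))
```

Running the script against the two constructed documents shows the difference the question is about: the UserInfo-shaped document produces no findings, while the `/me`-shaped one is flagged for the missing `sub` (and for the absent `email` and `name` claims, which Graph spells differently). The same checks, run against a live response captured from the identity provider, tell you whether the provider or the relying-party configuration changed.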

2 answers

  1. FrankHu-MSFT 976 Reputation points
    2019-12-17T18:26:11.997+00:00

    Hello, there are no configurations that can be made for the userinfo and me endpoint currently. If you'd like these features to be implemented please submit feedback here: https://feedback.azure.com/forums/169401-azure-active-directory and if there's enough community support the product team will look into it and put it on the roadmap.

    If you're having issues getting AWS ALB and AAD Auth working properly, I suggest filing a support ticket with Amazon to try to get further traction, as there is nothing that can be done to change what is returned from the userinfo/me endpoints currently.

    It sounds like there's an issue with the AWS ALB OIDC configuration, I suggest trying to see if Amazon can relax the rules for sub. https://docs.aws.amazon.com/elasticloadbalancing/latest/application/listener-authenticate-users.html


  2. Faraz Siddiqui 1 Reputation point
    2019-12-18T10:19:56.777+00:00

    Hi,

    Thanks for the quick reply. The solution has been working for more than a year, so there's no new feature required here.

    Something has changed last week either from the MS or AWS side, but unfortunately both ain't got a clue what it is that has caused this. We've engaged both MS and AWS in a professional capacity but no resolution so far, both blaming each other.

    We're going to remove ALB authentication and do our own auth, as our site has been down for the last 7 days because of this.

    If you Google it you'll find tons of questions/issues people have raised on this issue.

    Thanks for your help though.
