MS app - Support multiple tenants without using /common endpoint


Background: I know that I can support multiple tenants by using the /common endpoint. However, using /common requires the application to handle the response id_token where the iss (issuer value) may change per user.

My problem is, I am working with a 3rd party app that would be handling the OpenID response from the /common endpoint. This 3rd party app compares the iss value in the response with /common and hence considers the response to be an invalid_token.

I am already too invested in this app, and moving to another app is really difficult. Also, the app won't support the behavior of the /common endpoint anytime soon. So essentially I can't use the /common endpoint.

Question :

  1. Is there any way other than /common endpoint to support multiple tenants?

  2. When exactly did MS come up with the /common approach, and how did people support multiple tenants before that?

Thanks,

~ Urjit


The point of the common endpoint is to allow for the user to login via any tenant.

You can, from your app, redirect the user to log in against any tenant by specifying the tenant ID in the URL instead of common.

Any app that needs to support an N-tenant scenario should validate the issuer claim (since you don't want to accept any tenant): you need to check that the issuer is one of the allowed tenants. This 3rd party app will need to have the capability to do this. The issuer URI for any tenant is https://sts.windows.net/tenant-id/.

You can find the issuer URIs for the tenants you want to approve by going to your tenant's OpenId config. My test tenant's one is here: https://login.microsoftonline.com/joonasapps.onmicrosoft.com/.well-known/openid-configuration.

Find the "issuer" property, e.g. https://sts.windows.net/52a7d760-d554-4751-bb71-cc3585633f2e/.

That is the value that will be in the iss claim in tokens issued by this tenant.
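The two halves of the answer above (send the user to a tenant-specific authorize URL rather than /common, and check that the iss claim of the returned id_token belongs to an allowed tenant) as a worked example. This is added illustration code, not code from the question, the answer, or any Microsoft library. It assumes the tid claim carries the tenant ID, uses the v1 /oauth2/authorize path, hard-codes the https://sts.windows.net/<tenant-id>/ issuer format quoted in the answer, and works on constructed, unsigned sample tokens; the tenant IDs other than the one quoted in the answer are made up.

```python
import base64
import json
from urllib.parse import urlencode

# Tenants this app is willing to accept. The first ID is the one quoted in the
# answer above; the second is a constructed placeholder, not a real tenant.
ALLOWED_TENANT_IDS = frozenset({
    "52a7d760-d554-4751-bb71-cc3585633f2e",
    "11111111-2222-3333-4444-555555555555",
})

AUTHORITY = "https://login.microsoftonline.com"


def expected_issuer(tenant_id: str) -> str:
    """Issuer URI found in the iss claim for a tenant (format quoted in the answer)."""
    return f"https://sts.windows.net/{tenant_id}/"


def authorize_url(tenant_id: str, client_id: str, redirect_uri: str,
                  nonce: str, state: str) -> str:
    """Build a tenant-specific authorize URL instead of the /common one.

    With the tenant fixed in the path, the iss of the returned id_token is
    known before the request is sent, which is what a relying party that
    cannot cope with a varying issuer needs.
    """
    if tenant_id not in ALLOWED_TENANT_IDS:
        raise ValueError(f"tenant {tenant_id} is not allowed")
    params = {
        "client_id": client_id,
        "response_type": "id_token",
        "redirect_uri": redirect_uri,
        "response_mode": "form_post",
        "scope": "openid",
        "nonce": nonce,
        "state": state,
    }
    return f"{AUTHORITY}/{tenant_id}/oauth2/authorize?{urlencode(params)}"


def decode_claims(id_token: str) -> dict:
    """Decode the payload of a compact JWT.

    This does NOT verify the signature. In production, verify the signature
    with the keys from the tenant's jwks_uri (listed in its
    openid-configuration document) before trusting any claim, including iss.
    """
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)   # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def issuer_is_allowed(claims: dict, allowed=ALLOWED_TENANT_IDS) -> bool:
    """Accept the token only if it was issued by one of the allowed tenants.

    The tenant is taken from tid (assumed to be present), checked against the
    allow list, and iss must equal the expected issuer for that tenant
    exactly. A prefix or substring comparison would also accept issuers with
    extra path segments appended, so only full-string equality is used.
    """
    iss = claims.get("iss")
    tid = claims.get("tid")
    if not isinstance(iss, str) or not isinstance(tid, str):
        return False
    if tid not in allowed:
        return False
    return iss == expected_issuer(tid)


def _fake_token(claims: dict) -> str:
    """Constructed, unsigned JWT for the demo; the signature part is a placeholder."""
    def b64(obj) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).decode().rstrip("=")
    return f"{b64({'alg': 'none', 'typ': 'JWT'})}.{b64(claims)}.sig"


# Constructed sample tokens: one from an allowed tenant, one from a tenant not
# on the list, and one whose iss does not match its own tid.
GOOD_TOKEN = _fake_token({
    "iss": "https://sts.windows.net/52a7d760-d554-4751-bb71-cc3585633f2e/",
    "tid": "52a7d760-d554-4751-bb71-cc3585633f2e",
    "aud": "app-client-id", "sub": "user-1",
})
FOREIGN_TOKEN = _fake_token({
    "iss": "https://sts.windows.net/99999999-8888-7777-6666-555555555555/",
    "tid": "99999999-8888-7777-6666-555555555555",
    "aud": "app-client-id", "sub": "user-2",
})
MISMATCHED_TOKEN = _fake_token({
    "iss": "https://sts.windows.net/99999999-8888-7777-6666-555555555555/",
    "tid": "52a7d760-d554-4751-bb71-cc3585633f2e",
    "aud": "app-client-id", "sub": "user-3",
})

if __name__ == "__main__":
    print(authorize_url("52a7d760-d554-4751-bb71-cc3585633f2e", "app-client-id",
                        "https://app.example/callback", "nonce-1", "state-1"))
    for name, tok in [("good", GOOD_TOKEN), ("foreign", FOREIGN_TOKEN),
                      ("mismatched", MISMATCHED_TOKEN)]:
        print(name, issuer_is_allowed(decode_claims(tok)))
```

The issuer check is deliberately an exact string comparison per tenant rather than a check that iss "starts with https://sts.windows.net/", since the latter would accept a token from any Azure AD tenant, which is exactly the situation the allow list is meant to prevent. Signature verification against the tenant's published keys still has to happen before the claims are trusted at all.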