Skip to content

Validate iss and aud claims on AAD/B2C OIDC login ID token decoders#49423

Merged
rujche merged 3 commits into
mainfrom
rujche/main/fix-bug-in-AadOidcIdTokenDecoderFactory
Jun 11, 2026
Merged

Validate iss and aud claims on AAD/B2C OIDC login ID token decoders#49423
rujche merged 3 commits into
mainfrom
rujche/main/fix-bug-in-AadOidcIdTokenDecoderFactory

Conversation

@rujche

@rujche rujche commented Jun 9, 2026

Copy link
Copy Markdown
Member

Description

AadOidcIdTokenDecoderFactory and AadB2cOidcIdTokenDecoderFactory previously only verified the token signature and expiry on the oauth2Login path, never validating the iss (issuer) or aud (audience) claims. This allowed users from unauthorized tenants to sign in to multi-tenant applications that rely on the issuer/tenant claim for tenant restriction.

Both factories now set a JWT validator that runs OidcIdTokenValidator (audience, expiry, issued-at, subject) plus issuer validation. For AAD single-tenant the issuer must belong to the configured tenant; for multi-tenant (common/organizations/consumers) the issuer must be a trusted Microsoft issuer consistent with the token's own tid claim. B2C validates against the trusted B2C issuers.

All SDK Contribution checklist:

  • The pull request does not introduce [breaking changes]
  • CHANGELOG is updated for new features, bug fixes or other significant changes.
  • I have read the contribution guidelines.

General Guidelines and Best Practices

  • Title of the pull request is clear and informative.
  • There are a small number of commits, each of which have an informative message. This means that previously merged commits do not appear in the history of the PR. For more information on cleaning up the commits in your PR, see this page.

Testing Guidelines

  • Pull request includes test coverage for the included changes.

AadOidcIdTokenDecoderFactory and AadB2cOidcIdTokenDecoderFactory previously only verified the token signature and expiry on the oauth2Login path, never validating the iss (issuer) or aud (audience) claims. This allowed users from unauthorized tenants to sign in to multi-tenant applications that rely on the issuer/tenant claim for tenant restriction.

Both factories now set a JWT validator that runs OidcIdTokenValidator (audience, expiry, issued-at, subject) plus issuer validation. For AAD single-tenant the issuer must belong to the configured tenant; for multi-tenant (common/organizations/consumers) the issuer must be a trusted Microsoft issuer consistent with the token's own tid claim. B2C validates against the trusted B2C issuers.
Copilot AI review requested due to automatic review settings June 9, 2026 01:54
@rujche rujche requested review from a team, Netyyyy, moarychan and saragluna as code owners June 9, 2026 01:54
@rujche rujche self-assigned this Jun 9, 2026
@github-actions github-actions Bot added the azure-spring All azure-spring related issues label Jun 9, 2026
@rujche rujche added bug This issue requires a change to an existing behavior in the product in order to be resolved. azure-spring-aad Spring active directory related issues. azure-spring-aad-b2c Spring active directory b2c related issues. labels Jun 9, 2026
@rujche rujche moved this from Todo to In Progress in Spring Cloud Azure Jun 9, 2026
@rujche rujche added this to the 2026-07 milestone Jun 9, 2026

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR strengthens Spring Cloud Azure’s oauth2Login ID token validation for both AAD and AAD B2C by adding explicit iss (issuer) and aud (audience) claim validation in the ID token decoder factories. This closes a gap where previously only signature and timestamp checks were performed, allowing tokens from unauthorized tenants to be accepted in some multi-tenant configurations.

Changes:

  • Update AadOidcIdTokenDecoderFactory to apply OidcIdTokenValidator (standard OIDC ID token claim checks) plus issuer validation (single-tenant: configured tenant; multi-tenant: issuer must match a trusted Microsoft issuer consistent with tid).
  • Update AadB2cOidcIdTokenDecoderFactory to apply OidcIdTokenValidator plus issuer validation against trusted B2C issuers derived from configured tenant/user flows.
  • Add focused unit tests for both factories and document the fix in sdk/spring/CHANGELOG.md.

Reviewed changes

Copilot reviewed 7 out of 7 changed files in this pull request and generated no comments.

Show a summary per file
File Description
sdk/spring/spring-cloud-azure-autoconfigure/src/main/java/com/azure/spring/cloud/autoconfigure/implementation/aadb2c/security/AadB2cOidcIdTokenDecoderFactory.java Adds OIDC ID token claim validation + B2C issuer validation to the login ID token decoder.
sdk/spring/spring-cloud-azure-autoconfigure/src/main/java/com/azure/spring/cloud/autoconfigure/implementation/aadb2c/configuration/AadB2cAutoConfiguration.java Wires AadB2cProperties into the decoder factory bean so issuer validation can be configured.
sdk/spring/spring-cloud-azure-autoconfigure/src/main/java/com/azure/spring/cloud/autoconfigure/implementation/aad/security/AadOidcIdTokenDecoderFactory.java Adds OIDC ID token claim validation + single-tenant/multi-tenant issuer validation, caching decoders per registration.
sdk/spring/spring-cloud-azure-autoconfigure/src/main/java/com/azure/spring/cloud/autoconfigure/implementation/aad/configuration/AadOAuth2ClientConfiguration.java Updates bean construction to pass AadAuthenticationProperties into the updated decoder factory constructor.
sdk/spring/spring-cloud-azure-autoconfigure/src/test/java/com/azure/spring/cloud/autoconfigure/implementation/aadb2c/security/AadB2cOidcIdTokenDecoderFactoryTests.java New unit tests validating trusted/untrusted issuer behavior and audience rejection for B2C login tokens.
sdk/spring/spring-cloud-azure-autoconfigure/src/test/java/com/azure/spring/cloud/autoconfigure/implementation/aad/security/AadOidcIdTokenDecoderFactoryTests.java New unit tests for single-tenant and multi-tenant issuer validation logic and audience rejection.
sdk/spring/CHANGELOG.md Records the security/bug fix for oauth2Login ID token issuer/audience validation.

@rujche

rujche commented Jun 9, 2026

Copy link
Copy Markdown
Member Author

/azp run java - spring - tests

@azure-pipelines

Copy link
Copy Markdown
Azure Pipelines successfully started running 1 pipeline(s).

@rujche

rujche commented Jun 9, 2026

Copy link
Copy Markdown
Member Author

/azp run java - spring - tests

@azure-pipelines

Copy link
Copy Markdown
Azure Pipelines successfully started running 1 pipeline(s).

@rujche rujche merged commit 4b547c9 into main Jun 11, 2026
82 checks passed
@rujche rujche deleted the rujche/main/fix-bug-in-AadOidcIdTokenDecoderFactory branch June 11, 2026 01:53
@github-project-automation github-project-automation Bot moved this from In Progress to Done in Spring Cloud Azure Jun 11, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

azure-spring All azure-spring related issues azure-spring-aad Spring active directory related issues. azure-spring-aad-b2c Spring active directory b2c related issues. bug This issue requires a change to an existing behavior in the product in order to be resolved.

Projects

Status: Done

Development

Successfully merging this pull request may close these issues.

3 participants