Failed OpenID authentication with Azure AD using OIDC

My company has Azure AD, so I decided to use the XWiki OpenID Connect authenticator for user authentication on our XWiki platform. After registering the XWiki application in the AD tenant, I could fill in the following configuration settings in the xwiki.properties file.

oidc.endpoint.authorization=https://login.microsoftonline.com/4b6f7aca-fc09-4a9f-b556-3ae27582c5b9/oauth2/authorize
oidc.endpoint.token=https://login.microsoftonline.com/4b6f7aca-fc09-4a9f-b556-3ae27582c5b9/oauth2/token
oidc.endpoint.userinfo=https://login.microsoftonline.com/4b6f7aca-fc09-4a9f-b556-3ae27582c5b9/openid/userinfo

oidc.clientid=09cbab91-c255-4ffa-b5fb-3cf11d9a9aa6

When I try to log in to the wiki, everything seems to work fine. I get redirected to a Microsoft login page with the URL below. (I have added line breaks and shortened some codes for readability.)

https://login.microsoftonline.com/4b6f7aca-fc09-4a9f-b556-3ae27582c5b9/oauth2/authorize?
response_type=code
&client_id=09cbab91-c255-4ffa-b5fb-3cf11d9a9aa6
&redirect_uri=http://wikiServer:8080/xwiki/oidc/authenticator/callback
&scope=openid+profile+email+address+phone
&state=d6P_FvG1N3-jJy_NEo1dE61rEuRx7PDx4EWfJzey5fM
&claims={"id_token":{"":null},"userinfo":{"":null}}

After entering my credentials, I get redirected to the redirect URI together with a code and state.

http://wikiserver:8080/xwiki/oidc/authenticator/callback?
code=vKzCcgohJS0etL2RSYBz2KNbz96rGyHlEQ24wAsQvQG0qY9Zpf-4LwRTYHiB3ped28AoJaHF9oFre0hqz5D0yUarMfwEqYvLnJkKBdmoEFamdYDMBPo5B0hPS_LMqEMhb6atwVeN9FtAEPK...
&state=d6P_FvG1N3-jJy_NEo1dE81rEuRx7PDx4EWfJzey8fM
&session_state=741bc48c-b46c-4c23-83f3-320dc76147c8

But here it stops: I am left with a blank page. If I understand OpenID correctly, the application should now be requesting a token at the token endpoint by passing the code and some other information. But nothing is happening.

I enabled debugging on the OIDC extensions and was only able to get the following messages.

[http://wikiserver:8080/xwiki/oidc/authenticator/callback?
code=vKzCcgohJS0etL2RSYBz2KNbz96rGyHlEQ24wAsQvQG0qY9Zpf-4LwRTYHiB3ped28AoJaHF9oFre0hqz5D0yUarMfwEqYvLnJkKBdmoEFamdYDMBPo5B0hPS_LMqEMhb6atwVeN9FtAEPK...
&state=d6P_FvG1N3-jJy_NEo1dE81rEuRx7PDx4EWfJzey8fM
&session_state=741bc48c-b46c-4c23-83f3-320dc76147c8] 

DEBUG i.OIDCResourceReferenceHandler - OIDC: Reference: [
type = [oidc], 
parameters = [[code] =[[vKzCcgohJS0etL2RSYBz2KNbz96rGyHlEQ24wAsQvQG0qY9Zpf-4LwRTYHiB3ped28AoJaHF9oFre0hqz5D0yUarMfwEqYvLnJkKBdmoEFamdYDMBPo5B0hPS_LMqEMhb6atwVeN9FtAEPK...]], [state] = [[d6P_FvG1N3-jJy_NEo1dE81rEuRx7PDx4EWfJzey8fM]], [session_state] = [[741bc48c-b46c-4c23-83f3-320dc76147c8]]], 
reference = [Wiki xwiki], 
action = [], 
locale = [<null>]
]

My guess is that nothing happens because no action is defined in the OIDCResourceReference. But it’s not clear to me what is going wrong. Could someone help me shed some light on this?

It’s probably because of https://jira.xwiki.org/browse/OIDC-46. I guess Azure requires the OIDC client to authenticate when asking for the token.
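The step the first post expects after the callback, the code-for-token exchange, with the client authentication that the reply above guesses Azure requires; this is an added Python example, not code from the thread or from the XWiki authenticator. The redirect URI and endpoint path come from the thread; the tenant id, client id, client secret and the callback values are constructed placeholders.

```python
# Added example: validate the OIDC callback and build the token request.
# Placeholder values; replace <TENANT_ID> and <CLIENT_ID> with your own.
from urllib.parse import urlsplit, parse_qs, urlencode
import hmac

TOKEN_ENDPOINT = "https://login.microsoftonline.com/<TENANT_ID>/oauth2/token"
REDIRECT_URI = "http://wikiServer:8080/xwiki/oidc/authenticator/callback"
CLIENT_ID = "<CLIENT_ID>"


def parse_callback(callback_url, expected_state):
    """Return the authorization code from the callback URL, but only if the
    returned state equals the state sent with the authorization request.
    A mismatch means the response does not belong to this login attempt
    (stale session or cross-site request), so the code must not be used."""
    params = parse_qs(urlsplit(callback_url).query)
    state = params.get("state", [""])[0]
    if not hmac.compare_digest(state, expected_state):
        raise ValueError("state mismatch: discarding callback")
    if "code" not in params:
        raise ValueError("callback carries no authorization code")
    return params["code"][0]


def build_token_request(code, client_secret):
    """Endpoint, headers and form body for the authorization_code grant.
    The client authenticates with client_secret_post (secret in the body),
    one of the standard OAuth 2.0 client authentication methods.
    redirect_uri must be byte-for-byte the one used in the authorization
    request, otherwise the provider rejects the exchange."""
    body = {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "client_id": CLIENT_ID,
        "client_secret": client_secret,
    }
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    return TOKEN_ENDPOINT, headers, urlencode(body)


if __name__ == "__main__":
    # Constructed callback, shaped like the one in the thread.
    sent_state = "d6P_constructed_state"
    cb = (REDIRECT_URI + "?code=constructed_code&state=" + sent_state
          + "&session_state=00000000-0000-0000-0000-000000000000")
    code = parse_callback(cb, sent_state)
    endpoint, headers, body = build_token_request(code, "<CLIENT_SECRET>")
    print(endpoint, headers, body)  # POST this body to the token endpoint
```

The real request is then a POST of that body to the token endpoint; the response must be checked for an id_token whose signature, issuer and audience are verified before any user is logged in.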

How did you fix this problem in the end? :blush:

I doubt it’s fixed.

This is indeed not fixed. I now use the ldap-authenticator. If OIDC-46 ever gets solved, I will probably give this another try.

Have you fixed this problem with Azure? Is it working now for you?

Everything works perfectly. If somebody needs this working with Microsoft Graph:

oidc.endpoint.userinfo=https://graph.microsoft.com/v1.0/me?$select=id,mailNickname,jobTitle,givenName

id MUST exist in the $select - it is the sub alternative in MS Graph.
You can add more properties separated by ,

Use the file from the attachment (remove .log from the filename) and place it in
/xwikiPermanentDirectory/extension/repository/com%2Enimbusds%3Aoauth2-oidc-sdk/7%2E3#

com.nimbusds:oauth2-oidc-sdk-7.3.jar.log (476.4 KB)