From 0ce49de2ce67cdfc93a9b41ef1daad9ac52e09d8 Mon Sep 17 00:00:00 2001
From: Asif A Siddiqi
Date: Fri, 10 Oct 2025 14:39:49 -0700
Subject: [PATCH 1/2] Update claim extraction logic in ms_entra_id.go

Changed claim extraction from 'iss' to 'tid' with fallback.
---
 providers/ms_entra_id.go | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/providers/ms_entra_id.go b/providers/ms_entra_id.go
index df1f38a4..f911e35e 100644
--- a/providers/ms_entra_id.go
+++ b/providers/ms_entra_id.go
@@ -271,7 +271,14 @@ func (p *MicrosoftEntraIDProvider) getTenantFromToken(session *sessions.SessionS
 return "", fmt.Errorf("unable to get claim extractor: %v", err)
 }
 
- value, exists, err := extractor.GetClaim("iss")
+ value, exists, err := extractor.GetClaim("tid")
+
+ if exists && err == nil {
+ return value, nil
+ }
+
+ // Fall back to iss claim
+ value, exists, err = extractor.GetClaim("iss")
 
 if !exists || err != nil {
 return "", fmt.Errorf("iss claim does not exist in the token")

From 5bf1dd750e12bee4161b555bd3f71bb9a67de6f7 Mon Sep 17 00:00:00 2001
From: Asif A Siddiqi
Date: Tue, 28 Oct 2025 09:01:08 -0700
Subject: [PATCH 2/2] Update providers/ms_entra_id.go

Co-authored-by: Jan Larwig
---
 providers/ms_entra_id.go | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/providers/ms_entra_id.go b/providers/ms_entra_id.go
index f911e35e..a76b8636 100644
--- a/providers/ms_entra_id.go
+++ b/providers/ms_entra_id.go
@@ -271,6 +271,8 @@ func (p *MicrosoftEntraIDProvider) getTenantFromToken(session *sessions.SessionS
 return "", fmt.Errorf("unable to get claim extractor: %v", err)
 }
 
+ // Use tenant id (tid) provided within the payload claims of the id token
+ // https://learn.microsoft.com/en-us/entra/identity-platform/id-token-claims-reference
 value, exists, err := extractor.GetClaim("tid")
 
 if exists && err == nil {
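Review bot: In the PATCH 1/2 hunk, the new `tid` branch returns whatever `GetClaim("tid")` yields without checking that it is non-empty, so a present-but-empty claim is returned as the tenant instead of falling through to `iss`. The result presumably feeds a tenant allow-list decision (the callers are not in this hunk), so I would tighten the guard to `if err == nil && exists && value != "" {`. The branch also drops a non-nil `err` from the `tid` lookup without a trace; a short comment such as `// a tid lookup error is deliberately ignored; iss is tried next` would make that intent explicit. When both claims are missing, the final message still reads `iss claim does not exist in the token`, which hides that `tid` was tried first. getTenantFromToken starts and ends outside the hunk, so how the `iss` value is reduced to a tenant, and whether it ends up in the same form as a bare `tid`, cannot be checked from here.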