The Azure China environment needs to update the domain name. #679

Open

metestone opened this issue Mar 26, 2025 · 7 comments

Comments

@metestone

Jenkins and plugins versions report

Environment

After integrating Jenkins with Azure AD, the following error is displayed upon login:
rejected due to invalid claims or other invalid content. Additional details: [[12] Issuer (iss) claim value (https://login.partner.microsoftonline.cn/e670f151-e1b6-401a-a849-dab5de1d68ec/v2.0) doesn't match expected value of https://login.chinacloudapi.cn/e670f151-e1b6-401a-a849-dab5de1d68ec/v2.0]

The expected host (login.chinacloudapi.cn) needs to be updated to login.partner.microsoftonline.cn so it can support the Azure China AAD environment.

What Operating System are you using (both controller, and any agents involved in the problem)?

Windows 11 Pro.

Reproduction steps

Setup In Microsoft Entra ID
Setup Microsoft Entra ID permissions

Expected Results

Login with Azure AD successfully.

Actual Results

Login fails with the error above.

Anything else?

No response

Are you interested in contributing a fix?

No response

@KalleOlaviNiemitalo

According to https://learn.microsoft.com/en-us/entra/identity-platform/access-tokens, the issuer of the token should match what is in the OpenID discovery document. I haven't yet checked whether the plugin loads that document or hardcodes the expected issuer.

Microsoft documents the base URI of the "Microsoft Entra China operated by 21Vianet" authentication endpoint as https://login.partner.microsoftonline.cn, at https://learn.microsoft.com/en-us/entra/identity-platform/authentication-national-cloud#microsoft-entra-authentication-endpoints. This was changed in MicrosoftDocs/entra-docs@9acc385 and MicrosoftDocs/entra-docs@e0fe90f.

@KalleOlaviNiemitalo

Here it sets the expected issuer:

```java
final String expectedIssuer = String.format("%s%s/v2.0", authorityHost, tenantId);
```

```java
private final Supplier<JwtConsumer> jwtConsumer = Suppliers.memoize(() ->
        Utils.JwtUtil.jwt(getAuthorityHost(getAzureEnvironmentName()), getClientId(), getTenant()));
```

```java
static String getAuthorityHost(String azureEnvironmentName) {
    switch (azureEnvironmentName) {
        case AZURE_CHINA:
            return AzureAuthorityHosts.AZURE_CHINA;
        case AZURE_US_GOVERNMENT_L4:
        case AZURE_US_GOVERNMENT_L5:
            return AzureAuthorityHosts.AZURE_GOVERNMENT;
        case AZURE_PUBLIC_CLOUD:
        default:
            return AzureAuthorityHosts.AZURE_PUBLIC_CLOUD;
    }
}
```

https://github.com/Azure/azure-sdk-for-java/blob/d95e5973af66b314dbfea970874661f5866412e4/sdk/identity/azure-identity/src/main/java/com/azure/identity/AzureAuthorityHosts.java#L25-L28

https://github.com/Azure/azure-sdk-for-java/issues doesn't seem to have any issues requesting that AzureAuthorityHosts.AZURE_CHINA be changed to "login.partner.microsoftonline.cn".

@timja
Member

timja commented Mar 26, 2025

> The Azure China environment needs to update the domain name

Are you hitting an issue with it set as-is? If so can you request or send a PR to https://github.com/Azure/azure-sdk-for-java/issues

We consume the official microsoft SDK and can easily update once they publish a release

@KalleOlaviNiemitalo

I'm not sure the constants in AzureAuthorityHosts are intended to be used for JWT issuer validation.

Both https://login.chinacloudapi.cn/common/v2.0/.well-known/openid-configuration and https://login.partner.microsoftonline.cn/common/v2.0/.well-known/openid-configuration currently include "issuer": "https://login.partner.microsoftonline.cn/{tenantid}/v2.0". So if this plugin retrieved the OpenID discovery document from there and validated the JWT issuer against that, then it would work.

In the spring-cloud-azure-autoconfigure part of Azure SDK for Java, the AadJwtIssuerValidator and AadTrustedIssuerRepository classes seem intended for validating JWT issuers. However, they have "https://sts.chinacloudapi.cn/" rather than "https://login.chinacloudapi.cn/". If the JWTs have previously had something starting with "https://login.chinacloudapi.cn/" as the issuer, then I don't understand how those classes could have worked. Anyway, I don't think this plugin uses spring-cloud-azure-autoconfigure.

@timja
Member

timja commented Mar 26, 2025

> then I don't understand how those classes could have worked

Unsure if anyone has used it in china before. I have no way of testing it.

We've had a few requests for US Government but not China before IIRC.

@metestone
Author

> The Azure China environment needs to update the domain name
>
> Are you hitting an issue with it set as-is? If so can you request or send a PR to https://github.com/Azure/azure-sdk-for-java/issues
>
> We consume the official microsoft SDK and can easily update once they publish a release

I have submitted the issue.
Azure/azure-sdk-for-java#44804

@billwert

Hello! I'm one of the owners of the Azure Identity SDK for Java. Thanks for bringing this to our attention; we'll look at updating the hosts.

With that said,

> Both https://login.chinacloudapi.cn/common/v2.0/.well-known/openid-configuration and https://login.partner.microsoftonline.cn/common/v2.0/.well-known/openid-configuration currently include "issuer": "https://login.partner.microsoftonline.cn/{tenantid}/v2.0". So if this plugin retrieved the OpenID discovery document from there and validated the JWT issuer against that, then it would work.

This is correct. Your library should be validating the issuer against the configuration document, not against the values in the AzureAuthorityHosts enum. You can make this fix independently of us updating the values (which may take some time.)
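The approach the two comments above describe (take the issuer from the OpenID discovery document and compare the token's `iss` against it, rather than formatting it from `AzureAuthorityHosts`) as an added example. This is not the plugin's or the Azure SDK's code. It assumes a reduced, constructed discovery document that carries only the issuer value quoted in the thread, reuses the tenant ID from the error message, and decodes a constructed token whose signature is not verified; the `tid` cross-check and all function names are the example's own.

```python
import base64
import json

# Tenant ID taken from the error message in this issue.
TENANT_ID = "e670f151-e1b6-401a-a849-dab5de1d68ec"

# AzureAuthorityHosts.AZURE_CHINA as the plugin currently applies it (the host the
# error message reports as "expected"; the trailing slash matters for the
# String.format("%s%s/v2.0", ...) formula quoted above).
AZURE_CHINA_AUTHORITY_HOST = "https://login.chinacloudapi.cn/"

# Constructed sample of the /common/v2.0 discovery document for Entra China,
# reduced to the fields that matter here. The issuer value is the one quoted
# in the thread; a real document carries many more fields.
DISCOVERY_COMMON_CHINA = json.dumps({
    "issuer": "https://login.partner.microsoftonline.cn/{tenantid}/v2.0",
    "jwks_uri": "https://login.partner.microsoftonline.cn/common/discovery/v2.0/keys",
})


def expected_issuer_from_authority_host(authority_host: str, tenant_id: str) -> str:
    """Current plugin behaviour: String.format("%s%s/v2.0", authorityHost, tenantId)."""
    return f"{authority_host}{tenant_id}/v2.0"


def expected_issuer_from_discovery(discovery_json: str, tenant_id: str) -> str:
    """Read "issuer" from the discovery document.

    The /common document carries the literal placeholder {tenantid}; a
    tenant-specific document (/<tenant>/v2.0/.well-known/openid-configuration)
    already has the tenant filled in, so the replace is a no-op there.
    """
    issuer = json.loads(discovery_json)["issuer"]
    if not issuer.startswith("https://"):
        raise ValueError("refusing non-HTTPS issuer from discovery document")
    return issuer.replace("{tenantid}", tenant_id)


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def unverified_claims(token: str) -> dict:
    """Decode the payload segment only. In real use the signature must be
    verified against the document's jwks_uri before any claim is trusted."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact-serialised JWS")
    return json.loads(_b64url_decode(parts[1]))


def issuer_matches(claims: dict, expected_issuer: str, tenant_id: str) -> bool:
    """Exact-string comparison of iss, plus a cross-check that the token's tid
    is the configured tenant (added check: with a templated issuer, the tenant
    segment is the only thing tying the issuer to this tenant)."""
    return claims.get("iss") == expected_issuer and claims.get("tid") == tenant_id


def make_demo_token(claims: dict) -> str:
    """Constructed token with an empty signature segment, for claim inspection only."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


def demo() -> dict:
    """Run both strategies against a token whose iss is the value Entra China
    actually sends (taken from the issue's error message)."""
    token = make_demo_token({
        "iss": f"https://login.partner.microsoftonline.cn/{TENANT_ID}/v2.0",
        "tid": TENANT_ID,
        "aud": "jenkins-client-id",   # constructed
        "sub": "user",                # constructed
    })
    claims = unverified_claims(token)
    from_host = expected_issuer_from_authority_host(AZURE_CHINA_AUTHORITY_HOST, TENANT_ID)
    from_discovery = expected_issuer_from_discovery(DISCOVERY_COMMON_CHINA, TENANT_ID)
    return {
        "expected_from_host": from_host,
        "expected_from_discovery": from_discovery,
        "hardcoded_host_accepts": issuer_matches(claims, from_host, TENANT_ID),
        "discovery_accepts": issuer_matches(claims, from_discovery, TENANT_ID),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run as-is, `demo()` reports `hardcoded_host_accepts: false` (the `login.chinacloudapi.cn` issuer built from the authority host never equals what the token carries) and `discovery_accepts: true`. In the plugin's terms this corresponds to feeding the discovery-derived value, not `authorityHost + tenantId`, into `setExpectedIssuer` on the `JwtConsumer`; a cached copy of the discovery document keeps this from adding a network round trip per login.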
