Hello. Thanks all who maintain and contribute to this gem.
I use it for SSO with ADFS in my project. While setting up I was getting the error
```
...
DEBUG -- omniauth: (openid_connect) Callback phase initiated.
ERROR -- omniauth: (openid_connect) Authentication failure! Access Token Invalid or Expired: OpenIDConnect::Unauthorized, Access Token Invalid or Expired
...
```
which had me banging my head on the keyboard, because the error message was quite far from the original issue. I dived into the library with prints to figure it out. As I understood, the problem is that the AD FS UserInfo endpoint does not expect the client to request additional claims; it simply does not support that (ADFS FAQ).
So, the original error returned by the provider when the client requests the userinfo_endpoint in the callback phase is below:
```
MSIS9921: Received invalid UserInfo request. Audience 'microsoft:identityserver:<my_identifier>' in the access token is not same as the identifier of the UserInfo relying party trust 'urn:microsoft:userinfo'.
```
Thanks to the extra_authorize_params option I was able to set the resource URI that the provider expects. Here is my working config:
```ruby
Rails.application.config.middleware.use OmniAuth::Builder do
  provider :openid_connect,
    scope: ['openid', 'profile', 'email'],
    issuer: 'https://provider.example.com/adfs',
    # AD FS only accepts userinfo requests whose access token audience is this URI
    extra_authorize_params: { "resource": "urn:microsoft:userinfo" },
    discovery: true,
    client_options: {
      port: 443,
      scheme: 'https',
      host: 'provider.example.com',
      authorization_endpoint: 'https://provider.example.com/adfs/oauth2/authorize',
      token_endpoint: 'https://provider.example.com/adfs/oauth2/token',
      userinfo_endpoint: 'https://provider.example.com/adfs/userinfo',
      identifier: ENV["OIDC_IDENTIFIER"],
      secret: ENV["OIDC_SECRET"],
      redirect_uri: "https://example.com/auth/openid_connect/callback"
    }
end
```
Maybe it makes sense to add a note about the resource URI for AD FS. Or maybe to add an option that skips requesting the userinfo_endpoint at all. What do you think?
I'm not sure this is a case for having another omniauth provider.
P.S. Minor NOTE for those who will be using this as a manual. After fixing the issue, you may still get "Access Token Invalid or Expired" from time to time. In my case it went away completely after I configured NTP on the server.