From f919535475f7821249fad7ec61ca6fd8c0be6dae Mon Sep 17 00:00:00 2001
From: Mariano Cano <mariano.cano@gmail.com>
Date: Mon, 30 Aug 2021 16:37:29 -0700
Subject: [PATCH] Add an extra way to distinguish Azure and Azure OIDC tokens.

We used to distinguish these tokens using the azp claim, but this
claim does not appear on new azure oidc tokens, at least on some
configurations.

This change will try to load by audience (client id) if the token
contains an email, required for OIDC.
---
 authority/provisioner/collection.go | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)

diff --git a/authority/provisioner/collection.go b/authority/provisioner/collection.go
index 3ba98a23..caf46ca9 100644
--- a/authority/provisioner/collection.go
+++ b/authority/provisioner/collection.go
@@ -37,8 +37,9 @@ func (p provisionerSlice) Swap(i, j int)      { p[i], p[j] = p[j], p[i] }
 // provisioner.
 type loadByTokenPayload struct {
 	jose.Claims
-	AuthorizedParty string `json:"azp"` // OIDC client id
-	TenantID        string `json:"tid"` // Microsoft Azure tenant id
+	Email           string `json:"email"` // OIDC email
+	AuthorizedParty string `json:"azp"`   // OIDC client id
+	TenantID        string `json:"tid"`   // Microsoft Azure tenant id
 }
 
 // Collection is a memory map of provisioners.
@@ -129,12 +130,20 @@ func (c *Collection) LoadByToken(token *jose.JSONWebToken, claims *jose.Claims)
 			return p, ok
 		}
 	}
-	// Try with tid (Azure)
+	// Try with tid (Azure, Azure OIDC)
 	if payload.TenantID != "" {
+		// Try to load an OIDC provisioner first.
+		if payload.Email != "" {
+			if p, ok := c.LoadByTokenID(payload.Audience[0]); ok {
+				return p, ok
+			}
+		}
+		// Try to load an Azure provisioner.
 		if p, ok := c.LoadByTokenID(payload.TenantID); ok {
 			return p, ok
 		}
 	}
+
 	// Fallback to aud
 	return c.LoadByTokenID(payload.Audience[0])
 }