From 097a918da7397665d7b64a50c9fe234313065659 Mon Sep 17 00:00:00 2001
From: Mariano Cano <mariano.cano@gmail.com>
Date: Mon, 30 Aug 2021 16:36:18 -0700
Subject: [PATCH 1/2] Fix tests when we create re-use a token with a new
 authority.

---
 authority/authority_test.go | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/authority/authority_test.go b/authority/authority_test.go
index 7604ec6b..1e18a24f 100644
--- a/authority/authority_test.go
+++ b/authority/authority_test.go
@@ -11,6 +11,7 @@ import (
 	"net"
 	"reflect"
 	"testing"
+	"time"
 
 	"github.com/pkg/errors"
 	"github.com/smallstep/assert"
@@ -82,6 +83,10 @@ func testAuthority(t *testing.T, opts ...Option) *Authority {
 	}
 	a, err := New(c, opts...)
 	assert.FatalError(t, err)
+	// Avoid errors when test tokens are created before the test authority. This
+	// happens in some tests where we re-create the same authority to test
+	// special cases without re-creating the token.
+	a.startTime = a.startTime.Add(-1 * time.Minute)
 	return a
 }
 

From f919535475f7821249fad7ec61ca6fd8c0be6dae Mon Sep 17 00:00:00 2001
From: Mariano Cano <mariano.cano@gmail.com>
Date: Mon, 30 Aug 2021 16:37:29 -0700
Subject: [PATCH 2/2] Add an extra way to distinguish Azure and Azure OIDC
 tokens.

We used to distinguish these tokens using the azp claim, but this
claim does not appear on new azure oidc tokens, at least on some
configurations.

This change will try to load by audience (client id) if the token
contains an email, required for OIDC.
---
 authority/provisioner/collection.go | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)

diff --git a/authority/provisioner/collection.go b/authority/provisioner/collection.go
index 3ba98a23..caf46ca9 100644
--- a/authority/provisioner/collection.go
+++ b/authority/provisioner/collection.go
@@ -37,8 +37,9 @@ func (p provisionerSlice) Swap(i, j int)      { p[i], p[j] = p[j], p[i] }
 // provisioner.
 type loadByTokenPayload struct {
 	jose.Claims
-	AuthorizedParty string `json:"azp"` // OIDC client id
-	TenantID        string `json:"tid"` // Microsoft Azure tenant id
+	Email           string `json:"email"` // OIDC email
+	AuthorizedParty string `json:"azp"`   // OIDC client id
+	TenantID        string `json:"tid"`   // Microsoft Azure tenant id
 }
 
 // Collection is a memory map of provisioners.
@@ -129,12 +130,20 @@ func (c *Collection) LoadByToken(token *jose.JSONWebToken, claims *jose.Claims)
 			return p, ok
 		}
 	}
-	// Try with tid (Azure)
+	// Try with tid (Azure, Azure OIDC)
 	if payload.TenantID != "" {
+		// Try to load an OIDC provisioner first.
+		if payload.Email != "" {
+			if p, ok := c.LoadByTokenID(payload.Audience[0]); ok {
+				return p, ok
+			}
+		}
+		// Try to load an Azure provisioner.
 		if p, ok := c.LoadByTokenID(payload.TenantID); ok {
 			return p, ok
 		}
 	}
+
 	// Fallback to aud
 	return c.LoadByTokenID(payload.Audience[0])
 }