Describe the bug
When using Microsoft Entra ID v2 as the IdP for OIDC, access token verification fails because the token endpoint returns v1 access tokens for the MS Graph API, which have a different JWKS than v2 tokens. This causes the v1 access token to be verified against the v2 JWKS, which fails because it was signed with a key from the v1 JWKS.
This Auth0 article also confirms that it is not possible to get v2 tokens from the MS Graph API.
The ability to override the JWKS URI with config/environment variables (e.g. PROXY_OIDC_JWKS_URI) would be a fix for this issue.
Steps to reproduce
- Set up OIDC with Microsoft Entra ID for OpenCloud
- Attempt to sign in
Expected behavior
Access token verification succeeds and users are able to log in.
Actual behavior
Access token verification fails and users are not able to log in.
Logs:
{"level":"error","service":"proxy","error":"failed to verify access token: token signature is invalid: crypto/rsa: verification error","authenticator":"oidc","path":"/graph/v1.0/me","user_agent":"Mozilla/5.0 (X11; Linux x86_64; rv:143.0) Gecko/20100101 Firefox/143.0","client.address":"xxx.xxx.xxx.xxx,10.244.2.135","network.peer.address":"","network.peer.port":"","time":"2026-04-27T03:20:10Z","line":"github.com/opencloud-eu/opencloud/services/proxy/pkg/middleware/oidc_auth.go:209","message":"failed to authenticate the request"}
Setup
Please describe how you started the server and provide a list of relevant environment variables or configuration files.
Details
OC_OIDC_ISSUER: https://login.microsoftonline.com/<TENANT ID>/v2.0
OC_OIDC_CLIENT_ID: <CLIENT ID>
OC_EXCLUDE_RUN_SERVICES: idp
PROXY_OIDC_REWRITE_WELLKNOWN: "true"
PROXY_USER_OIDC_CLAIM: preferred_username
PROXY_AUTOPROVISION_ACCOUNTS: "true"
PROXY_ROLE_ASSIGNMENT_DRIVER: oidc
PROXY_ROLE_ASSIGNMENT_OIDC_CLAIM: roles
GRAPH_ASSIGN_DEFAULT_USER_ROLE: "false"
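The failure in the log above, reproduced as an added, stand-alone example (this is not OpenCloud's proxy code and not the reporter's): a token signed under one key set is checked against another, which surfaces as exactly `token signature is invalid: crypto/rsa: verification error`, and then against the set matching the token's `ver` claim, which passes. Everything here is assumed for illustration: the JWKS is modelled as an already-parsed map from `kid` to `*rsa.PublicKey` instead of the raw `n`/`e` JSON, both sets publish a different key under the same constructed `kid` so the mismatch shows up as a bad signature rather than a missing key, and the claim values are made up to look like a v1 Graph token.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// keySet stands in for a parsed JWKS (the "n"/"e" members already turned into Go keys), indexed by kid.
type keySet map[string]*rsa.PublicKey
var enc = base64.RawURLEncoding

// decodeSegment base64url-decodes one JWS segment and parses it as JSON into v.
func decodeSegment(seg string, v any) error {
	raw, err := enc.DecodeString(seg)
	if err != nil {
		return err
	}
	return json.Unmarshal(raw, v)
}

// signRS256 builds a compact JWS (header.payload.signature) over claims, naming the signing key in kid.
func signRS256(priv *rsa.PrivateKey, kid string, claims map[string]any) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	pl, _ := json.Marshal(claims)
	input := enc.EncodeToString(hdr) + "." + enc.EncodeToString(pl)
	h := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, h[:])
	if err != nil {
		return "", err
	}
	return input + "." + enc.EncodeToString(sig), nil
}

// verifyRS256 checks the signature against keys (key chosen by the kid header) and returns the claims only after it passes.
func verifyRS256(token string, keys keySet) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed compact JWS")
	}
	var hdr struct{ Alg, Kid string } // encoding/json matches these names case-insensitively
	sig, errS := enc.DecodeString(parts[2])
	if errH := decodeSegment(parts[0], &hdr); errH != nil || errS != nil {
		return nil, fmt.Errorf("malformed JWS header or signature")
	}
	if hdr.Alg != "RS256" { // the token must never get to choose a weaker algorithm
		return nil, fmt.Errorf("unsupported alg %q", hdr.Alg)
	}
	pub, ok := keys[hdr.Kid]
	if !ok {
		return nil, fmt.Errorf("kid %q not present in JWKS", hdr.Kid)
	}
	h := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig); err != nil {
		return nil, fmt.Errorf("token signature is invalid: %w", err) // wraps "crypto/rsa: verification error"
	}
	claims := map[string]any{}
	return claims, decodeSegment(parts[1], &claims)
}

// tokenVersion reads the "ver" claim WITHOUT checking the signature. That is acceptable only for
// choosing which already-trusted key set to verify against; an unverified claim is never used otherwise.
func tokenVersion(token string) string {
	var peek struct{ Ver string }
	if p := strings.Split(token, "."); len(p) == 3 {
		_ = decodeSegment(p[1], &peek)
	}
	return peek.Ver
}

// demo mints a token under the "v1" key set and verifies it first against the "v2" set (failing
// with the same error text as the log above), then against the set picked by the token's "ver" claim.
func demo() (mismatchErr error, claims map[string]any, err error) {
	v1, err1 := rsa.GenerateKey(rand.Reader, 2048)
	v2, err2 := rsa.GenerateKey(rand.Reader, 2048)
	if err1 != nil || err2 != nil {
		return nil, nil, fmt.Errorf("key generation failed")
	}
	// Constructed: both sets publish a different key under the same kid, so the mismatch surfaces as
	// a signature failure rather than a missing kid. The kid and all claim values are assumptions.
	const kid = "shared-kid"
	setByVer := map[string]keySet{"1.0": {kid: &v1.PublicKey}, "2.0": {kid: &v2.PublicKey}}
	tok, err := signRS256(v1, kid, map[string]any{"ver": "1.0", "iss": "https://sts.windows.net/<TENANT ID>/",
		"aud": "00000003-0000-0000-c000-000000000000", "preferred_username": "alice@example.com"})
	if err != nil {
		return nil, nil, err
	}
	_, mismatchErr = verifyRS256(tok, setByVer["2.0"])
	claims, err = verifyRS256(tok, setByVer[tokenVersion(tok)]) // nil set for unknown versions: fails closed
	return mismatchErr, claims, err
}

func main() { fmt.Println(demo()) }
```

Two things worth keeping in mind when reading a log like the one above: `kid "…" not present in JWKS` means the set simply lacks the key, whereas `crypto/rsa: verification error` means a key with the matching `kid` was found and the bytes still did not verify, so the wrong set (or a different key under the same `kid`) is in play. And whichever way a JWKS override is implemented, the choice of key set must come from operator configuration or from a fixed list of trusted sets, never from a URL or issuer the unverified token names itself; otherwise anyone can mint a token that points at their own keys.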