From b1937ba1a94bd5a95c73668d0a1aa42b9c035e51 Mon Sep 17 00:00:00 2001
From: JB
Date: Tue, 5 Sep 2023 14:25:32 +0200
Subject: [PATCH 1/2] Microsoft Azure multi tenant support for issuer validation when verifying JWT claims
---
 src/OpenIDConnectClient.php | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/src/OpenIDConnectClient.php b/src/OpenIDConnectClient.php
index 6aa80b17..00fe9f1c 100644
--- a/src/OpenIDConnectClient.php
+++ b/src/OpenIDConnectClient.php
@@ -1204,6 +1204,10 @@ protected function verifyJWTClaims($claims, string $accessToken = null): bool
 $len = ((int)$bit)/16;
 $expected_at_hash = $this->urlEncode(substr(hash('sha'.$bit, $accessToken, true), 0, $len));
 }
+ // check for tenantid as used by Microsoft Azure
+ if(isset($claims->tid) && strpos($this->getWellKnownIssuer(), "{tenantid}")){
+ $this->setIssuer(str_replace("{tenantid}", $claims->tid, $this->getWellKnownIssuer()));
+ }
 return (($this->validateIssuer($claims->iss)) && (($claims->aud === $this->clientID) || in_array($this->clientID, $claims->aud, true)) && (!isset($claims->nonce) || $claims->nonce === $this->getNonce())
From e3b9cf724e58c17a6a533d09d02c24df6e8c161e Mon Sep 17 00:00:00 2001
From: JB
Date: Tue, 5 Sep 2023 14:59:01 +0200
Subject: [PATCH 2/2] Microsoft Azure multi tenant support for issuer validation when verifying JWT claims
---
 CHANGELOG.md | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 81f127d2..2243a325 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -5,6 +5,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/)
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 ## [unreleased]
+* Microsoft Azure multi tenant support for issuer validation when verifying JWT claims #386
 * User-Agent is set for any HTTP method in fetchURL() (not just POST). #382
 * Update visibility of getWellKnownConfigValue to protected. #363
 * Fixed issue on authentication for php8. #354 
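Review bot: The issuer that `validateIssuer` compares against on the next line is now built from the token's own `tid` claim, so once the discovery document carries Azure's `{tenantid}` template a token from any Azure AD tenant satisfies issuer validation — all tenants sign with the same published keys, and the new block neither restricts `tid` to tenants the deployment trusts nor checks that it is a tenant GUID at all. At minimum reject a non-string or malformed `tid` before substituting it, and write the `strpos` test as `!== false` instead of relying on truthiness. The substitution also goes through `setIssuer`, so later verifications on the same client instance presumably inherit the tenant chosen by the first token; if `validateIssuer` can be given an expected issuer directly, a local value would avoid that. Callers using the `common`/`organizations` endpoints still have to allow-list `tid` after this check, which the block should say in a comment rather than leave implicit. `verifyJWTClaims` begins before the hunk and its `return` expression continues past it.
```php
        // Azure AD multi-tenant metadata publishes a templated issuer; fill the
        // placeholder from the token's tid only when tid is a well-formed tenant id.
        // Every Azure tenant's tokens verify against the same keys, so the
        // application must still restrict tid to the tenants it trusts.
        if (isset($claims->tid) && strpos($this->getWellKnownIssuer(), '{tenantid}') !== false) {
            if (!is_string($claims->tid)
                || !preg_match('/^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$/i', $claims->tid)) {
                return false;
            }
            $this->setIssuer(str_replace('{tenantid}', $claims->tid, $this->getWellKnownIssuer()));
        }
        // … unchanged: return ((validateIssuer …) && aud check && nonce check …
```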
@@ -16,6 +17,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 * Update well known config value function response types #376
 ### Added
+- Microsoft Azure multi tenant support for issuer validation when verifying JWT claims #386
 - Support for signed and encrypted UserInfo response. #305
 - Support for signed and encrypted ID Token. #305