Description
Due to a misconfiguration of a custom identity provider, it is possible to leave a Static Web App in a non-functional state with no feedback as to why the site isn't loading. It simply returns a "500" error state. This issue has been opened to request a more graceful failure state, and to provide a reference to anyone else who runs into the same problem.
Here's an example auth configuration based on using a new Entra External ID tenant. Using this will result in a 500 internal server error.
```json
{
  "auth": {
    "identityProviders": {
      "customOpenIdConnectProviders": {
        "ext": {
          "registration": {
            "clientIdSettingName": "OPENID_CLIENT_ID",
            "clientCredential": {
              "clientSecretSettingName": "OPENID_CLIENT_SECRET"
            },
            "openIdConnectConfiguration": {
              "wellKnownOpenIdConfiguration": "https://[tenant].onmicrosoft.com/[tenant].onmicrosoft.com/v2.0/.well-known/openid-configuration?appid=[appId]"
            }
          },
          "login": {
            "nameClaimType": "name",
            "scopes": ["openid", "email", "profile"],
            "loginParameterNames": []
          }
        }
      }
    }
  }
}
```
The failure is that the wellKnownOpenIdConfiguration is:
https://[tenant].onmicrosoft.com/[tenant].onmicrosoft.com/v2.0/.well-known/openid-configuration?appid=[appId]
But it should be:
https://[tenant].ciamlogin.com/[tenant].onmicrosoft.com/v2.0/.well-known/openid-configuration?appid=[appId]
This is very subtly wrong (it should be ciamlogin.com not onmicrosoft.com). The onmicrosoft.com version doesn't resolve to a valid domain. As a result, the Static Web App fails with a 500 Internal Server Error.
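Because the platform gives no feedback, the practical defence is to lint the auth section of staticwebapp.config.json before deploying. The following is an added example, not code from Azure Static Web Apps or from this issue's author: it parses each custom OIDC provider's discovery URL, requires https and the standard `/.well-known/openid-configuration` path, and flags a host under onmicrosoft.com, which is the tenant's directory name rather than a login endpoint (Entra External ID serves discovery from `<tenant>.ciamlogin.com`, as the issue notes). The `[tenant]` and `[appId]` placeholders are the issue's own constructed values; the function names are assumptions of this example.

```javascript
// Added example (not Azure Static Web Apps code): a pre-deploy lint for the
// "auth" section of staticwebapp.config.json that catches the discovery-URL
// mistake described in the issue before the site goes live with a blank 500.

const DISCOVERY_SUFFIX = "/.well-known/openid-configuration";

// Square-bracket placeholders such as "[tenant]" are not legal host characters
// (the URL parser reads them as an IPv6 literal), so swap them for a neutral
// token before parsing. Real configs have no brackets and pass through unchanged.
function substitutePlaceholders(url) {
  return url.replace(/\[[^\]]+\]/g, "placeholder");
}

// Check one provider's discovery URL. Returns a list of findings (empty = OK).
function checkDiscoveryUrl(providerName, url) {
  const findings = [];
  if (typeof url !== "string" || url.length === 0) {
    return [`${providerName}: wellKnownOpenIdConfiguration is missing`];
  }
  let parsed;
  try {
    parsed = new URL(substitutePlaceholders(url));
  } catch (err) {
    return [`${providerName}: wellKnownOpenIdConfiguration is not a parseable URL`];
  }
  if (parsed.protocol !== "https:") {
    findings.push(`${providerName}: discovery URL must use https, got ${parsed.protocol}`);
  }
  if (!parsed.pathname.endsWith(DISCOVERY_SUFFIX)) {
    findings.push(`${providerName}: discovery URL path should end with ${DISCOVERY_SUFFIX}`);
  }
  // The issue's bug: onmicrosoft.com is the tenant's directory name, not a login
  // host, so the discovery document can never be fetched from it.
  if (parsed.hostname.endsWith(".onmicrosoft.com")) {
    findings.push(
      `${providerName}: discovery host "${parsed.hostname}" is an onmicrosoft.com domain ` +
      `and will not resolve; for Entra External ID use <tenant>.ciamlogin.com as the host`
    );
  }
  return findings;
}

// Walk every custom OIDC provider in a parsed staticwebapp.config.json object.
function lintAuthConfig(config) {
  const providers =
    config?.auth?.identityProviders?.customOpenIdConnectProviders ?? {};
  const findings = [];
  for (const [name, provider] of Object.entries(providers)) {
    const url = provider?.registration?.openIdConnectConfiguration?.wellKnownOpenIdConfiguration;
    findings.push(...checkDiscoveryUrl(name, url));
  }
  return findings;
}

// Constructed sample config mirroring the issue, parameterised by discovery URL.
function sampleConfig(discoveryUrl) {
  return {
    auth: {
      identityProviders: {
        customOpenIdConnectProviders: {
          ext: {
            registration: {
              clientIdSettingName: "OPENID_CLIENT_ID",
              clientCredential: { clientSecretSettingName: "OPENID_CLIENT_SECRET" },
              openIdConnectConfiguration: { wellKnownOpenIdConfiguration: discoveryUrl },
            },
            login: { nameClaimType: "name", scopes: ["openid", "email", "profile"], loginParameterNames: [] },
          },
        },
      },
    },
  };
}

// The broken URL from the issue and the corrected one.
const BROKEN_URL = "https://[tenant].onmicrosoft.com/[tenant].onmicrosoft.com/v2.0/.well-known/openid-configuration?appid=[appId]";
const FIXED_URL  = "https://[tenant].ciamlogin.com/[tenant].onmicrosoft.com/v2.0/.well-known/openid-configuration?appid=[appId]";

// Stand-alone run: report findings for both configs.
for (const [label, url] of [["broken", BROKEN_URL], ["fixed", FIXED_URL]]) {
  const findings = lintAuthConfig(sampleConfig(url));
  console.log(`${label}: ${findings.length === 0 ? "OK" : findings.join("\n  ")}`);
}
```

Run it as a CI step with `node lint-auth.js` after reading the real file with `JSON.parse(fs.readFileSync("staticwebapp.config.json"))` and fail the pipeline on any finding; the host check is deliberately narrow so it only fires on the exact mistake this issue documents, and a non-parseable or missing URL is reported separately rather than letting deployment proceed to a silent 500.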
To Reproduce
Steps to reproduce the behavior:
- Set up a static web app and add a configuration with the incorrect wellKnownOpenIdConfiguration.
- Visit the site.
- See a 500 internal server error.
Expected behavior
There doesn't seem to be a good failure path for issues with the static web app config. I'd suggest updating the 500 message for Static Web Apps to indicate that there's a misconfiguration in the auth area.