https://github.com/AzureAD/microsoft-authentication-library-for-python/blob/dev/msal/authority.py#L155 shows a pattern of validating the OIDC issuer (a defense in depth initiative) which uses endswith(domain). This is incorrect, as a fake domain can be "fakeb2clogin.com" and would pass the filter.
The solution is to replace it with a stronger endswith("."+domain), e.g. endswith(".b2clogin.com").
Please audit the other MSALs as part of this.
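
The difference between the two checks, as an added example that is not MSAL's code: the function names, the suffix tuple and the sample issuer URLs are constructed for illustration, and only `b2clogin.com` and `fakeb2clogin.com` come from the report above. It also matches against the parsed hostname rather than the raw URL string, so userinfo, port, case and a trailing dot do not affect the result.

```python
from urllib.parse import urlsplit

# Assumption: illustrative list; only b2clogin.com is taken from the issue text.
TRUSTED_DOMAINS = ("b2clogin.com",)


def issuer_host(issuer: str) -> str:
    """Hostname of an issuer URL: lower-cased by urlsplit, trailing dot removed."""
    return (urlsplit(issuer).hostname or "").rstrip(".")


def trusted_weak(issuer: str) -> bool:
    """Flawed pattern: bare suffix match, so any name ending in the string passes."""
    host = issuer_host(issuer)
    return any(host.endswith(d) for d in TRUSTED_DOMAINS)


def trusted_strict(issuer: str) -> bool:
    """Suggested fix: require a label boundary ('.') before the trusted domain."""
    host = issuer_host(issuer)
    return any(host.endswith("." + d) for d in TRUSTED_DOMAINS)


# Constructed sample issuers (not real tenants).
SAMPLES = [
    "https://contoso.b2clogin.com/tenant-id/v2.0/",   # genuine subdomain
    "https://fakeb2clogin.com/tenant-id/v2.0/",       # look-alike registrable domain
    "https://contoso.b2clogin.com.evil.example/",     # trusted name used as a prefix
    "https://contoso.b2clogin.com@evil.example/",     # trusted name in userinfo
    "https://CONTOSO.B2CLOGIN.COM.:443/v2.0/",        # case, trailing dot, port
]


def compare(issuers):
    """Return (issuer, weak_result, strict_result) for each issuer."""
    return [(i, trusted_weak(i), trusted_strict(i)) for i in issuers]


if __name__ == "__main__":
    for issuer, weak, strict in compare(SAMPLES):
        print(f"weak={weak!s:5} strict={strict!s:5} {issuer}")
```
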