
Azure AD: access token validation via oidc_jwt_keyfile endpoint #10

Open
shawnhankim opened this issue Oct 15, 2022 · 1 comment

shawnhankim commented Oct 15, 2022

Issue:

  1. Most IdPs' `$oidc_jwt_keyfile` endpoint works for access token validation, but Azure AD doesn't work, as the following message shows:

    ```
    [info] 87#87: *500 JWT RS validation failed kid:"2ZQpJ3UpbjAYXYGaXEJl8lV0TOI" (SSL: error:04091068:rsa routines:int_rsa_verify:bad signature), client: 172.18.0.1, server: nginx.azure.test, request: "GET /v1/api/example HTTP/1.1", host: "nginx.azure.test:15000"
    ```

    • Because, if a nonce is included in the access token, validating the signature with JWT.io or JWT SecurityToken won't succeed.
  2. To solve #1, we can add "[CLIENT_ID]/.default" in the authorization endpoint of Azure AD.

  3. However, the access token doesn't work for the userinfo endpoint as a Bearer in the header of the API request, although the validation works.

    ```
    {"error":{"code":"InvalidAuthenticationToken","message":"Access token validation failure. Invalid audience.","innerError":
    {"date":"2022-10-15T07:13:25","request-id":"xxxx-xxx-xxx-xxx-xxxx","client-request-id":"xxxx-xxx-xxx-xxx-xxxx"}}}
    ```

  4. To successfully get a 200 response from the /userinfo endpoint, we can either remove the scope in the authorization endpoint or find a way to solve the invalid audience.

References:

shawnhankim (Member, Author) commented:

Azure AD Access Token Types

There are two main types of Azure AD access token, summarised below, and our problem is that we are using the wrong type of token:

| Audience | Description |
| --- | --- |
| Microsoft APIs | These contain a nonce field in the JWT header and are not designed for custom APIs such as ours to validate |
| Custom APIs | Custom APIs need to get a token that can be validated, and we are not yet configured to enable this |

If we get a token with a nonce field in the JWT header, then it is intended for Microsoft APIs to validate, and will always fail standard signature based validation.
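As an added example that is not part of this issue or of the project's code, the following Python pre-check decodes a token's JOSE header and claims and reports the two failure modes discussed here (a `nonce` in the header, and an `aud` that is not the API's own) before any signature verification is attempted; the client id, key id and token contents are constructed placeholders.

```python
import base64
import json

# Constructed placeholder for the API's own application (client) id.
API_CLIENT_ID = "api-client-id-placeholder"

def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url_encode(obj: dict) -> str:
    """Encode a JSON object as an unpadded base64url JWT segment."""
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def triage_access_token(token: str, expected_aud: str = API_CLIENT_ID) -> dict:
    """Inspect header and claims before signature validation.
    The signature is NOT checked here; this only explains why validation
    would fail and what the caller should change."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    header = json.loads(_b64url_decode(parts[0]))
    claims = json.loads(_b64url_decode(parts[1]))
    if "nonce" in header:
        # Azure AD tokens carrying a header nonce are meant for Microsoft
        # APIs; standard JWS verification of them fails ("bad signature").
        return {"ok": False, "reason": "header_nonce",
                "hint": f"request scope {expected_aud}/.default"}
    if claims.get("aud") != expected_aud:
        # Wrong audience: the token was issued for some other resource.
        return {"ok": False, "reason": "invalid_audience",
                "aud": claims.get("aud")}
    return {"ok": True, "reason": "proceed_to_signature_check",
            "kid": header.get("kid")}

def make_unsigned_sample(header: dict, claims: dict) -> str:
    """Build a constructed sample token with a dummy signature segment."""
    return f"{_b64url_encode(header)}.{_b64url_encode(claims)}.c2ln"

# Constructed samples mirroring the two cases in the issue.
GRAPH_STYLE = make_unsigned_sample(
    {"typ": "JWT", "alg": "RS256", "kid": "kid-placeholder", "nonce": "nonce-placeholder"},
    {"aud": "https://graph.microsoft.com", "sub": "user"})
CUSTOM_API = make_unsigned_sample(
    {"typ": "JWT", "alg": "RS256", "kid": "kid-placeholder"},
    {"aud": API_CLIENT_ID, "sub": "user"})
```

Run `triage_access_token(GRAPH_STYLE)` to see the header-nonce rejection and `triage_access_token(CUSTOM_API)` to see a token that should be passed on to normal `kid`-based signature validation.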
