Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

client assertion does not work when its issuer and subject don't match #437

Closed
chewong opened this issue Sep 7, 2021 · 4 comments
Closed

client assertion does not work when its issuer and subject don't match #437

chewong opened this issue Sep 7, 2021 · 4 comments
Assignees
@siddhijain @Avery-Dunn
Labels
Enhancement A request or suggestion to improve some aspect of the library

Comments

@chewong
Copy link

chewong commented Sep 7, 2021 

public Mono<AccessToken> getToken(TokenRequestContext request)  {
    Map<String, String> env = System.getenv();
    String clientAssertion = "<jwt>";

    IClientCredential credential = ClientCredentialFactory.createFromClientAssertion(clientAssertion);
    String authority = "...";
    try {
        ConfidentialClientApplication app = ConfidentialClientApplication.builder(env.get("AZURE_CLIENT_ID"), credential).authority(authority).build();

        Set<String> scopes = new HashSet<>();
        for (String scope : request.getScopes()) scopes.add(scope);

        ClientCredentialParameters parameters = ClientCredentialParameters.builder(scopes).build();
        IAuthenticationResult result = app.acquireToken(parameters).join();
        return Mono.just(new AccessToken(result.accessToken(), result.expiresOnDate().toInstant().atOffset(ZoneOffset.UTC)));
    } catch (Exception e) {
        System.out.printf("Error creating client application: %s", e.getMessage());
        System.exit(1);
    }

    return Mono.empty();
}

I got the following error:

Error creating client application: com.nimbusds.oauth2.sdk.ParseException: Issuer and subject in client JWT assertion must designate the same client identifier

I have used msal-python, msal-go, msal-net, msal-node, and they all do not require client assertion's issuer and subject to be the same.
@chewong chewong mentioned this issue Sep 7, 2021
Closed
7 tasks
@Avery-Dunn
Copy link
Collaborator

Hello @chewong : Sorry for the delayed response. That error message is coming from a package we use, com.nimbusds.oauth2.sdk, which implements the OAuth2 spec and we use it for most of this kind of JWT parsing.

I took a quick look through the JWT client spec and it doesn't say that they need to match so I'm not sure why the dependency is checking it, and confirmed with at least the MSAL .NET folks that they library allows it like you said. We'll work on a way to get around that check, unfortunately it's a thing that some other part of the dependency calls so we may need to replace more than just this. I'll update this thread once we have the fix.

@Avery-Dunn Avery-Dunn self-assigned this Sep 20, 2021
@Avery-Dunn Avery-Dunn added the Enhancement A request or suggestion to improve some aspect of the library label Sep 20, 2021
@siddhijain siddhijain self-assigned this Jan 19, 2022
siddhijain added a commit that referenced this issue Jan 25, 2022
@siddhijain
Issue #437 fix - Drop validation on subject and issuer values
04be4b9
Avery-Dunn added a commit that referenced this issue Jan 27, 2022
@Avery-Dunn @sangonzal @siddhijain
Release 1.11.1 (#461)
770a8fe 
* Allow empty set for scopes. Remove empty string if included in scopes for silent request

* Trim scopes

* Minor code formatting applied to most files (#417)

* Initial commit

* Remove info flagged by automated build step (#440)

* Remove info flagged by automated build step

* Remove unneeded references and test for old Azure Germany cloud

* Issue #437 fix - Drop validation on subject and issuer values

* Fixed tests

* Created new app to fix failing tests

* Moving tests to an existing file

* Adding copyright line

* Adding comments

* Bump version numbers for 1.11.1 release (#460)

Co-authored-by: Santiago Gonzalez <sagonzal@microsoft.com>
Co-authored-by: Santiago Gonzalez <35743865+sangonzal@users.noreply.github.com>
Co-authored-by: siddhijain <siddhijain@microsoft.com>
Co-authored-by: siddhijain <siddhi0811@gmail.com>
@siddhijain
Copy link
Contributor

@chewong Latest version of MSAL(1.11.1) is now released that contains fix of this issue.

nclaeys added a commit to nclaeys/microsoft-authentication-library-for-java that referenced this issue Feb 7, 2022
@nclaeys
fix: request oauth tokens correctly for jwt auth
101759a 
The customJwtAuthentication class did not provide the same behavior as the JwtAuthentication class of nimbusds library.
The fix for AzureAD#437 is not sufficient to use workload-identity with this msal library. I updated the customJwtAuthentication to make sure it sets the correct body when requesting oauth tokens.
@nclaeys nclaeys mentioned this issue Feb 7, 2022
Merged
@vdzhuvinov
Copy link

FYI v9.42 of the Nimbus OAuth / OIDC SDK got a fix to support iss != sub:

https://bitbucket.org/connect2id/oauth-2.0-sdk-with-openid-connect-extensions/issues/393/allow-issuer-and-subject-in-client-jwt

@siddhijain
Copy link
Contributor

Thanks for letting us know @vdzhuvinov !

@bgavrilMS bgavrilMS moved this to Done (in next release) in MSAL Java Customer Trust Aug 21, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@siddhijain siddhijain

@Avery-Dunn Avery-Dunn

Labels
Enhancement A request or suggestion to improve some aspect of the library
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@vdzhuvinov @chewong @siddhijain @Avery-Dunn