-
Notifications
You must be signed in to change notification settings - Fork 219
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Bug] Bearer error="invalid_token", error_description="The issuer '(null)' is invalid" in v1.14.0 #1310
Comments
Thanks @ThomasBarnekow for the heads-up and detailed repros. Meanwhile, if you want to set the access token version of your web API to v2.0, you need to do it in the app registration. See https://docs.microsoft.com/azure/active-directory/develop/scenario-protected-web-api-app-registration#accepted-token-version |
Thanks, @jmprieur for the super-quick response. I have quickly checked whether using the v2.0 endpoint makes a difference. It does! Using |
Thanks for the update, @ThomasBarnekow |
Thanks for the hint, @jmprieur. I needed an additional claim (and decided to use the I used the Would you agree? |
I guess so, @ThomasBarnekow |
@jmprieur and @hpsin, am I right in assuming that the I created test users for development and test purposes, which do not have email addresses. For those users, there is obviously no When creating a user in Azure AD, you specify a UPN. When managing the username in Microsoft 365, you also specify the username portion of an email address and select an email domain to basically define the UPN, right? I've not seen a way for the user to specify a preferred username, so I can only assume (and actually hope) the I'm happy to ask those questions elsewhere if this is not the place for such questions. |
preferred_username and upn are not guaranteed to be equal. The same is true of email and upn. Some tenants use different UPNs and email addresses in a belief that it is more secure, which is why the claims can be mismatched. Preferred_username is only suitable for displaying a user-recognizable name to the user in the local UX, as it can change with each login (e.g. if they sign in with a UPN one day, and an email address the next). UPN is the "correct" value for a user-readable identifier for a user, but may not be recognizable to the human. |
Thanks, @hpsin. So what you are saying is that the Say the UPN and email are different and the user can sign in using only the UPN or email (but no phone number or other "name"). In that case, the |
To add to the above: I added logging for the
So for testing purposes, I changed the value of Unfortunately, this workaround is not an option for me (and for most users, probably), because I need to authenticate users from different AAD tenants. Anyway, it looks like the problem is related to |
Thanks @jlpstolwijk for this investigation. |
@jlpstolwijk, I've been trying to repro this problem. I changed the manifest of my web API to have it request for a v1.0 token, and changed the TenantId to be common, but I still don't have any error. Would you have set the issuer yourself? |
Almost - unfortunately in guest scenarios, they could sign in using their foreign-tenant UPN, and then you'd have If you're looking to ACL based off of human-readable names, it'll generally be a rough time as values change over time. If possible, I'd suggest using app role assignment within the Azure Portal instead, which gives you reliable connection between the user object and the permission you want to grant them. This works best for low-resolution granularity - e.g. "reader" and "writer" roles. If you need to use high resolution rules, you may need to build a widget for the admin that reliably turns human-names into OIDs. |
@jmprieur tenantId should be “organizations”, not common. Maybe that helps? |
@jlpstolwijk : I tried organizations too |
Hmm strange. My manifest for both angular spa (which retrieves token) and .net core api (which cheks token) have "accessTokenAcceptedVersion": null. Dont know if that makes a difference. I’ll try to see if I can post more code later, not on my laptop now. A little more code is in this other comment: |
@hpsin, thanks. I only need this for first-time user registration to match a piece of information (e.g., the username or email) that is known to the user and given to an application admin for adding the user to the application. Once the user signs in, the OID is retrieved and used for any further authentication and authorization decision. The desire is to ask a straightforward question such as "what is your email address" and be able to retrieve that piece of information from the token. However, I also need a solution for test users (in my own tenant) who don't have an email address, which is why the UPN comes into play. For all other cases, I would guess the email address is the best way. Just to confirm, in your guest scenario, is "user_domain.com" the representation of the guest user's email address (e.g., user@domain.com) or UPN? I would expect this to be the email address. Anyhow, in guest scenarios, the |
@jlpstolwijk, did you try to change |
Actually sorry, I had changed it on the client web app, not the web API. We can repro it. Thanks so much! |
Yes I tried that and it seemed to work. However, I prefer not to switch to v2, because of existing clients being logged out etc |
This is a bit tricky. If you need a valid email address, you need to ask for it explicitly. We can't guarantee that the email addresses are addressable, nor the email claim that we create for guest users. I believe the email claim on guest users is the upn of the original account. If you're looking up details against Graph, we should pull in folks from that team to give a better set of options there (which would be best) Your best bet is pulling in the oid before auth (e.g. syncing down all of the details to your app first) based on what the admin looked up and approved, and then comparing that to the oid in the token. |
@hpsin, the documentation says that the
Therefore, my very clear expectation would be that, if I configure the optional claim, the |
I'll fix the documentation there, as it's not always the case. My apologies. |
What exactly do you mean by "it's not always the case?" In Section 2.5 (Standard Claims), the OpenID Connect Basic Client Implementer's Guide 1.0 states that the
|
The email claim will always conform to the textual definition of the addr-spec syntax when present, that's not a concern at least. The problem is that the |
Included in 1.14.1 release |
Which version of Microsoft Identity Web are you using?
v1.14.0
Where is the issue?
Is this a new or an existing app?
This is an app under active development for which I have successfully used v1.12.0.
Repro
As there is no change in my code, the repro would be to update a working Web API from v1.12.0 to v1.14.0 and observe that it suddenly fails to validate tokens generated by both Postman v8.7.0 and MSAL for Angular:
On the server side, I am using ASP.NET Core 5.0 with the following configuration:
appsettings.json
Startup.ConfigureServices(IServiceCollection services)
Startup.Configure(IApplicationBuilder app, IWebHostEnvironment env)
With
app.UseRoleBasedAccessControl()
, I am inserting my own custom middleware into the pipeline. With v1.14.0, the requests no longer reach my custom middleware.I've successfully decoded and validated the tokens using both jwt.ms and jwt.io:
As you see, the
iss
claim is not null. I am wondering why I am getting"ver": "1.0"
tokens and do not know how to change that or whether that is an issue.Expected behavior
Token validation works as in v1.12.0 and no error is returned.
Actual behavior
With v1.14.0, the Web API only returns error responses with status code
401 Unauthorized
and aWWW-Authenticate
header with a value ofBearer error="invalid_token", error_description="The issuer '(null)' is invalid"
.Other information
This issue is likely related to #1167. I added a comment and only then saw it was already closed. However, it seems the root cause is not removed.
The text was updated successfully, but these errors were encountered: