Issues in verifying signature of Bearer token generated for azure ad. #32701
Comments
@jainhitesh9998 Hi, I wonder if it is one of those cases which requires preprocessing Azure tokens with the nonce since without it the signature is indeed invalid, @pmlopes, this is that case, right ?
@jainhitesh9998 Can you create a test tenant please, and paste here the token and the public test tenant's JWK key ? My understanding is this issue is specific to Azure enterprise tenants
I'll check if I can share the exact JWKS and token from the tenant. One behaviour I've noticed is that the bearer token signature is not verifiable, but it is able to get userinfo from the userinfo endpoint before failing at the signature verification step. I'm able to verify the idtoken though.
Done because quarkusio#32701 was left as `needs-triage`
@jainhitesh9998 Sure, I appreciate copying the tokens from the production tenant here is sensitive, which is why I thought you could create a test tenant. Right, at the moment the indirect access token verification via the UserInfo acquisition is only possible for binary/opaque access tokens but for JWT either the local verification or remote introspection must succeed. I'll need to think how to handle this case, two options are possible I guess:
@sberyozkin Thanks for your time and the info. After reading up more regarding this particular issue and also the AD docs I have more clarity regarding the specifics of why an Azure AD bearer token may not be verifiable by most OIDC clients and why one should avoid trying to verify them. We are currently planning to verify the Azure AD idtoken instead of the Azure AD bearer token for our service. The following content can possibly be linked or added in the official docs, to help other developers with the specifics of integrating Azure AD with their Quarkus applications. https://learn.microsoft.com/en-us/azure/active-directory/develop/access-tokens#validate-tokens
So according to the docs with respect to Azure AD one must always validate the idtoken only, at least in this flow. Regarding preprocessing of the JWS prior to preprocessing:
Done because quarkusio#32701 was left as `needs-triage`
Hi @sberyozkin, @jainhitesh9998, thanks for your discussion and investigations. I've got the same problem and debugged the section, too. I would very much appreciate it if a custom jwsCustomizer could be injected, or verification could be skipped by configuration completely.
@ehora This issue is one of the priority issues, unfortunately I haven't been able to prioritize it but it will be dealt with. Skipping the verification as such won't be possible as the bearer token must be verified but we'll have options for verifying such JWT bearer tokens which can't be verified in one of the typical ways.
@jainhitesh9998 @ehora I'd appreciate some help with creating a test token and test JWK for me to experiment with, or explaining where exactly in the Microsoft Identity space I can register a test application, etc. Unfortunately the Azure token and JWK pair I have is not valid.
@sberyozkin I'll try replicating the issue once with an Azure AD tenant from my personal account this weekend. I'll post any findings here.
Sounds good @jainhitesh9998, thanks
@jainhitesh9998 FYI, #33319. Unfortunately,
@sberyozkin
well-known URI: https://login.microsoftonline.com/e7861267-92c5-4a03-bdb2-2d3e491e7831/v2.0/.well-known/openid-configuration
Microsoft docs regarding their token format and usage: [https://learn.microsoft.com/en-us/azure/active-directory/develop/access-tokens#validate-tokens]
Thanks @jainhitesh9998 I'll have a look
@jainhitesh9998 I think I made it work with this customizer. The Azure doc you linked to describes the general process, it does not touch on the hack which is required to get the Azure bearer token verified :-) - it is only thanks to @pmlopes that I'm aware of it. However the test is still not passing because the token has already expired - can you please update the tenant to have a very long expiry time so that we can keep running tests against the test token ? The other plan - where I'll need your help to verify the PR solves the problem - with that PR copy that customizer from the test code and register it as an Having said that, maybe creating a token which will expire in 10 years would be best :-)
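The "hack" mentioned above, shown as an added example that is not part of this thread or of the Quarkus customizer: Azure AD Graph access tokens carry a `nonce` in the JWS header, and the signature was computed over a header in which that nonce is replaced by the base64url-encoded SHA-256 of it, so a verifier must rewrite the header the same way before checking the signature. The script keeps to the standard library, so it signs with HS256 and a constructed key as a stand-in for Azure's RS256; the `nonce` value is the one from the log in the report, all other values are constructed.

```python
import base64
import hashlib
import hmac
import json


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def azure_signing_input(header_b64: str, payload_b64: str) -> bytes:
    """Rebuild the signing input the way Azure produced it: the 'nonce'
    header value is swapped for base64url(SHA-256(nonce)) before signing.
    Relies on compact JSON with key order preserved, as the token itself uses."""
    header = json.loads(b64url_decode(header_b64))
    if "nonce" in header:
        digest = hashlib.sha256(header["nonce"].encode("utf-8")).digest()
        header["nonce"] = b64url(digest)
        header_b64 = b64url(json.dumps(header, separators=(",", ":")).encode())
    return f"{header_b64}.{payload_b64}".encode()


def verify_hs256(token: str, key: bytes, azure_nonce_fix: bool) -> bool:
    """Naive verification (azure_nonce_fix=False) checks the header as sent;
    with the fix the header is rewritten first. HS256 stands in for RS256."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    if azure_nonce_fix:
        signing_input = azure_signing_input(header_b64, payload_b64)
    else:
        signing_input = f"{header_b64}.{payload_b64}".encode()
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(sig_b64))


def make_azure_style_token(header: dict, payload: dict, key: bytes) -> str:
    """Constructed sample issuer: signs over the hashed-nonce header but emits
    the raw-nonce header, which is exactly what breaks off-the-shelf verifiers."""
    header_b64 = b64url(json.dumps(header, separators=(",", ":")).encode())
    payload_b64 = b64url(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(key, azure_signing_input(header_b64, payload_b64), hashlib.sha256).digest()
    return f"{header_b64}.{payload_b64}.{b64url(sig)}"


KEY = b"constructed-demo-key"  # constructed; a real token is RS256 with the tenant's JWK
HEADER = {"typ": "JWT", "nonce": "8jqDc4OFi81SoVsJKFEPJEjF7U-rYHy6LTnElIdP9kw", "alg": "HS256", "kid": "demo"}
PAYLOAD = {"sub": "sub", "aud": "https://graph.microsoft.com"}  # constructed claims
TOKEN = make_azure_style_token(HEADER, PAYLOAD, KEY)


def demo() -> tuple:
    """Returns (naive result, result with the nonce rewrite)."""
    return verify_hs256(TOKEN, KEY, False), verify_hs256(TOKEN, KEY, True)
```

The naive check reports an invalid signature on a genuine token, which matches the failure in the report, while the rewritten header verifies; a modified payload still fails with either path.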
Hi @sberyozkin
scopes: openid profile email
I'll try to test it in a day or two. |
@jainhitesh9998 I missed that last token's expiry time by 30 mins :-). But then I figured out I could use a lifetime grace property which I set to
Describe the bug
I'm trying to add token verification in my application using the quarkus-oidc library.
The default setup works fine when I use Keycloak and I'm able to verify the token.
When I configure Azure AD with a confidential client, the token signature verification fails locally.
The workflow is as follows:
Mobile app -> login performed using Microsoft authentication -> token is passed to the gateway with requests -> my service uses the user bearer token forwarded by a chain of services. The use case requires me to validate the token.
Since there is no introspection endpoint, I have tried to verify it using the user-info endpoint, but I'm currently unable to proceed from the JWS validation point.
I've tried both auto config and manual config, with the v2.0 and v1.0 endpoints of Azure AD.
Expected behavior
The token should be validated and requests should get processed
Actual behavior
2023-04-18 00:21:38,327 DEBUG [io.qua.oid.run.OidcIdentityProvider] (vert.x-eventloop-thread-2) Starting creating SecurityIdentity
2023-04-18 00:21:38,328 DEBUG [io.qua.oid.run.OidcIdentityProvider] (vert.x-eventloop-thread-2) Requesting UserInfo
2023-04-18 00:21:38,328 DEBUG [io.qua.oid.run.OidcProviderClient] (vert.x-eventloop-thread-2) Get UserInfo on: https://graph.microsoft.com/oidc/userinfo auth: Bearer token-removed
2023-04-18 00:21:39,866 DEBUG [io.qua.oid.run.OidcProviderClient] (vert.x-eventloop-thread-2) Request succeeded: {"sub":"sub","name":"name .","picture":"https://graph.microsoft.com/v1.0/me/photo/$value","email":"email_id"}
2023-04-18 00:21:39,881 DEBUG [io.qua.oid.run.OidcIdentityProvider] (vert.x-eventloop-thread-2) Verifying the JWT token with the local JWK keys
2023-04-18 00:21:39,922 DEBUG [io.qua.oid.run.OidcProvider] (vert.x-eventloop-thread-2) Verification of the token issued to client client_id has failed: Invalid JWS Signature: JsonWebSignature{"typ":"JWT","nonce":"8jqDc4OFi81SoVsJKFEPJEjF7U-rYHy6LTnElIdP9kw","alg":"RS256","x5t":"-KI3Q9nNR7bRofxmeZoXqbHZGew","kid":"-KI3Q9nNR7bRofxmeZoXqbHZGew"}-> token_removed
2023-04-18 00:21:39,922 DEBUG [io.qua.oid.run.OidcIdentityProvider] (vert.x-eventloop-thread-2) Token verification has failed: JWT rejected due to invalid signature. Additional details: [[9] Invalid JWS Signature: JsonWebSignature{"typ":"JWT","nonce":"8jqDc4OFi81SoVsJKFEPJEjF7U-rYHy6LTnElIdP9kw","alg":"RS256","x5t":"-KI3Q9nNR7bRofxmeZoXqbHZGew","kid":"-KI3Q9nNR7bRofxmeZoXqbHZGew"}->token-removed]
How to Reproduce?
Create Azure AD confidential credentials (client id and secret) for the service.
Use the quarkus-oidc plugin to configure it as follows:

```yaml
oidc:
  application-type: service
  authentication:
    scopes: email profile
    user-info-required: true
    verify-access-token: false
  authorization-path: https://login.microsoftonline.com/tenant/oauth2/v2.0/authorize
  token-path: https://login.microsoftonline.com/tenant/oauth2/v2.0/token
  jwks-path: https://login.microsoftonline.com/tenant/discovery/v2.0/keys
  auth-server-url: https://login.microsoftonline.com/tenant/v2.0
  enabled: true
  discovery-enabled: false
  user-info-path: https://graph.microsoft.com/oidc/userinfo
  client-id: client_id
  credentials:
    secret: client_secret
  token:
    allow-opaque-token-introspection: false
    lifespan-grace: 3
    allow-jwt-introspection: false
    verify-access-token-with-user-info: true
```
Output of `uname -a` or `ver`
Darwin BLRKEC122910LT 21.6.0 Darwin Kernel Version 21.6.0: Mon Dec 19 20:43:09 PST 2022; root:xnu-8020.240.18~2/RELEASE_ARM64_T6000 arm64
Output of `java -version`
openjdk 17.0.4.1 2022-08-12 LTS
GraalVM version (if different from Java)
No response
Quarkus version or git rev
2.16.2.Final
Build tool (i.e. output of `mvnw --version` or `gradlew --version`)
Apache Maven 3.8.6
Additional information
I have tried referring to the following issues and issues linked to them.