Open
Description
Issue:

1. Most IdPs' `$oidc_jwt_keyfile` endpoint works for access-token validation, but Azure AD doesn't, failing with the following message:

   ```
   [info] 87#87: *500 JWT RS validation failed kid:"2ZQpJ3UpbjAYXYGaXEJl8lV0TOI" (SSL: error:04091068:rsa routines:int_rsa_verify:bad signature), client: 172.18.0.1, server: nginx.azure.test, request: "GET /v1/api/example HTTP/1.1", host: "nginx.azure.test:15000"
   ```

2. This is because, if a nonce is included in the access token, validating the signature with JWT.io or JwtSecurityToken won't succeed.

3. To solve #1, we can add `[CLIENT_ID]/.default` in the authorization endpoint of Azure AD.

4. However, the access token then doesn't work for the `userinfo` endpoint as a Bearer token in the header of the API request, although the validation works:

   ```json
   {"error":{"code":"InvalidAuthenticationToken","message":"Access token validation failure. Invalid audience.","innerError":{"date":"2022-10-15T07:13:25","request-id":"xxxx-xxx-xxx-xxx-xxxx","client-request-id":"xxxx-xxx-xxx-xxx-xxxx"}}}
   ```

5. To successfully get a 200 response from the `/userinfo` endpoint, we can either remove the scope in the authorization endpoint or find a way to solve the invalid audience.
References:
- Acquired tokens have invalid signature AzureAD/microsoft-authentication-library-for-js#521 (comment)
- https://stackoverflow.com/questions/45317152/invalid-signature-while-validating-azure-ad-access-token-but-id-token-works
- https://learn.microsoft.com/en-us/azure/active-directory/develop/userinfo
- Cannot validate access token, maybe because of the nonce AzureAD/microsoft-authentication-library-for-js#815
- https://authguidance.com/azure-active-directory-setup/
- https://authguidance.com/azure-ad-troubleshooting/
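The two failure modes in this issue (a nonce in the access token breaking the `$oidc_jwt_keyfile` signature check, and a token that validates but carries the wrong `aud` for the `userinfo` endpoint) can be told apart before any signature work is done, by looking at the unverified header and claims. The following is an added triage example, not code from this project or from the issue author. It uses only the standard library, builds constructed unsigned tokens inline (the client ID, the audience string and the `nonce` placement are assumptions; the issue does not say whether the nonce sits in the header or the claims, so both are checked), and must never be used as a substitute for real signature verification.

```python
import base64
import json

# Constructed placeholders, not real Azure AD values.
CLIENT_ID = "11111111-2222-3333-4444-555555555555"
USERINFO_AUD = "https://example.invalid/userinfo"  # hypothetical audience the userinfo API expects


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_jwt_unverified(token: str) -> tuple:
    """Split a compact JWS and decode header and claims WITHOUT verifying the signature.

    This is for diagnostics only: nothing returned here may be used to make an
    authorization decision.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS with three dot-separated segments")
    header = json.loads(_b64url_decode(parts[0]))
    claims = json.loads(_b64url_decode(parts[1]))
    return header, claims


def triage_access_token(token: str, expected_aud: str) -> str:
    """Classify a token into the failure modes described in the issue.

    'nonce-present'     : a nonce is in the token (header or claims); per the issue the
                          RS256 check against the $oidc_jwt_keyfile JWKS fails for it.
    'audience-mismatch' : the signature may verify, but 'aud' is not what the called API
                          (e.g. the userinfo endpoint) expects, so the API rejects it
                          with InvalidAuthenticationToken / Invalid audience.
    'ok'                : neither problem detected by this pre-check.
    """
    header, claims = decode_jwt_unverified(token)
    if "nonce" in header or "nonce" in claims:
        return "nonce-present"
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if expected_aud not in aud_list:
        return "audience-mismatch"
    return "ok"


def make_unsigned_token(header: dict, claims: dict) -> str:
    """Build a compact JWS with an empty signature segment, for offline testing only."""
    return ".".join([
        _b64url_encode(json.dumps(header).encode()),
        _b64url_encode(json.dumps(claims).encode()),
        "",
    ])


# Constructed token shaped like failure #1: a nonce is present (placed in the header here).
NONCE_TOKEN = make_unsigned_token(
    {"typ": "JWT", "alg": "RS256", "kid": "2ZQpJ3UpbjAYXYGaXEJl8lV0TOI", "nonce": "constructed"},
    {"aud": USERINFO_AUD, "scp": "User.Read"},
)

# Constructed token shaped like failure #4: obtained with the [CLIENT_ID]/.default scope,
# so no nonce but aud = client ID rather than the audience the userinfo endpoint expects.
DEFAULT_SCOPE_TOKEN = make_unsigned_token(
    {"typ": "JWT", "alg": "RS256", "kid": "2ZQpJ3UpbjAYXYGaXEJl8lV0TOI"},
    {"aud": CLIENT_ID, "scp": "default"},
)

if __name__ == "__main__":
    print(triage_access_token(NONCE_TOKEN, CLIENT_ID))            # nonce-present
    print(triage_access_token(DEFAULT_SCOPE_TOKEN, CLIENT_ID))    # ok: nginx-side validation can pass
    print(triage_access_token(DEFAULT_SCOPE_TOKEN, USERINFO_AUD)) # audience-mismatch: userinfo rejects it
```

Running the triage on a real token captured from the Azure AD flow shows immediately which case you are in: `nonce-present` means the token was never meant to be validated by the nginx side, and `audience-mismatch` means the `/.default` workaround produced a token for your own client ID that the downstream API will not accept.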