Apache Camel / Azure Vault URI setup - azure

We are having an issue trying to read Outlook emails.
Currently we are using the following Apache Camel endpoint to log in to Outlook 365 mailboxes:
imaps://Outlook.office365.com:993?password=XXXX&username=YYYY
We upgraded to Apache Camel 3.17 to get access to Azure Key Vault. We began our testing with tenantId and clientId.
We get the following error:
Caused by: java.lang.IllegalArgumentException: Azure Secret Client or client Id, client secret and tenant Id must be specified
    at org.apache.camel.component.azure.key.vault.KeyVaultComponent.createEndpoint(KeyVaultComponent.java:66)
    at org.apache.camel.support.DefaultComponent.createEndpoint(DefaultComponent.java:171)
    at org.apache.camel.impl.engine.AbstractCamelContext.doGetEndpoint(AbstractCamelContext.java:951)
    ... 97 more
If anyone has set this up successfully, please help with an example of the URI parameters.
Thank you

SecurityTokenInvalidSignatureException: IDX10511

Looking for an answer. This is my first time using Azure AD for authentication on ASP.NET Core, and we have registered the app on Azure for both my local machine and the Dev server. It works when running on my laptop, but after deploying to the Dev server and changing the Client ID value, it keeps giving me this error:
SecurityTokenInvalidSignatureException: IDX10511: Signature validation failed. Keys tried: 'System.Text.StringBuilder'.
kid: 'System.String'.
Exceptions caught:
'System.Text.StringBuilder'.
token: 'System.IdentityModel.Tokens.Jwt.JwtSecurityToken'.
System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateSignature(string token, TokenValidationParameters validationParameters)
Exception: An error was encountered while handling the remote login.
Microsoft.AspNetCore.Authentication.RemoteAuthenticationHandler.HandleRequestAsync()
Thank you in advance.
Danny
Thank you @User 45323833 for posting your suggestion as an answer to help other community members.
"Solution from Microsoft: This problem is caused by your app registration:
You may have defined a scope from the Graph API: User.Read User.ReadBasic.All Mail.Read
If a scope is set from the Graph API, the token can only be validated by Graph!
You can see that in jwt.io. If the aud is like "00000003-0000-0000-c000-000000000000" the token is from Graph.
To solve the problem please follow the steps below:
To protect your own custom API, you have to register an application to represent it in Azure AD and obtain an access_token/id_token for it.
Section - Expose an API: Create a new scope: name = access_as_user
Section - API permissions: Add a new permission for your registered application and your scope access_as_user
Section - Manifest: Change the entry "accessTokenAcceptedVersion" from null to 2
Check the new token from Azure with jwt.io. If the aud is equal to the registered application id, the token can be validated successfully."
For more information please refer to this GitHub issue: IDX10511: Signature validation failed. Keys tried: and the Microsoft documentation: Azure AD authentication with ASP.NET Core web application

Using Quarkus OpenId Connect and Azure b2c

I'm building a backend service that provides an API using Quarkus, and I need to validate the incoming requests.
By default Quarkus uses Keycloak, but I want to validate against Azure B2C.
At the moment I have the following configuration:
quarkus.oidc.auth-server-url=https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/oauth2/v2.0/authorize?p={policy}
quarkus.oidc.application-type=service
quarkus.http.auth.permission.authenticated.paths=/hello/*
quarkus.http.auth.permission.authenticated.policy=authenticated
quarkus.log.category."io.quarkus.oidc".level=DEBUG
And as an example:
// javax.* on Quarkus 2.x, jakarta.* on Quarkus 3.x
import javax.annotation.security.RolesAllowed;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.MediaType;
@Path("/hello")
public class GreetingResource {
    @GET
    @Produces(MediaType.TEXT_PLAIN)
    @RolesAllowed("test")   // caller's validated token must carry the "test" role
    public String hello() {
        return "Hello RESTEasy";
    }
}
But Quarkus keeps throwing the same error:
OIDC server is not available at the 'https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/oauth2/v2.0/authorize?p={policy}'
Am I doing something wrong?
Thanks in advance!
1. Policy name: for Azure AD B2C, the format is like
quarkus.oidc.auth-server-url=https://<tenant-name>.b2clogin.com/<tenant-name>.onmicrosoft.com/<policy-name>/oauth2/v2.0/authorize
(or)
quarkus.oidc.auth-server-url=https://<tenant-name>.b2clogin.com/<tenant-id>/<policy-name>/oauth2/v2.0/authorize
The code in your Azure AD B2C-enabled applications and APIs may refer to login.microsoftonline.com in several places. For example, your code might have references to user flows and token endpoints. Update the following to instead reference your-tenant-name.b2clogin.com:
Authorization endpoint
Token endpoint
Token issuer
Please check the MS docs for more information on this.
2. An OIDC service application needs to know the OpenID Connect provider's token and other endpoints.
By default they are discovered by adding a /.well-known/openid-configuration path to the configured quarkus.oidc.auth-server-url.
Ex: https://{tenant-name}.b2clogin.com/{tenant-id}/.well-known/openid-configuration?p={policy-name}
By default, the iss claim value is compared to the issuer property, which may have been discovered in the well-known provider configuration. But if the quarkus.oidc.token.issuer property is set, then the iss claim value is compared to it instead.
References:
quarkus/issues
security-openid-connect

Azure AD B2C Authentication using root and client certificate

I have a client API which implements MSAL to fetch an access token from Azure AD B2C. This API authenticates with the AD B2C tenant using a certificate and not a secret. The issue is that when I try to authenticate using a root certificate which is uploaded in AD B2C and a client certificate which is passed from the client API, it fails with an exception:
A configuration issue is preventing authentication - check the error message from the server for details. You can modify the configuration in the application registration portal. See https://aka.ms/msal-net-invalid-client for details. Original exception: AADSTS700027: Client assertion contains an invalid signature. [Reason - The key was not found., Thumbprint of key used by client: 'FE5D9FEF5D0D528B8ED641727E903E50953D44CE', Please visit the Azure Portal, Graph Explorer or directly use MS Graph to see configured keys for app Id 'f3bfc1b2-f1b2-4552-9145-7019c8683a41'. Review the documentation at https://learn.microsoft.com/en-us/graph/deployments to determine the corresponding service endpoint and https://learn.microsoft.com/en-us/graph/api/application-get?view=graph-rest-1.0&tabs=http to build a query request URL, such as 'https://graph.microsoft.com/beta/applications/f3bfc1b2-f1b2-4552-9145-7019c8683a41']
Trace ID: 59cf24e3-96bb-48ca-8d4b-f8cf0e5d0e00
Correlation ID: 496261ed-31c3-46c1-9fdb-a59c966ddf3d
Timestamp: 2020-12-28 08:16:12Z
As far as I know, this error is usually caused by the fact that you did not encode the thumbprint correctly. After you obtain the thumbprint, please check your code to ensure that it is properly Base64 encoded.
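An added helper (not from the thread above) for the encoding check the answer refers to: the x5t header of a certificate-based client assertion is the base64url encoding of the raw SHA-1 thumbprint bytes (RFC 7515), not of the 40-character hex string. The sample input is the thumbprint quoted in the AADSTS700027 message above; the reverse function turns an x5t back into hex so it can be compared with the keys registered on the app.

```python
import base64
import hashlib


def x5t_from_hex_thumbprint(thumbprint_hex: str) -> str:
    """Return the JWS 'x5t' value for a certificate whose SHA-1 thumbprint is
    given as hex, the form the portal and the AADSTS700027 message show.

    x5t is base64url of the 20 raw digest bytes with padding stripped.  A common
    mistake is to base64-encode the hex string itself, which produces a
    56-character value that matches no registered key."""
    digest = bytes.fromhex(thumbprint_hex.replace(":", "").replace(" ", ""))
    if len(digest) != hashlib.sha1().digest_size:
        raise ValueError("a SHA-1 thumbprint is exactly 20 bytes")
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def x5t_from_der(cert_der: bytes) -> str:
    """Same value computed directly from the DER-encoded certificate."""
    return x5t_from_hex_thumbprint(hashlib.sha1(cert_der).hexdigest())


def hex_thumbprint_from_x5t(x5t: str) -> str:
    """Reverse: decode the x5t carried in a client assertion header back to the
    upper-case hex thumbprint for comparison with the app's registered keys."""
    raw = base64.urlsafe_b64decode(x5t + "=" * (-len(x5t) % 4))
    return raw.hex().upper()


# Thumbprint quoted in the AADSTS700027 message above (sample input only).
REPORTED_THUMBPRINT = "FE5D9FEF5D0D528B8ED641727E903E50953D44CE"

if __name__ == "__main__":
    x5t = x5t_from_hex_thumbprint(REPORTED_THUMBPRINT)
    wrong = base64.urlsafe_b64encode(REPORTED_THUMBPRINT.encode()).decode()
    print("correct x5t :", x5t, f"({len(x5t)} chars)")
    print("hex-string encoded (wrong):", wrong, f"({len(wrong)} chars)")
    print("round trip matches:", hex_thumbprint_from_x5t(x5t) == REPORTED_THUMBPRINT)
```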

Apache Nifi - OpenID Connect - Unable to validate token

I am using the OpenID Connect authorization provider with Apache NiFi. Authorization is provided by Azure Active Directory.
The implicit grant flow is working fine and I am able to log in to the NiFi UI.
However, when I generate a token using the client credentials flow through Azure AD and use it in NiFi, I get the following error:
Unable to validate the access token.
Looking further into the NiFi logs, the complete error is this:
2020-03-23 11:33:07,408 ERROR [NiFi Web Server-30] o.a.nifi.web.security.jwt.JwtService Unable to validate the access token.
Caused by: The default resolveSigningKey(JwsHeader, Claims) implementation cannot be used for asymmetric key algorithms (RSA, Elliptic Curve). Override the resolveSigningKey(JwsHeader, Claims) method instead and return a Key instance appropriate for the RS256 algorithm.
2020-03-23 11:33:07,408 WARN [NiFi Web Server-30] o.a.n.w.s.NiFiAuthenticationFilter Rejecting access to web api: Unable to validate the access token.
From what I understand, RS256-signed tokens are not supported by Apache NiFi, or am I doing something wrong?
Here is the token that works after the implicit flow:
eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiI1ZjVlOTc0Zi04YzcxLTQ2NTctYTk1My1hODNhMjMzNGFkZTciLCJpc3MiOiJodHRwczovL2xvZ2luLm1pY3Jvc29mdG9ubGluZS5jb20vNWY1ZTk3NGYtOGM3MS00NjU3LWE5NTMtYTgzYTIzMzRhZGU3L3YyLjAiLCJhdWQiOiJodHRwczovL2xvZ2luLm1pY3Jvc29mdG9ubGluZS5jb20vNWY1ZTk3NGYtOGM3MS00NjU3LWE5NTMtYTgzYTIzMzRhZGU3L3YyLjAiLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiI1ZjVlOTc0Zi04YzcxLTQ2NTctYTk1My1hODNhMjMzNGFkZTciLCJraWQiOjIsImV4cCI6MTU4NDk5MDM1MywiaWF0IjoxNTg0OTg2NzU0fQ.j-n7HbniajEItWUMNWwoD9Ds17focVPD1Bng23KCCF8
Here is the token generated using the client credentials flow that does not work:
eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6IllNRUxIVDBndmIwbXhvU0RvWWZvbWpxZmpZVSIsImtpZCI6IllNRUxIVDBndmIwbXhvU0RvWWZvbWpxZmpZVSJ9.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.GOVOxmNPT3p8aa8pRlcssfq-R4beflrG343BQM-MAtqHEIwAyHfDX0K3BmV5-SVSnNlt8BKBXicq-IgtiHtdo4HLWAEu7FGH2udH-SJwMbk4_kmH8RaE-zps_ZUjt_L04dZpwK5e-VfRmBkIFKh-KkxvXVabyvLfgJZCwPq4_d_mP0PK4Jmx0xibysYMIbyw0Le883-2GCXVACLZfxQAwblaZiS1LXe7cBkyp508Ij_GZCs4sTwZ7_p6uydx0MqdFUtQVyJOO5pCRo0fDLmKWfAme8uqz36gOa9g6chpALCQfbSBMsZbZxPT9eRSFCZaezuayuh03wFipO_tvzAyEA
And this is the OpenID discovery URL:
https://login.microsoftonline.com/5f5e974f-8c71-4657-a953-a83a2334ade7/v2.0/.well-known/openid-configuration
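An added diagnostic, not from any of the posts above, that pulls together what the IDX10511, Quarkus and NiFi threads each turned on: the token's alg, aud and iss, read without verifying the signature, plus the discovery URL form from the Quarkus answer. Tokens are constructed inline with a dummy signature; the Graph audience constant is the one quoted in the IDX10511 answer; the application id and issuer strings are placeholders.

```python
import base64
import json
from urllib.parse import urlsplit, urlunsplit

# Audience of tokens minted for Microsoft Graph (quoted in the IDX10511 answer).
GRAPH_AUDIENCE = "00000003-0000-0000-c000-000000000000"


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are unpadded base64url; restore the padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_json(obj: dict) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def constructed_token(header: dict, claims: dict) -> str:
    """Constructed test token with a dummy signature; only for feeding inspect_token."""
    return f"{_b64url_json(header)}.{_b64url_json(claims)}.c2lnbmF0dXJl"


def inspect_token(token: str, expected_app_id: str, expected_issuer: str) -> dict:
    """Decode header and claims WITHOUT signature verification and report the
    three fields the threads above hinged on.  Pre-flight diagnostic only: the
    framework's signature validation still has to run on every request."""
    header_seg, claims_seg, _sig = token.split(".")
    header = json.loads(_b64url_decode(header_seg))
    claims = json.loads(_b64url_decode(claims_seg))
    alg, aud, iss = header.get("alg"), claims.get("aud"), claims.get("iss")
    problems = []
    if alg != "RS256":
        problems.append(f"alg is {alg!r}: Azure AD signs tokens with RS256, so the "
                        "validator must resolve an RSA key by kid, not a shared secret")
    if aud == GRAPH_AUDIENCE:
        problems.append("aud is Microsoft Graph: only Graph can validate this token (IDX10511)")
    elif aud != expected_app_id:
        problems.append(f"aud {aud!r} is not the registered application id")
    if iss != expected_issuer:
        problems.append(f"iss {iss!r} does not match the configured issuer")
    return {"alg": alg, "kid": header.get("kid"), "aud": aud, "iss": iss, "problems": problems}


def discovery_url(auth_server_url: str) -> str:
    """Append /.well-known/openid-configuration as the Quarkus answer describes,
    keeping a B2C '?p=<policy>' query after the well-known path, not before it."""
    parts = urlsplit(auth_server_url)
    path = parts.path.rstrip("/") + "/.well-known/openid-configuration"
    return urlunsplit((parts.scheme, parts.netloc, path, parts.query, ""))
```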

Error getting SAML Metadata for Azure AD B2C Policy - AADB2C90022

Setting up a custom policy in Azure AD B2C to connect to an ADFS Identity Provider. This requires a SAML metadata endpoint as specified in the documentation at the link below.
https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-custom-setup-adfs2016-idp#configure-an-adfs-relying-party-trust
The error being encountered is:
AADB2C90022: Unable to return metadata for the policy [my-policy] in tenant [my-tenant].onmicrosoft.com.
and is being encountered when I go to the endpoint:
https://login.microsoftonline.com/te/[my-tenant].onmicrosoft.com/[my-policy]/samlp/metadata?idptp=[my-technical-profile]
I have tried making the request from the b2clogin.com endpoint with the same result as above.
E.g. https://[my-tenant].b2clogin.com/te/[my-tenant].onmicrosoft.com/[my-policy]/samlp/metadata?idptp=[my-technical-profile]
I have also tried using my tenantId GUID in place of [my-tenant].onmicrosoft.com which resulted in the exact same result.
E.g. https://login.microsoftonline.com/te/[my-tenant-id]/[my-policy]/samlp/metadata?idptp=[my-technical-profile]
Re-visit the process by which you created the certificate, uploaded it to your 'Policy Keys' and referenced it in your custom policy files.
My scenario was similar: I had the same error and no output via Application Insights / Journey Recorder.
I had tried to avoid using 'makecert.exe' and instead used another self-signed certificate generation tool. This simply did not work, I think because the private key was not being incorporated in the certificate file.
This guide has been invaluable; see also this test facility.
