I have a client API which implements MSAL to fetch access token from Azure AD B2C. This API authenticates with AD B2C tenant using certificate and not secret. The issue is when I try to authenticate using root certificate which is uploaded in AD B2C and client certificate which is pass from the client API it fails with an exception.-
A configuration issue is preventing authentication - check the error message from the server for details. You can modify the configuration in the application registration portal. See https://aka.ms/msal-net-invalid-client for details. Original exception: AADSTS700027: Client assertion contains an invalid signature. [Reason - The key was not found., Thumbprint of key used by client: 'FE5D9FEF5D0D528B8ED641727E903E50953D44CE', Please visit the Azure Portal, Graph Explorer or directly use MS Graph to see configured keys for app Id 'f3bfc1b2-f1b2-4552-9145-7019c8683a41'. Review the documentation at https://learn.microsoft.com/en-us/graph/deployments to determine the corresponding service endpoint and https://learn.microsoft.com/en-us/graph/api/application-get?view=graph-rest-1.0&tabs=http to build a query request URL, such as 'https://graph.microsoft.com/beta/applications/f3bfc1b2-f1b2-4552-9145-7019c8683a41']
Trace ID: 59cf24e3-96bb-48ca-8d4b-f8cf0e5d0e00
Correlation ID: 496261ed-31c3-46c1-9fdb-a59c966ddf3d
Timestamp: 2020-12-28 08:16:12Z
As far as I know, this error is usually caused by the fact that you did not encode the thumbprint correctly. After you obtain the thumbprint, please check your code to ensure that it is properly Base64 encoded.
Related
I added and configured an OpenID Connect Identity Provider.
I set the return URL in the provider correctly.
I'm using the "Sign up and Sign in" user flow -- not a custom policy.
Running through the user flow, I ultimately get redirected to my application .../MicrosoftIdentity/Account/Error (or if I set return url to jwt.ms, I get the same error) with the page indicating the error
AADB2C90238: The provided token does not contain a valid issuer
How can I even see the issuer in the token? (It's all handled inside AD B2C service).
I can see what's listed in the provider's .../.well-known/openid-configuration endpoint. I guess that's what's not matching in the token. I've seen suggestions of using Application Insights Logs to view the token -- but, apparently, that can only be done with custom policies.
Is there another way to tell AD B2C not to validate the issuer? Or is another way to handle this issue?
I tried to reproduce the same in my environment.
Open Id configuration is like below:
Where the metadata url is https://login.microsoftonline.com/organizations/v2.0/.well-known/openid-configuration
Authorization request looks like below:
https://kavyasarabojub2c.b2clogin.com/kavyasarabojub2c.onmicrosoft.com/oauth2/v2.0/authorize?p=B2C_1_newSignupSignin&client_id=xxxxx5&nonce=defaultNonce&redirect_uri=https%3A%2F%2Fjwt.ms&scope=openid&response_type=id_token&prompt=login
I received the same error :
With redirect uri: https://jwt.ms
Error: invalid_request
AADB2C90238: The provided token does not contain a valid issuer. Please provide another token and try again.
With redirect uri: https://kavyasarabojub2c.b2clogin.com/kavyasarabojub2c.onmicrosoft.com/oauth2/authresp
So here the redirect Uris are correct and need to correct the metadata url :
Created an OpenId provider with meta data url having tenantId instead of organizations .
https://login.microsoftonline.com/<tenantId>/v2.0/.well-known/openid-configuration
Run the user flow with this Identity provider
Could login successfully and get the access token with endpoint
Note: make sure it has the policy included:
I have p=B2C_1_newSignupSignin
https://kavyasarabojub2c.b2clogin.com/kavyasarabojub2c.onmicrosoft.com/oauth2/v2.0/authorize?p=B2C_1_newSignupSignin&client_id=1xxxxe2a5&nonce=defaultNonce&redirect_uri=https%3A%2F%2Fjwt.ms&scope=openid&response_type=id_token&prompt=login
Here the issuer is of V2 endpoint "iss": "https://kavyasarabojub2c.b2clogin.com/<tenantId>/v2.0/"
Reference : Web sign in with OpenID Connect - Azure Active Directory B2C | Microsoft Learn
Edit:
I have successfully configured an external identity provider using Azure AD B2C Custom policy. The authorize endpoint is passed correct acr_values too. As I launch the authorize endpoint, I am taken to the login screen from identity provider. As soon as I enter my credentials and hit 'Login',I expect the authentication response to be redirected to my B2C /auth/resp URL (https://<>.b2clogin.com/<>.onmicrosoft.com/oauth2/authresp), configured with the identity provider.
However, I end up getting an exception as below -
AADB2C90289: We encountered an error connecting to the identity provider. Please try again later.
Correlation ID: ef54294f-2a9d-4e18-bc03-511bcc713cde
Timestamp: 2022-10-10 04:04:09Z
AADB2C90289: We encountered an error connecting to the identity provider. Please try again later.
Correlation ID: 42dc0316-16d5-4f5b-9552-6cc4d2f3e233
Timestamp: 2022-10-10 09:38:51Z
I have also tried verifying the client_id and client_secret being used and that seems to be fine. Moreover, logs on the identity provider side mention that the request was successful.
Awaiting quick responses, as this blocks my application completely.
Application Insights details -
Exception Message:An internal error has occurred., CorrelationID:145303ec-b8e8-4fc1-bd5d-6649bd1fb77f
I tried to reproduce the same in my environment:
This error , AADB2C90289: We encountered an error “” connecting to the identity provider. Please try again later. occurred ,
when I haven’t given the clientSecret of the app correctly in the azure ad b2c.
I kept it to generate.
Later I manually changed the policy keys and gave the application client secret in the key value.
In your external Identity provider technical profile, make sure to -provide the clientId of that particular Identity provider
Ex:
<TechnicalProfile Id="Facebook-OAUTH">
<Metadata>
<!Below replace clientId with the externalIdentity provider App/ClientId "-->
<Item Key="client_id">XXX0000XXX</Item>
....
I am trying to retrieve the web job history of an Azure web job via REST using a .NET backend and the OAuth2 credentials flow (as described here
https://learn.microsoft.com/en-us/rest/api/appservice/web-apps/get-triggered-web-job-history-slot)
How do I need to authenticate correctly?
I retrieve the token as follows:
POST https://login.microsoftonline.com/{MySubscription}/oauth2/v2.0/token
client_id={MyApp}
&grant_type=client_credentials
&scope=https://management.azure.com/.default
&client_secret={myclient_secret}
I get a token back, however I get a 403 error message when I try to retrieve the resource:
GET https://management.azure.com/subscriptions/{MySubscription}/resourceGroups/{MyResource}/providers/Microsoft.Web/sites/{MyApp}/slots/{MySlot}/triggeredwebjobs/{MyWebjob}/history?api-version=2021-02-01
Authorization: Bearer {MyToken}
Client '{MyApp}' with object ID '{MyApp}' is not
authorized to perform the action
'Microsoft.Web/sites/slots/triggeredwebjobs/history/read' using the
scope
'/subscriptions/{MySubscription}/resourceGroups/{MyResource}/providers/Microsoft.Web/sites/{MyApp}/slots/{MySlot}/triggeredwebjobs/{MyWebjob}'
or the scope is invalid. If access was granted recently, please update
your credentials.
What am I doing wrong?
I already added the API-Permission
The "403 Token invalid" error usually occurs if you missed giving permissions to particular scope (Azure Service Management).
By giving this scope it enables you to access https://management.azure.com
To resolve this error, please follow below steps:
Go to Azure Ad ->your application -> API permissions -> Add permission -> Azure Service Management -> delegated permissions ->User impersonation -> Add
After giving these permissions try to retrieve the resource again, there won't be any error.
Since I didn't find a solution that worked with OAuth2 and the Credentials flow, I got it working with Basic Authentication. The username (userName) and password (userPWD) can be taken from the publishing profile of the respective app service.
GET https://{appservicename}.scm.azurewebsites.net/api/triggeredwebjobs/{jobName}/history
Authorization Basic ....
I completely followed this link https://learn.microsoft.com/en-us/azure/bot-service/bot-builder-authentication?view=azure-bot-service-4.0&tabs=aadv1%2Ccsharp%2Cbot-oauth and created a Azure AD app registration and used Azure Active Directory v1 for my web app bot.
After sign in, I view the token but with that token I cannot access the Azure API's, as it shows below response in Postman:
{
"error": {
"code": "AuthenticationFailed",
"message": "Authentication failed."
}
I called the Azure API below:
https://management.azure.com/subscriptions/${subscriptionId}/providers/Microsoft.Consumption/usageDetailsapi-version=2018-10-01
In my app registration in Azure AD, I have given these permission to access the Azure API:
In my Web App Bot -> Settings -> OAuth Connection Settings, I select:
ClientId -> My application client id
ClinetSecret -> My application client secret
GrantType -> I does not know what to give so I just typed "authorization_code" (If this wrong then Where I need to find my grantType)
LoginURL -> https://login.microsoftonline.com
TenantId -> common (To allow any user)
ResourceURL -> https://graph.microsoft.com/
Scopes -> I just left blank
Why am I not able to access the Azure API with that token?
Any Help. Thanks
An access token issued by Azure AD will always be for a specific resource. Which service a token is intended for is identified in the token's "audience" (in the aud claim). When using the v1 endpoint, the resource for which an app requests an access token is identified in the resource parameter of the authorization request. In the v2 endpoint, the resource is identified as part of the scope parameter.
In your case, the resource you've configured your bot to get a token for is Microsoft Graph (https://graph.microsoft.com), but then you're trying to use the resulting token to call the Azure Management API. The first thing the Azure Management API does is check if the access token it received is actually intended for it. If the audience does not match, it will immediately respond with an error.
Instead of trying to get a token for Microsoft Graph, you need to configure your bot to get a token for the Azure Management API. You should use https://management.azure.com, which is the resource URI for the Azure Management API, instead of https://graph.microsoft.com which is the resource URI for Microsoft Graph.
I have configured a backend application (api) and azure apim devportal (client app) in b2c. I have provided access to backend api from client app. I have
used this to configure oauth authentication in azure api management.
I am using authorization code flow. For token validation, I have used inbound policy:
<validate-jwt header-name="Authorization" failed-validation-httpcode="401" failed-validation-error-message="Unauthorized" require-expiration-time="true" require-scheme="Bearer" require-signed-tokens="true" clock-skew="0">
<openid-config url="https://<domain>/tenantid/v2.0/.well-known/openid-configuration?p=signinsignup_policy" />
<required-claims>
<claim name="aud">
<value><appid for backend app></value>
</claim>
</required-claims>
</validate-jwt>
While trying from apim developer portal
I am getting below error while using the token received:.
JWT Validation Failed: IDX10501: Signature validation failed. Unable to match keys
I have configured backend api application id as resource and user_impersonation as defaultscope. Decoding token I can see same backend appid as aud. I also tried using appid uri as resource but see same error.
Any help is appreciated.
There are a couple of scenarios that can lead to this error.
Did you check below threads
Azure AD B2C error - IDX10501: Signature validation failed
https://github.com/Azure-Samples/active-directory-dotnet-webapp-openidconnect-aspnetcore/issues/18
If above are not helped: I assume that you are using Custom Policies. While creating Signingkey and encryption you must follow the steps which are described at https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-get-started-custom.
If you skip or modify Key Type/ Key Usage while creating TokenSigning
& TokenEncryption keys there is a chance to get that issue.
Below steps I tried while integrating B2C with API Management. And it is working as expected
Created Web API and Integrated B2C (Followed https://azure.microsoft.com/en-in/resources/samples/active-directory-b2c-dotnet-webapp-and-webapi/)
Integrated Swagger
Created Azure API Management Service
Added API by using "OpenAPI"
Given OpenApi specification URL as https://xxx.azurewebsites.net/Swagger/docs/v1 and created API
While creating API Chosen valid products that are mapped to existing users to test
Navigated to APIM developer portal and tested
While testing added access_token as Authorize header bearer token and tested.
HTH