Apache Nifi - OpenID Connect - Unable to validate token - azure

I am using OpenID connect authorization provider with Apache Nifi. The authorization is provided by Azure Active Directory.
The implicit grant flow is working fine and I am able to login to the Nifi UI.
However, when I am generating a token using the client credentials flow through Azure AD and using it in Nifi, I am getting the following error :-
Unable to validate the access token.
Upon looking further in the Nifi logs, the complete error log is this :-
2020-03-23 11:33:07,408 ERROR [NiFi Web Server-30] o.a.nifi.web.security.jwt.JwtService Unable to validate the access token.
Caused by: The default resolveSigningKey(JwsHeader, Claims) implementation cannot be used for asymmetric key algorithms (RSA, Elliptic Curve). Override the resolveSigningKey(JwsHeader, Claims) method instead and return a Key instance appropriate for the RS256 algorithm.
2020-03-23 11:33:07,408 WARN [NiFi Web Server-30] o.a.n.w.s.NiFiAuthenticationFilter Rejecting access to web api: Unable to validate the access token.
From what I understand, RS256 signed tokens are not supported by Apache Nifi or am I doing something wrong ?
Here is the token that is working after implicit flow.
eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiI1ZjVlOTc0Zi04YzcxLTQ2NTctYTk1My1hODNhMjMzNGFkZTciLCJpc3MiOiJodHRwczovL2xvZ2luLm1pY3Jvc29mdG9ubGluZS5jb20vNWY1ZTk3NGYtOGM3MS00NjU3LWE5NTMtYTgzYTIzMzRhZGU3L3YyLjAiLCJhdWQiOiJodHRwczovL2xvZ2luLm1pY3Jvc29mdG9ubGluZS5jb20vNWY1ZTk3NGYtOGM3MS00NjU3LWE5NTMtYTgzYTIzMzRhZGU3L3YyLjAiLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiI1ZjVlOTc0Zi04YzcxLTQ2NTctYTk1My1hODNhMjMzNGFkZTciLCJraWQiOjIsImV4cCI6MTU4NDk5MDM1MywiaWF0IjoxNTg0OTg2NzU0fQ.j-n7HbniajEItWUMNWwoD9Ds17focVPD1Bng23KCCF8
Here is the token generated using client credentials flow that is not working :-
eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6IllNRUxIVDBndmIwbXhvU0RvWWZvbWpxZmpZVSIsImtpZCI6IllNRUxIVDBndmIwbXhvU0RvWWZvbWpxZmpZVSJ9....GOVOxmNPT3p8aa8pRlcssfq-R4beflrG343BQM-MAtqHEIwAyHfDX0K3BmV5-SVSnNlt8BKBXicq-IgtiHtdo4HLWAEu7FGH2udH-SJwMbk4_kmH8RaE-zps_ZUjt_L04dZpwK5e-VfRmBkIFKh-KkxvXVabyvLfgJZCwPq4_d_mP0PK4Jmx0xibysYMIbyw0Le883-2GCXVACLZfxQAwblaZiS1LXe7cBkyp508Ij_GZCs4sTwZ7_p6uydx0MqdFUtQVyJOO5pCRo0fDLmKWfAme8uqz36gOa9g6chpALCQfbSBMsZbZxPT9eRSFCZaezuayuh03wFipO_tvzAyEA
And this is the openid discovery url :-
https://login.microsoftonline.com/5f5e974f-8c71-4657-a953-a83a2334ade7/v2.0/.well-known/openid-configuration
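The log line above says NiFi's JwtService fell back to the default resolveSigningKey, which only knows a symmetric secret, so an RS256 token signed by Azure AD cannot be checked. The following Python is an added example, not NiFi or Azure code: it shows what a key resolver that does handle both algorithms looks like, choosing an HMAC secret for HS256 and a JWKS entry matched by kid for RS256, using only the standard library. The RSA key pair, the HS256 secret, the claims and the JWKS document are all constructed for the example; nothing is fetched from the discovery URL.

```python
import base64
import hashlib
import hmac
import json
import math
import random

SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")  # DER DigestInfo prefix, RFC 8017

def b64url_decode(s): return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def b64url_encode(b): return base64.urlsafe_b64encode(b).rstrip(b"=").decode()
def jwt_header(token): return json.loads(b64url_decode(token.split(".")[0]))  # unverified alg/kid

def _probable_prime(n, rng, rounds=16):
    """Miller-Rabin, sufficient for a constructed demo key."""
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def make_rsa_key(bits=1024, seed=7):
    """Constructed, deterministic RSA key (n, e, d) for the example; never use such a key for real tokens."""
    rng, e = random.Random(seed), 65537
    def prime():
        while True:
            c = rng.getrandbits(bits // 2) | (1 << (bits // 2 - 1)) | 1  # top bit set, odd
            if _probable_prime(c, rng):
                return c
    while True:
        p, q = prime(), prime()
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return p * q, e, pow(e, -1, phi)

def _emsa_pkcs1_v15(msg, k):
    """EMSA-PKCS1-v1_5 encoding of SHA-256(msg) for a k-byte modulus, as an integer."""
    t = SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    return int.from_bytes(b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t, "big")

def jwk_from_public(n, e, kid):
    enc = lambda i: b64url_encode(i.to_bytes((i.bit_length() + 7) // 8, "big"))
    return {"kty": "RSA", "use": "sig", "alg": "RS256", "kid": kid, "n": enc(n), "e": enc(e)}

def sign_jwt(claims, alg, key, kid):
    """Issue a token; key is the HMAC secret for HS256 or (n, e, d) for RS256."""
    header = b64url_encode(json.dumps({"typ": "JWT", "alg": alg, "kid": kid}).encode())
    signing_input = header + "." + b64url_encode(json.dumps(claims).encode())
    if alg == "HS256":
        sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    elif alg == "RS256":
        n, _, d = key
        k = (n.bit_length() + 7) // 8
        sig = pow(_emsa_pkcs1_v15(signing_input.encode(), k), d, n).to_bytes(k, "big")
    else:
        raise ValueError("unsupported alg %r" % alg)
    return signing_input + "." + b64url_encode(sig)

def verify_jwt(token, hmac_secret, jwks):
    """Resolve the key from alg/kid: HS256 only ever uses the local secret, RS256 only a JWKS entry."""
    h, c, s = token.split(".")
    header, signing_input, sig = json.loads(b64url_decode(h)), (h + "." + c).encode(), b64url_decode(s)
    alg = header.get("alg")
    if alg == "HS256":
        if hmac_secret is None:
            raise ValueError("HS256 token but no local secret configured")
        ok = hmac.compare_digest(hmac.new(hmac_secret, signing_input, hashlib.sha256).digest(), sig)
    elif alg == "RS256":
        jwk = next((j for j in jwks["keys"] if j.get("kty") == "RSA" and j.get("kid") == header.get("kid")), None)
        if jwk is None:
            raise ValueError("no RSA key with kid %r in JWKS" % header.get("kid"))
        n, e = (int.from_bytes(b64url_decode(jwk[x]), "big") for x in ("n", "e"))
        k = (n.bit_length() + 7) // 8
        ok = len(sig) == k and pow(int.from_bytes(sig, "big"), e, n) == _emsa_pkcs1_v15(signing_input, k)
    else:
        raise ValueError("unsupported alg %r" % alg)  # also rejects alg "none"
    if not ok:
        raise ValueError("signature does not verify")
    return json.loads(b64url_decode(c))

def demo():
    """Constructed fixtures: a local HS256 secret (the server's own tokens) and an IdP RSA key (RS256)."""
    secret = b"constructed-local-secret"
    n, e, d = make_rsa_key()
    jwks = {"keys": [jwk_from_public(n, e, "idp-key-1")]}
    claims = {"sub": "svc-app", "iss": "https://login.microsoftonline.com/<tenant>/v2.0"}
    return sign_jwt(claims, "HS256", secret, "local-1"), sign_jwt(claims, "RS256", (n, e, d), "idp-key-1"), secret, jwks
```

The design point is that the key source is chosen by the algorithm, not by the token: a token claiming HS256 is only ever checked against the server's own secret, never against a public key taken from the JWKS, and anything other than the two expected algorithms is refused outright. With a real IdP the JWKS would be loaded from the jwks_uri in the discovery document given above and cached.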

Related

Azure AD B2C with OpenID Connect getting error AADB2C90238: The provided token does not contain a valid issuer

I added and configured an OpenID Connect Identity Provider.
I set the return URL in the provider correctly.
I'm using the "Sign up and Sign in" user flow -- not a custom policy.
Running through the user flow, I ultimately get redirected to my application .../MicrosoftIdentity/Account/Error (or if I set return url to jwt.ms, I get the same error) with the page indicating the error
AADB2C90238: The provided token does not contain a valid issuer
How can I even see the issuer in the token? (It's all handled inside AD B2C service).
I can see what's listed in the provider's .../.well-known/openid-configuration endpoint. I guess that's what's not matching in the token. I've seen suggestions of using Application Insights Logs to view the token -- but, apparently, that can only be done with custom policies.
Is there another way to tell AD B2C not to validate the issuer? Or is another way to handle this issue?
I tried to reproduce the same in my environment.
Open Id configuration is like below:
Where the metadata url is https://login.microsoftonline.com/organizations/v2.0/.well-known/openid-configuration
Authorization request looks like below:
https://kavyasarabojub2c.b2clogin.com/kavyasarabojub2c.onmicrosoft.com/oauth2/v2.0/authorize?p=B2C_1_newSignupSignin&client_id=xxxxx5&nonce=defaultNonce&redirect_uri=https%3A%2F%2Fjwt.ms&scope=openid&response_type=id_token&prompt=login
I received the same error :
With redirect uri: https://jwt.ms
Error: invalid_request
AADB2C90238: The provided token does not contain a valid issuer. Please provide another token and try again.
With redirect uri: https://kavyasarabojub2c.b2clogin.com/kavyasarabojub2c.onmicrosoft.com/oauth2/authresp
So here the redirect URIs are correct and the metadata URL needs to be corrected:
Created an OpenId provider with a metadata URL having the tenantId instead of organizations.
https://login.microsoftonline.com/<tenantId>/v2.0/.well-known/openid-configuration
Run the user flow with this Identity provider
I could log in successfully and get the access token with the endpoint
Note: make sure it has the policy included:
I have p=B2C_1_newSignupSignin
https://kavyasarabojub2c.b2clogin.com/kavyasarabojub2c.onmicrosoft.com/oauth2/v2.0/authorize?p=B2C_1_newSignupSignin&client_id=1xxxxe2a5&nonce=defaultNonce&redirect_uri=https%3A%2F%2Fjwt.ms&scope=openid&response_type=id_token&prompt=login
Here the issuer is of V2 endpoint "iss": "https://kavyasarabojub2c.b2clogin.com/<tenantId>/v2.0/"
Reference : Web sign in with OpenID Connect - Azure Active Directory B2C | Microsoft Learn
Edit:

Unable to set client claims when acquiring confidential client application token

I am attempting to use the MSAL python library to call another custom api in Azure(Exposed through AppRegistration with an API scope exposed).
I am writing a daemon application that will make the request.
Following Azure documentation here:
https://learn.microsoft.com/en-us/azure/active-directory/develop/scenario-daemon-app-configuration?tabs=python
The last example on this Azure docs suggests you can add assertions about custom claims such as client_ip that would be returned in the token.
Similarly, I would like the preferred_username claim to be set to Test as an example:
import msal

app = msal.ConfidentialClientApplication(
    config["client_id"],
    authority=config["authority"],
    # certificate credential: thumbprint plus the PEM-encoded private key
    client_credential={
        "thumbprint": config["thumbprint"],
        "private_key": open(config["private_key_file"]).read(),
    },
    # extra claims placed in the client assertion sent to the token endpoint
    client_claims={"preferred_username": "Test"},
)
However, When I acquire the token using the following code, the preferred_username claim is not within the Token.
result = app.acquire_token_for_client(scopes=config["scope"])
Within the app registration for the daemon app I have added preferred_username as an optional claim (for access tokens).
I am not sure what is wrong with my approach or if I have misinterpreted the intent of client_claims?
I tried to reproduce the same in my environment and got the results like below:
I created an Azure AD Application and configured custom preferred_username claim:
I generated the token via Postman by using below parameters:
https://login.microsoftonline.com/TenantID/oauth2/v2.0/token
client_id:ClientID
client_secret:ClientSecret
scope:https://graph.microsoft.com/.default
grant_type:client_credentials
Optional claims are not included in the token like below:
Note that getting optional claims is only possible with the Authorization code flow, ROPC flow and Implicit flow. Currently, the Client Credentials flow does not support adding any additional custom claims.
The Client Credentials flow fetches the token in the application's context and won't have any user-related claims like preferred_username, given_name or email, etc. So you have to generate the token in the user's context to get the claims.
Alternatively, I generated the Access Token using the endpoint like below:
https://login.microsoftonline.com/tenantID/oauth2/v2.0/authorize?client_id=ClientID&response_type=token&redirect_uri=redirecturi&scope=user.read&response_mode=fragment&state=12345&nonce=678910
Optional claims are included in the token like below:
Reference:
Client assertions (MSAL) - Microsoft Entra | Microsoft Learn

WS-Security policy and security token, Error in obtaining token from WSO2

I'm developing a WSO2 API to invoke a specific service protected by a SAML token. For the security, this is a two-step authentication process. First the service consumer (me) has to authenticate to the SecurityTokenService using X.509 direct authentication. The STS issues a signed SAML token claiming the consumer's identity. In a second request the service consumer calls the business service and includes the received SAML token and a timestamp within the wsse:Security header.
So, I need to access SAML-secured service via WSO2 ESB.
For the first part, I successfully got the token. For the 2nd request I included this process of generating a token (as an Issuer) in a policy:
https://pastebin.com/jgUDzDT6
But my code for the second part doesn't work in ESB, it returns ErrorInObtainingToken.
And I don't understand how to send the already received token in a proper way. Could you please help me?
I used the policy file provided by the service, compared it to the one generated automatically in WSO2 Integration Studio, added and deleted lines, the result is always the same:
[PassThroughMessageProcessor-126] ERROR {org.apache.rahas.client.STSClient} - errorInObtainingToken
Caused by: org.apache.rahas.TrustException: Error in obtaining token from : "http://localhost:8280/.../token"
[-1234] [] [PassThroughMessageProcessor-130] ERROR {org.apache.axis2.engine.AxisEngine} - Message Receiver not found for AxisOperation: requestSecurityToken
org.apache.axis2.AxisFault: Message Receiver not found for AxisOperation: requestSecurityToken

Using Quarkus OpenId Connect and Azure b2c

I'm building a backend-service that provides an API using Quarkus and I need to validate the incoming requests.
By default, Quarkus uses Keycloak, but I want to validate with Azure B2C.
At the moment I have the following configs:
quarkus.oidc.auth-server-url=https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/oauth2/v2.0/authorize?p={policy}
quarkus.oidc.application.application-type=service
quarkus.http.auth.permission.authenticated.paths=/hello/*
quarkus.http.auth.permission.authenticated.policy=authenticated
quarkus.log.category."io.quarkus.oidc".level= DEBUG
And as an example:
import javax.annotation.security.RolesAllowed;   // jakarta.* packages on Quarkus 3
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.MediaType;

@Path("/hello")
public class GreetingResource {

    @GET
    @Produces(MediaType.TEXT_PLAIN)
    @RolesAllowed("test")   // only reachable with a validated token carrying the "test" role
    public String hello() {
        return "Hello RESTEasy";
    }
}
But Quarkus keeps throwing the same error:
OIDC server is not available at the 'https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/oauth2/v2.0/authorize?p={policy}'
Am I doing something wrong?
Thanks in advance!
Policy name for Azure AD B2C, format is like
quarkus.oidc.auth-server-url=https://<tenant-name>.b2clogin.com/<tenant-name>.onmicrosoft.com/<policy-name>/oauth2/v2.0/authorize
(or)
quarkus.oidc.auth-server-url=https://<tenant-name>.b2clogin.com/<tenant-id>/<policy-name>/oauth2/v2.0/authorize
The code in your Azure AD B2C-enabled applications and APIs may refer to login.microsoftonline.com in several places. For example, your code might have references to user flows and token endpoints. Update the following to instead reference your-tenant-name.b2clogin.com:
Authorization endpoint
Token endpoint
Token issuer
Please check the MS docs for more information on the same.
2.
An OIDC service application needs to know the OpenId Connect provider's token; by default they are discovered by adding a /.well-known/openid-configuration path to the configured quarkus.oidc.auth-server-url.
Ex: https://{tenant-name}.b2clogin.com/{tenant-id}/.well-known/openid-configuration?p={policy-name}
By default, the iss claim value is compared to the issuer property which may have been discovered in the well-known provider configuration. But if quarkus.oidc.token.issuer property is set then the iss claim value is compared to it instead.
References:
quarkus/issues
security-openid-connect
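The AADB2C90238 answer earlier on this page (tenant-specific metadata URL instead of organizations) and the Quarkus note on the iss claim come down to the same check: the iss in the token must equal the issuer advertised by the metadata document the application actually loaded. The following Python is an added example, not Azure, B2C or Quarkus code, of that comparison run over constructed discovery documents and claims. The documents are modelled on the endpoint shapes quoted in the thread (the organizations endpoint publishes a templated issuer, B2C issuers carry a trailing slash); the tenant id is the one from the first question, and contoso is a placeholder B2C tenant name.

```python
# Constructed discovery documents (only the fields the check needs).
TENANT = "5f5e974f-8c71-4657-a953-a83a2334ade7"   # tenant id from the first question on the page
DISCOVERY_ORGANIZATIONS = {   # .../organizations/v2.0/.well-known/openid-configuration: issuer is a template
    "issuer": "https://login.microsoftonline.com/{tenantid}/v2.0",
    "jwks_uri": "https://login.microsoftonline.com/organizations/discovery/v2.0/keys",
}
DISCOVERY_TENANT = {          # .../<tenantId>/v2.0/.well-known/openid-configuration: concrete issuer
    "issuer": "https://login.microsoftonline.com/%s/v2.0" % TENANT,
    "jwks_uri": "https://login.microsoftonline.com/%s/discovery/v2.0/keys" % TENANT,
}
DISCOVERY_B2C = {             # B2C issuer, with the trailing slash the answer above shows
    "issuer": "https://contoso.b2clogin.com/%s/v2.0/" % TENANT,
}

def issuer_problems(claims, discovery, expected_tenant=None):
    """Reasons a token would be rejected on its issuer; an empty list means it matches."""
    iss = claims.get("iss")
    issuer = discovery.get("issuer", "")
    if not iss:
        return ["token carries no iss claim"]
    problems = []
    if "{" in issuer:
        problems.append("metadata issuer %r is a template; load the tenant-specific metadata URL instead" % issuer)
    elif iss != issuer:   # exact compare: scheme, host, tenant and trailing slash all count
        problems.append("iss %r does not equal metadata issuer %r" % (iss, issuer))
    if expected_tenant and expected_tenant not in iss:
        problems.append("iss %r is not for the expected tenant %s" % (iss, expected_tenant))
    if expected_tenant and claims.get("tid", expected_tenant) != expected_tenant:
        problems.append("tid claim %r is not the expected tenant" % claims["tid"])
    return problems

def tenant_metadata_url(tid):
    """Metadata URL pinned to one AAD tenant, the form the answer above switched to."""
    return "https://login.microsoftonline.com/%s/v2.0/.well-known/openid-configuration" % tid
```

Pinning the expected tenant is what stops a token from a different tenant, which is still validly signed by the same Microsoft keys, from being accepted by a service that only loaded the multi-tenant metadata.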

Azure AD B2C Authentication using root and client certificate

I have a client API which implements MSAL to fetch an access token from Azure AD B2C. This API authenticates with the AD B2C tenant using a certificate and not a secret. The issue is when I try to authenticate using a root certificate which is uploaded in AD B2C and a client certificate which is passed from the client API, it fails with an exception:
A configuration issue is preventing authentication - check the error message from the server for details. You can modify the configuration in the application registration portal. See https://aka.ms/msal-net-invalid-client for details. Original exception: AADSTS700027: Client assertion contains an invalid signature. [Reason - The key was not found., Thumbprint of key used by client: 'FE5D9FEF5D0D528B8ED641727E903E50953D44CE', Please visit the Azure Portal, Graph Explorer or directly use MS Graph to see configured keys for app Id 'f3bfc1b2-f1b2-4552-9145-7019c8683a41'. Review the documentation at https://learn.microsoft.com/en-us/graph/deployments to determine the corresponding service endpoint and https://learn.microsoft.com/en-us/graph/api/application-get?view=graph-rest-1.0&tabs=http to build a query request URL, such as 'https://graph.microsoft.com/beta/applications/f3bfc1b2-f1b2-4552-9145-7019c8683a41']
Trace ID: 59cf24e3-96bb-48ca-8d4b-f8cf0e5d0e00
Correlation ID: 496261ed-31c3-46c1-9fdb-a59c966ddf3d
Timestamp: 2020-12-28 08:16:12Z
As far as I know, this error is usually caused by the fact that you did not encode the thumbprint correctly. After you obtain the thumbprint, please check your code to ensure that it is properly Base64 encoded.
