Validating with Azure ad token #41

Closed
sdfarrelliii opened this issue Aug 8, 2022 · 10 comments

Comments

@sdfarrelliii

I am attempting to validate an Azure AD token with your package. It is able to parse the token, but it fails to validate the signature. I have used several key URLs, such as

https://login.microsoftonline.com/common/discovery/v2.0/keys
https://login.microsoftonline.com/{tenantid}/discovery/v2.0/keys
https://login.microsoftonline.com/{tenantid}/discovery/keys
https://login.microsoftonline.com/common/discovery/keys
https://login.microsoftonline.com/{tenantid}/discovery/v2.0/keys?appid={appid}
https://login.microsoftonline.com/{tenantid}/discovery/keys?appid={appid}

My parsing code is here:

```go
import (
	"errors"
	"log"

	"github.com/MicahParks/keyfunc"
	"github.com/golang-jwt/jwt/v4" // assumed: the jwt module version keyfunc v1 pairs with
)

// validateToken fetches the JWK Set and uses it to verify the bearer token's signature.
func validateToken(bearerTokenStr string, claims jwt.Claims) (jwt.Claims, error) {
	jwksURL := "https://login.microsoftonline.com/common/discovery/v2.0/keys"

	// Fetch the JWK Set from the given URL.
	jwks, err := keyfunc.Get(jwksURL, keyfunc.Options{})
	if err != nil {
		log.Fatalf("Failed to get the JWKS from the given URL.\nError: %s", err)
	}

	// Parse the JWT, looking up the signing key by kid via jwks.Keyfunc.
	token, err := jwt.ParseWithClaims(bearerTokenStr, claims, jwks.Keyfunc)
	if err != nil || !token.Valid {
		return nil, errors.New("error validating token")
	}
	return claims, nil
}
```

Is there an issue with parsing Azure tokens? I have read that the go-oidc project has seen some issues.

I can send you my token if you need it

Thanks

@MicahParks
Owner

I would like to see a token, if you're able to provide one that is expired and does not contain any personal information or other sensitive data.

@MicahParks
Owner

It seems the original issue text's code wasn't formatted properly, but I get the idea of the code.

Could you provide more information about the error that's being returned and on which line? The error's full text and Go type would be best. An example of a Go type would be keyfunc.ErrKIDNotFound. You could find this by using a debugger. The error text could be gathered by printing the error as a string.

@MicahParks
Owner

I'm seeing a crypto/rsa: verification error, which is concerning to me. But I haven't evaluated the full scope of what that could mean, yet.

@MicahParks
Owner

> I have read that the go-oidc project has seen some issues.

Could you link to where you read this?

@sdfarrelliii
Author

Yes, my error is "crypto/rsa: verification error" inside the parser file.

I have seen a large ticket on oidc here: coreos/go-oidc#344
I think it is related, but I am unsure.

@MicahParks
Owner

MicahParks commented Aug 8, 2022

Currently, my best guess is that the key with the kid (key ID) that signed the JWT you've provided has been rotated since it was created, causing this RSA verification error. I see the provided JWT was created last week. When keys are rotated, I'm not sure if they change their kid or not. I would hope they do, but don't know if that is covered by any specification.

If this was also happening last week, you may have experienced a different error at the time, but recreating that error would require a JWT signed with the newer key, meaning a JWT that was created today would need to be provided.

The issue linked for coreos/go-oidc doesn't seem to be related to their JWK Set directly, it seems to be more of a discussion about Microsoft's implementation of OpenID Connect (OIDC).

If you are developing an application that uses OIDC, I would suggest using the coreos/go-oidc or other relevant higher-level package as that is a complex protocol.

As far as what you can do today, creating a new JWT now, then trying to parse & validate it would be the next step. That could show us if the key was rotated but kept the same kid.

@sdfarrelliii
Author

I just refreshed and the kid in my new token is 2ZQpJ3UpbjAYXYGaXEJl8lV0TOI

I am getting the token by having the user log in through the front end and then querying MS for an access token. That token is then appended to the header for my API calls. The new token I just got has an expiry of Aug 08 2022 11:42:38 GMT-0230; it seems the token is good for about 5 minutes, but it still returns the same error.

@sdfarrelliii
Author

I found the issue. It seems I was sending the access token to my API and that was failing; however, I changed my front end so it sends the ID token instead, and that returns as valid.
For keys I ended up using this URL:
https://login.microsoftonline.com/{tenantid}/discovery/keys?appid={appid}

This can be closed.
Thank you.

@MicahParks
Owner

Wonderful. I'm glad you were able to resolve it. Hopefully next time someone has the same question, they'll find this. 🙂

@benc-uk

benc-uk commented Oct 15, 2022

I found this issue and was hitting the same. The answer is not to use the ID token: you shouldn't use the ID token as a bearer token when calling your API; you should only use the access token.

The root of the problem is not adding a scope to the app registration in Azure AD and requesting a token using that scope. See the docs here: https://learn.microsoft.com/en-us/azure/active-directory/develop/quickstart-configure-app-expose-web-apis

Without a custom scope, the audience of the access token will NOT be your application ID; instead it will be set to 00000003-0000-0000-c000-000000000000, which is the GUID of the Microsoft Graph API and not your own app.
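As an added diagnostic example (not code from this issue or from the keyfunc project), the following Go snippet decodes a token's kid and aud without verifying it and reports when the aud is the Microsoft Graph GUID quoted above, which is the misconfiguration that surfaces as a signature failure in the thread. The expected client ID and its "api://" form are assumptions about your own app registration.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// Microsoft Graph application ID (quoted above): aud of a scope-less access token.
const graphAppID = "00000003-0000-0000-c000-000000000000"
// inspectToken reads kid and aud WITHOUT verifying the signature: diagnostic only.
func inspectToken(raw string) (kid string, aud []string, err error) {
	parts := strings.Split(raw, ".")
	if len(parts) != 3 {
		return "", nil, fmt.Errorf("JWT must have three segments, got %d", len(parts))
	}
	var hdr struct{ Kid string `json:"kid"` }
	var pl struct{ Aud json.RawMessage `json:"aud"` }
	for i, dst := range []interface{}{&hdr, &pl} {
		b, err := base64.RawURLEncoding.DecodeString(parts[i])
		if err == nil {
			err = json.Unmarshal(b, dst)
		}
		if err != nil {
			return "", nil, fmt.Errorf("segment %d: %w", i, err)
		}
	}
	// RFC 7519 allows aud to be a single string or an array of strings.
	var single string
	if json.Unmarshal(pl.Aud, &single) == nil {
		aud = []string{single}
	} else if err := json.Unmarshal(pl.Aud, &aud); err != nil {
		return "", nil, fmt.Errorf("aud claim: %w", err)
	}
	return hdr.Kid, aud, nil
}
// checkAudience is nil when aud contains expected (your client ID, or its
// "api://<client-id>" form in v1.0 tokens) and otherwise names the likely cause.
func checkAudience(aud []string, expected string) error {
	for _, a := range aud {
		if a == expected {
			return nil
		}
		if a == graphAppID {
			return fmt.Errorf("aud is Microsoft Graph (%s): no custom scope was requested", a)
		}
	}
	return fmt.Errorf("aud %v does not contain %s", aud, expected)
}
```

Run inspectToken on the bearer token your API receives before calling jwt.ParseWithClaims; a Graph audience means the client must request your app's custom scope, and a kid absent from your tenant's JWK Set points at the wrong keys URL.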
