robert trudel

Reputation: 5779

OAuth2AuthorizedClient access token has bad aud

I have an Angular application packaged with Spring Boot that acts like a BFF.

I have another Spring Boot application for the REST API.

When the Angular app goes to the home URL, the connection is made via the BFF.

@GetMapping(value = { "", "/", "/home" })
public String index(@RegisteredOAuth2AuthorizedClient() OAuth2AuthorizedClient authorizedClient,
                    OAuth2AuthenticationToken token) {
    ...
    // OAuth2AuthenticationToken has the idToken in the principal object
    log.warn(authorizedClient.getAccessToken().getTokenValue());

    // call with grant type, client secret, client id and scope to graphApi
    // url [CLIENT_ID of the API app registration]/.default
    ...
}

In this BFF app, I have used

aad.tenant=https://acme.onmicrosoft.com
spring.cloud.azure.active-directory.profile.tenant-id=
spring.cloud.azure.active-directory.credential.client-id=
spring.cloud.azure.active-directory.credential.client-secret=

aad.msGraphEndpointHost=https://graph.microsoft.com/
aad.appScope=https://graph.microsoft.com/
aad.accessTokenUri=https://login.microsoftonline.com/${spring.cloud.azure.active-directory.profile.tenant-id}/oauth2/v2.0/token
spring.cloud.azure.active-directory.enabled=true
spring.cloud.azure.active-directory.authorization-clients.graph.scopes=${aad.msGraphEndpointHost}User.Read.All
spring.cloud.azure.active-directory.redirect-uri-template=
spring.cloud.azure.active-directory.post-logout-redirect-uri=

In my API application, I have these two properties

spring.cloud.azure.active-directory.credential.client-id=...
spring.cloud.azure.active-directory.app-id-uri=...

So the user goes to the home page, an Azure popup asks for the user's password after the BFF endpoint is called, and the OAuth2AuthorizedClient and OAuth2AuthenticationToken objects are populated.

The BFF is currently used only for the security part. Angular calls the API backend directly with the token obtained via graphApi. In the backend I would like to have some info to identify the user.

I don't understand why the access token in the OAuth2AuthorizedClient object can't be used. The access token of this object has a lot of information about the user.


When I try to use it to call the API backend, I get

Vary: Origin,Access-Control-Request-Method,Access-Control-Request-Headers WWW-Authenticate: Bearer error="invalid_token", error_description="An error occurred while attempting to decode the Jwt: Signed JWT rejected: Invalid signature", error_uri="https://tools.ietf.org/html/rfc6750#section-3.1""

Do I need to specify something to use this access token in my API backend (maybe it uses the wrong algorithm)?

In my API backend, in my security class, I have

import java.util.Arrays;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.web.cors.CorsConfiguration;
// AadResourceServerHttpSecurityConfigurer comes from spring-cloud-azure-autoconfigure;
// its package differs between Spring Cloud Azure versions, so import it from your version.

@Configuration
@EnableWebSecurity
@EnableMethodSecurity
public class SecurityConfig {

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http.cors(cors -> cors.configurationSource(request -> {
                    // Permissive CORS: every origin, method and header is allowed
                    CorsConfiguration configuration = new CorsConfiguration();
                    configuration.setAllowedOrigins(Arrays.asList("*"));
                    configuration.setAllowedMethods(Arrays.asList("*"));
                    configuration.setAllowedHeaders(Arrays.asList("*"));
                    return configuration;
                }))
                .csrf().disable()
                .httpBasic().disable()
                .headers().xssProtection().and()
                .and().headers().frameOptions().sameOrigin()
                .and().authorizeHttpRequests()
                    // OpenAPI docs and actuator endpoints are public
                    .requestMatchers(HttpMethod.GET, "/v3/api-docs/**", "/swagger-ui/**", "/swagger-ui.html", "/actuator/**").permitAll()
                .and()
                // Validate incoming bearer tokens as Azure AD JWTs
                .apply(AadResourceServerHttpSecurityConfigurer.aadResourceServer())
                .and().authorizeHttpRequests().anyRequest().authenticated();
        return http.build();
    }
}

In Azure AD API permissions


Edit

The OAuth2AuthorizedClient token has this info

"aud": "00000003-0000-0000-c000-000000000000", "iss": "https://sts.windows.net/14a485d4-754c-4912-b891-f9cd98c49032/",

The token obtained when a call is made to the URL [CLIENT_ID of the API app registration]/.default has this info

"aud": "https://acme.onmicrosoft.com/9a452e9f-a9ba-412e-9efc-213c3bcaac0c", "iss": "https://sts.windows.net/14a485d4-754c-4912-b891-f9cd98c49032/",

So why is the aud of the OAuth2AuthorizedClient token bad?

Upvotes: 0

Views: 281

Answers (1)

Naveen Sharma

Reputation: 1308

The error "An error occurred while attempting to decode the Jwt: Signed JWT rejected: Invalid signature" usually occurs if you are trying to validate the token which is not meant for your application.

Tokens with aud 00000003-0000-0000-c000-000000000000 or https://graph.microsoft.com/ are tokens issued for Microsoft Graph.

  • Microsoft Graph tokens are not meant to be validated, as they are not meant for your application.
  • You shouldn't try to validate Microsoft Graph tokens, as they use a slightly different signing scheme and you can't use the same methods to validate Graph API tokens.
  • And hence, when you try to validate the Microsoft Graph token, you will get the error "Invalid signature".


Hence, you must configure Spring to validate the token for your aad.appScope, not Microsoft Graph.

  • To fix this issue, you need to obtain an access token that is intended for your API backend and validate that access token.
  • Hence, validate the token for https://acme.onmicrosoft.com/XXX and you will not get the error.

Reference:

spring security - Verify Signature with Azure AD - Stack Overflow by juunas

Upvotes: 0
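One way to apply this in the BFF controller from the question: request a token for the backend's own scope instead of reusing the Graph token, and check its aud before forwarding it. This is an added example, not code from the question or the answer. It assumes an authorization client named api registered in the BFF's properties with scope <app-id-uri>/.default (same style as the graph client on the page), a hypothetical backend URL, and the Nimbus JOSE+JWT library (pulled in by spring-boot-starter-oauth2-client) on the classpath; the expected audience is the one shown on the question's second token.

```java
import java.text.ParseException;
import java.util.List;
import com.nimbusds.jwt.JWTParser;
import org.springframework.http.HttpEntity;
import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpMethod;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClient;
import org.springframework.security.oauth2.client.annotation.RegisteredOAuth2AuthorizedClient;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.client.RestTemplate;

@RestController
public class ApiProxyController {
    // Audience the backend API expects (its app-id-uri); value copied from the question
    static final String API_AUDIENCE = "https://acme.onmicrosoft.com/9a452e9f-a9ba-412e-9efc-213c3bcaac0c";
    // Audiences of Microsoft Graph tokens; a token carrying one of these must never be
    // forwarded to the backend: it was signed for Graph and will fail signature validation
    static final List<String> GRAPH_AUDIENCES = List.of(
            "00000003-0000-0000-c000-000000000000",
            "https://graph.microsoft.com", "https://graph.microsoft.com/");
    // Hypothetical backend base URL (assumption)
    static final String API_BASE_URL = "http://localhost:8081";
    private final RestTemplate rest = new RestTemplate();

    // "api" is the assumed name of the authorization client registered with the backend's
    // scope: spring.cloud.azure.active-directory.authorization-clients.api.scopes=<app-id-uri>/.default
    @GetMapping("/bff/me")
    public String me(@RegisteredOAuth2AuthorizedClient("api") OAuth2AuthorizedClient apiClient)
            throws ParseException {
        String token = apiClient.getAccessToken().getTokenValue();
        if (!isIssuedForApi(token)) {
            throw new IllegalStateException("access token is not issued for the backend API");
        }
        HttpHeaders headers = new HttpHeaders();
        headers.setBearerAuth(token);
        return rest.exchange(API_BASE_URL + "/me", HttpMethod.GET,
                new HttpEntity<>(headers), String.class).getBody();
    }

    // Reads the aud claim without verifying the signature; the backend's resource server
    // does the real verification, this only catches a wrongly scoped token early
    static boolean isIssuedForApi(String jwt) throws ParseException {
        List<String> aud = JWTParser.parse(jwt).getJWTClaimsSet().getAudience();
        return aud.contains(API_AUDIENCE) && aud.stream().noneMatch(GRAPH_AUDIENCES::contains);
    }
}
```

With the first token from the question (aud 00000003-0000-0000-c000-000000000000) isIssuedForApi returns false, with the second (aud https://acme.onmicrosoft.com/9a452e9f-...) it returns true, which is the token the resource server on the page can validate.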
