Wow, perfect timing. I was about to ask if the discovery URL is the only 
URL that needs to be allowed through our firewall, because fudging out the one 
in my cas.properties did not seem to make a difference. Thanks for pointing 
out that it is hardcoded and based on tenant id. It explains why it's working on 
my localhost but not in our DMZ.

I'm not sure why your query param is "appid". Mine is "client_name". I also 
use the following:
cas.authn.pac4j.oidc[0].azure.callback-url-type=PATH_PARAMETER
as I read in the Azure AD config that it does not like query params in the 
redirect URL.

I also had to comment out these 3 lines, as Azure was returning the 
wrong token, and it turns out the default settings are enough for me. Maybe you are 
trying to parse the wrong token (user token instead of authorization 
token). Also note the scope I use.
#cas.authn.pac4j.oidc[0].azure.response-mode=form_post
#cas.authn.pac4j.oidc[0].azure.response-type=id_token
#cas.authn.pac4j.oidc[0].azure.response-type=code
cas.authn.pac4j.oidc[0].azure.scope=openid profile email

On Monday, October 23, 2023 at 7:45:31 AM UTC-5 Catalin wrote:

> Hi,
>
> I'm trying to delegate auth to Azure AD in CAS 6.6.13. 
> It seems to delegate the auth to Azure: the login is done, but afterwards 
> it fails when trying to decode the returned JWT
>
> here's the error: 
>
> : [DelegatedClientAuthenticationHandler]: 
> [org.pac4j.core.exception.TechnicalException: 
> com.nimbusds.jose.proc.BadJOSEException: Signed JWT rejected: Another 
> algorithm expected, or no matching key(s) found / 
> com.nimbusds.jose.proc.BadJOSEException: Signed JWT rejected: Another 
> algorithm expected, or no matching key(s) found]
>
> and this happens because the signing keys do not match: in Azure there 
> are some common keys and there seem to be some client-specific keys. 
> In the case of client-specific signing keys, the discovery URL should look 
> like this:
>
> https://login.microsoftonline.com/<tenantID>/.well-known/openid-configuration?appid=<clientID> 
>
> as you can see, the appid parameter is at the end; here's some Azure 
> explanation of why the keys are app-specific: 
> https://learn.microsoft.com/en-us/answers/questions/1163810/where-can-i-find-the-jwks-uri-for-azure-ad
>
> I tried to add the discovery-url from cas.properties, obviously, but from 
> what I have debugged the value is hardcoded in:
>
> org.pac4j.oidc.config.AzureAdOidcConfiguration
>
> code snippet below (the discovery URI is built from the tenant only; there 
> is no way to append the appid query parameter):
> @Override
> public String getDiscoveryURI() {
>     return "https://login.microsoftonline.com/" + tenant
>         + "/.well-known/openid-configuration";
> }
>
> I also checked the latest pac4j sources, and the code is similar
>
> here are the CAS properties that I added in order to enable this delegation:
> cas.authn.pac4j.oidc[0].azure.tenant=tenantID
> cas.authn.pac4j.oidc[0].azure.id=clientID
> cas.authn.pac4j.oidc[0].azure.secret=secret
> cas.authn.pac4j.oidc[0].azure.client-name=Azure
> cas.authn.pac4j.oidc[0].azure.display-name=Azure Login
> cas.authn.pac4j.oidc[0].azure.principal-attribute-id=name
> cas.authn.pac4j.oidc[0].azure.callback-url=http://localhost:81/cas/login?client_name=Azure
> cas.authn.pac4j.oidc[0].azure.discovery-uri=https://login.microsoftonline.com/tenantID/.well-known/openid-configuration?appid=clientID
>
> So is this a limitation in pac4j? Is there any easy way to override 
> that discovery URL? I was thinking of trying something with Byte Buddy
>
> Any suggestions appreciated
>
> thanks
>
>

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/4b9c090a-3cda-4b3c-ba4d-b864894e2e8en%40apereo.org.
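To make the "no matching key(s) found" failure in the thread concrete, here is an added Python example (not code from the thread, CAS or pac4j) that builds the tenant-only discovery URL the way pac4j hardcodes it and the app-specific variant with the appid parameter, then checks a token's kid against a JWKS the way a JOSE processor would. The token, both JWKS documents and the tenant/client IDs are constructed placeholders.

```python
import base64
import json
from typing import Optional

LOGIN_BASE = "https://login.microsoftonline.com/"

def discovery_uri(tenant: str, app_id: Optional[str] = None) -> str:
    """Tenant-only URL, as pac4j's AzureAdOidcConfiguration builds it,
    or the app-specific variant with the appid query parameter."""
    uri = f"{LOGIN_BASE}{tenant}/.well-known/openid-configuration"
    return f"{uri}?appid={app_id}" if app_id else uri

def jwt_header(token: str) -> dict:
    """Decode only the JOSE header of a compact JWT (no signature check here)."""
    header_b64 = token.split(".")[0]
    padded = header_b64 + "=" * (-len(header_b64) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))

def matching_key(header: dict, jwks: dict) -> Optional[dict]:
    """Return the JWKS entry whose kid (and alg, if listed) matches the header.
    None is the situation behind nimbus's 'no matching key(s) found'."""
    for key in jwks.get("keys", []):
        if key.get("kid") != header.get("kid"):
            continue
        if "alg" in key and key["alg"] != header.get("alg"):
            continue
        return key
    return None

def _b64url(obj: dict) -> str:
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")

# Constructed sample token: Azure-like header and payload plus a dummy signature.
SAMPLE_TOKEN = ".".join([
    _b64url({"typ": "JWT", "alg": "RS256", "kid": "app-specific-kid-1"}),
    _b64url({"aud": "clientID", "tid": "tenantID"}),
    "c2lnbmF0dXJl",
])

# Constructed JWKS documents: the tenant-wide set, and the set served with ?appid=.
COMMON_JWKS = {"keys": [{"kty": "RSA", "use": "sig", "kid": "common-kid-A"},
                        {"kty": "RSA", "use": "sig", "kid": "common-kid-B"}]}
APP_JWKS = {"keys": COMMON_JWKS["keys"]
            + [{"kty": "RSA", "use": "sig", "kid": "app-specific-kid-1"}]}

def diagnose(token: str, common_jwks: dict, app_jwks: dict) -> str:
    """Report which key set contains the key the token header points at."""
    header = jwt_header(token)
    if matching_key(header, common_jwks):
        return "tenant keys"
    if matching_key(header, app_jwks):
        return "app-specific keys only"
    return "no matching key"
```

If `diagnose` reports "app-specific keys only", the JWKS fetched via the tenant-only discovery URL cannot verify the token, which is exactly the rejection Catalin saw.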
