I suppose it is because there are specific claims, and I can confirm that.
Check the docs here:
https://learn.microsoft.com/en-us/answers/questions/1163810/where-can-i-find-the-jwks-uri-for-azure-ad

It does not matter in the end whether it is a JWT access or ID token, since it
fails to validate them.

Azure works fine with the above configuration (with the discovery URL with
appid) if used with the Spring Boot OAuth2 resource server or client.
I did that and it fails with the same error, namely that it fails to validate
the token due to the signatures not matching, so when I tried it with CAS/Azure
the error was known to me since I had tried it first with Spring Boot.


On Wednesday, October 25, 2023 at 3:18:42 AM UTC+3 Pablo Vidaurri wrote:

> Wow, perfect timing. I was about to ask if the discovery URL is the only 
> URL that needs to be allowed through our firewall, because fudging out the one 
> in my cas.properties did not seem to make a difference. Thanks for pointing 
> out it is hardcoded and based on tenant id. It explains why it's working on 
> my localhost but not in our DMZ.
>
> I'm not sure why your query param is "appid". Mine is "client_name". I 
> also use the following:
> cas.authn.pac4j.oidc[0].azure.callback-url-type=PATH_PARAMETER
> as I read in Azure AD config that it does not like query params in the 
> redirect URL.
>
> I have also had to comment out these 3 lines; Azure was returning the 
> wrong token, and it turns out the default settings are enough for me. Maybe you are 
> trying to parse the wrong token (user token instead of authorization 
> token). Also note the scope I use.
> #cas.authn.pac4j.oidc[0].azure.response-mode=form_post
> #cas.authn.pac4j.oidc[0].azure.response-type=id_token
> #cas.authn.pac4j.oidc[0].azure.response-type=code
> cas.authn.pac4j.oidc[0].azure.scope=openid profile email
>
> On Monday, October 23, 2023 at 7:45:31 AM UTC-5 Catalin wrote:
>
>> Hi,
>>
>> I'm trying to delegate auth to Azure AD in CAS 6.6.13. 
>> It seems to delegate the auth to Azure; the login is done, but afterwards 
>> it fails when trying to decode the returned JWT.
>>
>> Here's the error: 
>>
>> [DelegatedClientAuthenticationHandler]: 
>> [org.pac4j.core.exception.TechnicalException: 
>> com.nimbusds.jose.proc.BadJOSEException: Signed JWT rejected: Another 
>> algorithm expected, or no matching key(s) found / 
>> com.nimbusds.jose.proc.BadJOSEException: Signed JWT rejected: Another 
>> algorithm expected, or no matching key(s) found]
>>
>> This happens because the signing keys are not matching: in Azure 
>> there are some common keys, and there seem to be some client-specific 
>> keys. 
>> In the case of client-specific signing keys, the discovery URL should look 
>> like this:
>>
>> https://login.microsoftonline.com/<tenantID>/.well-known/openid-configuration?appid=<clientID> 
>>
>> As you can see, there is the appid parameter at the end. Here's some Azure 
>> explanation of why the keys are specific per app: 
>> https://learn.microsoft.com/en-us/answers/questions/1163810/where-can-i-find-the-jwks-uri-for-azure-ad
>>
>> I tried to add the discovery-url, obviously from cas.properties, but from 
>> what I have debugged the value is hardcoded in:
>>
>> org.pac4j.oidc.config.AzureAdOidcConfiguration
>>
>> Code snippet below:
>> @Override
>> public String getDiscoveryURI() {
>>     return "https://login.microsoftonline.com/" + tenant
>>         + "/.well-known/openid-configuration";
>> }
>>
>> I also checked the latest pac4j sources, and the code is similar.
>>
>> Here are the cas properties that I added in order to enable this delegation:
>> cas.authn.pac4j.oidc[0].azure.tenant=tenantID
>> cas.authn.pac4j.oidc[0].azure.id=clientID
>> cas.authn.pac4j.oidc[0].azure.secret=secret
>> cas.authn.pac4j.oidc[0].azure.client-name=Azure
>> cas.authn.pac4j.oidc[0].azure.display-name=Azure Login
>> cas.authn.pac4j.oidc[0].azure.principal-attribute-id=name
>> cas.authn.pac4j.oidc[0].azure.callback-url=http://localhost:81/cas/login?client_name=Azure
>> cas.authn.pac4j.oidc[0].azure.discovery-uri=https://login.microsoftonline.com/tenantID/.well-known/openid-configuration?appid=clientID
>>
>> So is this a limitation in pac4j? Is there any easy way to 
>> override that discovery URL? I was thinking of trying something with Byte Buddy.
>>
>> Any suggestions appreciated
>>
>> thanks
>>
>>
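One way to get the appid-qualified discovery document without Byte Buddy is to subclass the pac4j class quoted above and override the getter, as in this added example (not code from the thread or from the CAS/pac4j projects). It assumes getTenant() and getClientId() are the pac4j accessors backing the azure.tenant and azure.id properties above; how CAS is made to instantiate this subclass instead of AzureAdOidcConfiguration is not covered here.

```java
package example; // hypothetical package, not part of CAS or pac4j

import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import org.pac4j.oidc.config.AzureAdOidcConfiguration;

/**
 * Azure AD configuration whose discovery URI carries the appid query
 * parameter, so the JWKS reachable from the discovery document contains the
 * app-specific signing keys and the id_token's kid can be matched.
 *
 * Assumption: getTenant() and getClientId() return the values that CAS sets
 * from cas.authn.pac4j.oidc[0].azure.tenant and .id.
 */
public class AppIdAwareAzureAdOidcConfiguration extends AzureAdOidcConfiguration {

    private static final String AUTHORITY = "https://login.microsoftonline.com/";
    private static final String DISCOVERY_PATH = "/.well-known/openid-configuration";

    @Override
    public String getDiscoveryURI() {
        // Same tenant-scoped document that pac4j hardcodes...
        String base = AUTHORITY + getTenant() + DISCOVERY_PATH;
        String clientId = getClientId();
        // ...and the same fallback when no client id is configured.
        if (clientId == null || clientId.isBlank()) {
            return base;
        }
        // Append appid so Azure advertises the keys used to sign this app's tokens.
        return base + "?appid=" + URLEncoder.encode(clientId, StandardCharsets.UTF_8);
    }
}
```

Because the Azure subclass overrides the getter, a discovery-uri set through the plain OidcConfiguration setter is ignored, which is consistent with the cas.properties value above having no effect.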

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/53abb22c-3d40-4e28-b517-afa84eba3324n%40apereo.org.
