Automating authentication in scripts #1240

alexhfmnn · 2024-08-02T14:00:44Z

alexhfmnn
Aug 2, 2024

Hi OpenIDC contributor and community,
I have a reverse proxy set up, forwarding all requests coming to my.reverse-proxy.de/ to a Tomcat at http://mybackend.local.domain:8080/ within my local network. Additionally, I want to use mod_auth_openidc to add authentication to the Tomcat using Azure AD.
Now I have to send automated requests to this Tomcat, for example with Bash. To do this, I successfully receive an AuthToken directly via the Azure token endpoint using client credentials grant and then want to use this to access the Tomcat in the backend via my reverse proxy. Unfortunately, I always get a 401 status code back saying that my JWT token cannot be validated.

virtual host:

<VirtualHost *:443>
        ServerName my.reverse-proxy.de
        ServerAdmin [email protected]

        ErrorLog ${APACHE_LOG_DIR}/my.reverse-proxy.de_error.log
        CustomLog ${APACHE_LOG_DIR}/my.reverse-proxy.de_access.log combined
        LogLevel auth_openidc:debug

        SSLEngine on
        SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
        SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
        SSLProxyCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384

        SSLCertificateFile /etc/ssl/certs/wildcard_reverse-proxy.pem
        SSLCertificateKeyFile /etc/ssl/private/wildcard_reverse-proxy.key

        OIDCProviderMetadataURL https://login.microsoftonline.com/XXXXX/v2.0/.well-known/openid-configuration
        OIDCOAuthVerifyJwksUri https://login.microsoftonline.com/XXXXX/discovery/v2.0/keys
        OIDCClientID YYYYY
        OIDCClientSecret ZZZZZ

        # OIDCRedirectURI is a vanity URL that must point to a path protected by this module but must NOT point to any content
        # This can be adjusted to anything, but make sure the app in Entra matches! It can be absolute or relative (as here)
        OIDCRedirectURI /auth/

        # Change this to something else
        OIDCCryptoPassphrase somethingsupersecret

        OIDCScope ".default"

        # This is the endpoint for auth, so make sure this matches the OIDCRedirectURI above.
        <Location /auth/>
          AuthType openid-connect
          Require valid-user
        </Location>

        # You can protect any other location by adding these as needed.
        <Location />
          AuthType auth-openidc
          Require claim appid:nf78fw7-4gh3fnfjwc-v8e
          Require claim aud:1234567890
          # Proxy settings
          ProxyPreserveHost On
          ProxyPass http://mybackend.local.domain:8080/
          ProxyPassReverse http://mybackend.local.domain:8080/
        </Location>
</VirtualHost>

script:

#!/bin/bash

USERNAME="myclientid"
PASSWORD="myclientsecret"
TOKEN_URL="https://login.microsoftonline.com/XXXXX/oauth2/v2.0/token"
SCOPE="https://graph.microsoft.com/.default"
TOMCAT_URL="https://my.reverse-proxy.de/path/to/tomcat/endpoint"

TOKEN=$(curl -s -X POST \
  -H "Content-Type: application/x-www-form-urlencoded" \
  --data "scope=${SCOPE}" \
  --data-urlencode "client_id=${USERNAME}" \
  --data-urlencode "client_secret=${PASSWORD}" \
  --data-urlencode "grant_type=client_credentials" \
  ${TOKEN_URL} | jq -r '.access_token')

echo -e "$TOKEN\n\n"

curl -X POST \
  -H "Authorization: Bearer ${TOKEN}" \
  ${TOMCAT_URL}

response:

{"token_type":"Bearer","expires_in":3599,"ext_expires_in":3599,"access_token":"eyJ0exxxxxxxxxxxxxxxxxxxx"}


<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>401 Unauthorized</title>
</head><body>
<h1>Unauthorized</h1>
<p>This server could not verify that you
are authorized to access the document
requested.  Either you supplied the wrong
credentials (e.g., bad password), or your
browser doesn't understand how to supply
the credentials required.</p>
</body></html>

log:

[auth_openidc:debug] [pid 2297802:tid 140017712215616] src/handle/authz.c(533): [client 1.2.3.4:5928] oidc_authz_24_checker: enter: (r->user=(null)) require_args="appid:nf78fw7-4gh3fnfjwc-v8e"
[auth_openidc:debug] [pid 2297802:tid 140017712215616] src/handle/authz.c(533): [client 1.2.3.4:5928] oidc_authz_24_checker: enter: (r->user=(null)) require_args="aud:1234567890"
[auth_openidc:debug] [pid 2297802:tid 140017712215616] src/mod_auth_openidc.c(1615): [client 1.2.3.4:5928] oidc_check_user_id: incoming request: "/path/to/tomcat/endpoint?(null)", ap_is_initial_req(r)=1
[auth_openidc:debug] [pid 2297802:tid 140017712215616] src/oauth.c(183): [client 1.2.3.4:5928] oidc_oauth_get_bearer_token: accept_token_in=0
[auth_openidc:debug] [pid 2297802:tid 140017712215616] src/http.c(123): [client 1.2.3.4:5928] oidc_http_hdr_in_get: Authorization=Bearer eyJ0exxxxxxxxxxxxxxxxxxxx
[auth_openidc:debug] [pid 2297802:tid 140017712215616] src/oauth.c(195): [client 1.2.3.4:5928] oidc_oauth_get_bearer_token: authorization header found
[auth_openidc:debug] [pid 2297802:tid 140017712215616] src/oauth.c(270): [client 1.2.3.4:5928] oidc_oauth_get_bearer_token: bearer token: eyJ0exxxxxxxxxxxxxxxxxxxx
[auth_openidc:debug] [pid 2297802:tid 140017712215616] src/http.c(123): [client 1.2.3.4:5928] oidc_http_hdr_in_get: Host=my.reverse-proxy.de
[auth_openidc:debug] [pid 2297802:tid 140017712215616] src/http.c(123): [client 1.2.3.4:5928] oidc_http_hdr_in_get: Host=my.reverse-proxy.de
[auth_openidc:debug] [pid 2297802:tid 140017712215616] src/util.c(792): [client 1.2.3.4:5928] oidc_get_absolute_url: determined absolute url: https://my.reverse-proxy.de/auth/
[auth_openidc:debug] [pid 2297802:tid 140017712215616] src/util.c(835): [client 1.2.3.4:5928] oidc_util_request_matches_url: comparing "/path/to/tomcat/endpoint"=="/auth/"
[auth_openidc:debug] [pid 2297802:tid 140017712215616] src/oauth.c(533): [client 1.2.3.4:5928] oidc_oauth_validate_jwt_access_token: enter: JWT access_token header={"typ":"JWT","nonce":"u426sjIDxbmmaf0CU","alg":"RS256","x5t":"5FtABcrobo4E7lBaVVGmgdJKQ2c","kid":"5FtABcrobo4E7lBaVVGmgdJKQ2c"}
[auth_openidc:debug] [pid 2297802:tid 140017712215616] src/util.c(1771): [client 1.2.3.4:5928] oidc_util_create_symmetric_key: key_len=40
[auth_openidc:debug] [pid 2297802:tid 140017712215616] src/oauth.c(552): [client 1.2.3.4:5928] oidc_oauth_validate_jwt_access_token: successfully parsed JWT with header: {"typ":"JWT","nonce":"u426sjIDxbmmaf0CU","alg":"RS256","x5t":"5FtABcrobo4E7lBaVVGmgdJKQ2c","kid":"5FtABcrobo4E7lBaVVGmgdJKQ2c"}
[auth_openidc:debug] [pid 2297802:tid 140017712215616] src/proto.c(659): [client 1.2.3.4:5928] oidc_proto_validate_iat: slack for JWT set < 0, do not enforce boundary check
[auth_openidc:debug] [pid 2297802:tid 140017712215616] src/oauth.c(563): [client 1.2.3.4:5928] oidc_oauth_validate_jwt_access_token: verify JWT against 0 statically configured public keys and 0 shared keys, with JWKs URI set to https://login.microsoftonline.com/XXXXX/discovery/v2.0/keys
[auth_openidc:debug] [pid 2297802:tid 140017712215616] src/metadata.c(646): [client 1.2.3.4:5928] oidc_metadata_jwks_get: enter, jwks_uri=https://login.microsoftonline.com/XXXXX/discovery/v2.0/keys, refresh=0
[auth_openidc:debug] [pid 2297802:tid 140017712215616] src/cache/common.c(291): [client 1.2.3.4:5928] oidc_cache_get: enter: https://login.microsoftonline.com/XXXXX/discovery/v2.0/keys (section=j, decrypt=0, type=shm)
[auth_openidc:debug] [pid 2297802:tid 140017712215616] src/cache/common.c(336): [client 1.2.3.4:5928] oidc_cache_get: cache hit: return 7902 bytes from shm cache backend for key https://login.microsoftonline.com/XXXXX/discovery/v2.0/keys
[auth_openidc:debug] [pid 2297802:tid 140017712215616] src/proto.c(789): [client 1.2.3.4:5928] oidc_proto_get_key_from_jwks: search for kid "5FtABcrobo4E7lBaVVGmgdJKQ2c" or thumbprint x5t "5FtABcrobo4E7lBaVVGmgdJKQ2c"
[auth_openidc:debug] [pid 2297802:tid 140017712215616] src/proto.c(843): [client 1.2.3.4:5928] oidc_proto_get_key_from_jwks: found matching kid: "5FtABcrobo4E7lBaVVGmgdJKQ2c" for jwk: {"use":"sig","kty":"RSA","kid":"5FtABcrobo4E7lBaVVGmgdJKQ2c","e":"AQAB","n":"04abc-.........-atQ"}
[auth_openidc:debug] [pid 2297802:tid 140017712215616] src/proto.c(909): [client 1.2.3.4:5928] oidc_proto_get_keys_from_jwks_uri: returning 1 key(s) obtained from the (possibly cached) JWKs URI
[auth_openidc:error] [pid 2297802:tid 140017712215616] [client 1.2.3.4:5928] oidc_proto_jwt_verify: JWT signature verification failed: [src/jose.c:1182: oidc_jwt_verify]: cjose_jws_verify failed: error:02000068:rsa routines::bad signature [file: jws.c, function: _cjose_jws_verify_sig_rs, line: 953]
[auth_openidc:error] [pid 2297802:tid 140017712215616] [client 1.2.3.4:5928] oidc_oauth_validate_jwt_access_token: JWT access token signature could not be validated, aborting
[auth_openidc:debug] [pid 2297802:tid 140017712215616] src/http.c(195): [client 1.2.3.4:5928] oidc_http_hdr_err_out_add: WWW-Authenticate: Bearer error="invalid_token", error_description="JWT token could not be validated"

cureton · 2024-08-30T12:02:52Z

cureton
Aug 30, 2024

I could be misguided here but I think the access token provided by azure is for your application to make requests back to Microsoft graph api and not to access you application api.

if you put your access token into jwt.io I am pretty sure the signature will not be correct. Only MS can validate the access token it provides.

As for answers to do what you are trying to do…I.e. access you api via curl I have the same question.

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Automating authentication in scripts #1240

{{title}}

{{editor}}'s edit

{{editor}}'s edit

Replies: 1 comment

{{title}}

Select a reply

Automating authentication in scripts #1240

alexhfmnn Aug 2, 2024

Replies: 1 comment

cureton Aug 30, 2024

alexhfmnn
Aug 2, 2024

cureton
Aug 30, 2024