Azure Active Directory IdP Bearer error="invalid_token", error_description="JWT token could not be validated"

[bmichaud]

I am running Apache in the official Docker container with mod_auth_openiodc installed and configured. I am trying to validate a token from the client web application, generated by our corporate AD in Azure. The token is seen and parsed by mod_auth_openidc, but is somehow not able to validate the token.

Here is the configuration:
I have tried a few variations here. Including the client secret does not help. Using the tenant ID in the metadata URL does not help either.

<IfModule auth_openidc_module>
    OIDCProviderMetadataURL https://login.microsoftonline.com/common/.well-known/openid-configuration
    #OIDCProviderMetadataURL https://login.microsoftonline.com/${AUTHN_TENANT_ID}/.well-known/openid-configuration
    #OIDCProviderMetadataURL https://sts.windows.net/${AUTHN_TENANT_ID}/.well-known/openid-configuration
    OIDCRedirectURI ${AUTHN_REDIRECT_URI}
    OIDCClientID ${AUTHN_CLIENT_ID}
    OIDCClientSecret ${AUTHN_CLIENT_SECRET}
    #OIDCProviderJwksUri https://login.microsoftonline.com/${AUTHN_TENANT_ID}/discovery/keys?appid=${AUTHN_CLIENT_ID}
    OIDCCryptoPassphrase ${AUTHN_CRYPTO_PASSWORD}
    OIDCRemoteUserClaim upn
    OIDCScope "openid email profile"
    OIDCProviderTokenEndpointAuth bearer_access_token
#    OIDCProviderTokenEndpointAuth client_secret_jwt
#    OIDCTokenBindingPolicy disabled
#    OIDCIDTokenSignedResponseAlg RS256
</IfModule>

...

    ProxyPass "/api"  "balancer://uxapi"
    ProxyPassReverse "/api"  "balancer://uxapi"
    <Proxy balancer://uxapi>
        AuthType auth-openidc
        <If "%{QUERY_STRING} =~ /.*info=json.*/" >
            Require claim aud:${AUTHN_CLIENT_ID}
        </If>
        <Else>
            Require valid-user
        </Else>
        OIDCUnAuthAction 401

...
    </Proxy>

Here is the error log output:

[Wed Mar 30 20:38:57.800426 2022] [authz_core:debug] [pid 9:tid 140588993189632] mod_authz_core.c(815): [client 10.XX.XX.XX:56556] AH01626: authorization result of Require valid-user : denied (no authenticated user yet), referer: https://test.myhost.net/
[Wed Mar 30 20:38:57.800449 2022] [authz_core:debug] [pid 9:tid 140588993189632] mod_authz_core.c(815): [client 10.XX.XX.XX:56556] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet), referer: https://test.myhost.net/
[Wed Mar 30 20:38:57.800465 2022] [auth_openidc:debug] [pid 9:tid 140588993189632] src/mod_auth_openidc.c(3889): [client 10.XX.XX.XX:56556] oidc_check_user_id: incoming request: "/api/[email protected]", ap_is_initial_req(r)=1, referer: https://test.myhost.net/
[Wed Mar 30 20:38:57.800521 2022] [auth_openidc:debug] [pid 9:tid 140588993189632] src/oauth.c(207): [client 10.XX.XX.XX:56556] oidc_oauth_get_bearer_token: accept_token_in=0, referer: https://test.myhost.net/
[Wed Mar 30 20:38:57.800557 2022] [auth_openidc:debug] [pid 9:tid 140588993189632] src/util.c(2521): [client 10.XX.XX.XX:56556] oidc_util_hdr_in_get: Authorization=Bearer <token-string-here>, referer: https://test.myhost.net/
[Wed Mar 30 20:38:57.800597 2022] [auth_openidc:debug] [pid 9:tid 140588993189632] src/oauth.c(221): [client 10.XX.XX.XX:56556] oidc_oauth_get_bearer_token: authorization header found, referer: https://test.myhost.net/
[Wed Mar 30 20:38:57.800611 2022] [auth_openidc:debug] [pid 9:tid 140588993189632] src/oauth.c(303): [client 10.XX.XX.XX:56556] oidc_oauth_get_bearer_token: bearer token: <token-string-here>, referer: https://test.myhost.net/
[Wed Mar 30 20:38:57.800648 2022] [auth_openidc:debug] [pid 9:tid 140588993189632] src/util.c(1388): [client 10.XX.XX.XX:56556] oidc_util_request_matches_url: comparing "/api/users"=="(null)", referer: https://test.myhost.net/
[Wed Mar 30 20:38:57.800703 2022] [auth_openidc:debug] [pid 9:tid 140588993189632] src/oauth.c(585): [client 10.XX.XX.XX:56556] oidc_oauth_validate_jwt_access_token: enter: JWT access_token header={"typ":"JWT","alg":"RS256","kid":"<kid-string-here>"}, referer: https://test.myhost.net/
[Wed Mar 30 20:38:57.800730 2022] [auth_openidc:debug] [pid 9:tid 140588993189632] src/util.c(2288): [client 10.XX.XX.XX:56556] oidc_util_create_symmetric_key: key_len=37, referer: https://test.myhost.net/
[Wed Mar 30 20:38:57.801215 2022] [auth_openidc:debug] [pid 9:tid 140588993189632] src/oauth.c(606): [client 10.XX.XX.XX:56556] oidc_oauth_validate_jwt_access_token: successfully parsed JWT with header: {"typ":"JWT","alg":"RS256","kid":"<kid-string-here>"}, referer: https://test.myhost.net/
[Wed Mar 30 20:38:57.801240 2022] [auth_openidc:debug] [pid 9:tid 140588993189632] src/proto.c(1251): [client 10.XX.XX.XX:56556] oidc_proto_validate_iat: slack for JWT set < 0, do not enforce boundary check, referer: https://test.myhost.net/
[Wed Mar 30 20:38:57.801245 2022] [auth_openidc:debug] [pid 9:tid 140588993189632] src/util.c(2811): [client 10.XX.XX.XX:56556] oidc_util_json_validate_cnf: enter: policy=optional, referer: https://test.myhost.net/
[Wed Mar 30 20:38:57.801249 2022] [auth_openidc:debug] [pid 9:tid 140588993189632] src/util.c(2819): [client 10.XX.XX.XX:56556] oidc_util_json_validate_cnf: no "cnf" claim found in the token, referer: https://test.myhost.net/
[Wed Mar 30 20:38:57.801252 2022] [auth_openidc:debug] [pid 9:tid 140588993189632] src/oauth.c(619): [client 10.XX.XX.XX:56556] oidc_oauth_validate_jwt_access_token: verify JWT against 0 statically configured public keys and 0 shared keys, with JWKs URI set to (null), referer: https://test.myhost.net/
[Wed Mar 30 20:38:57.801257 2022] [auth_openidc:debug] [pid 9:tid 140588993189632] src/proto.c(1561): [client 10.XX.XX.XX:56556] oidc_proto_jwt_verify: "jwks_uri" is not set, signature validation will only be performed against statically configured keys, referer: https://test.myhost.net/
[Wed Mar 30 20:38:57.801287 2022] [auth_openidc:error] [pid 9:tid 140588993189632] [client 10.XX.XX.XX:56556] oidc_proto_jwt_verify: JWT signature verification failed: [src/jose.c:986: oidc_jwt_verify]: could not find key with kid: <kid-string-here>, referer: https://test.myhost.net/
[Wed Mar 30 20:38:57.801344 2022] [auth_openidc:error] [pid 9:tid 140588993189632] [client 10.XX.XX.XX:56556] oidc_oauth_validate_jwt_access_token: JWT access token signature could not be validated, aborting, referer: https://test.myhost.net/
[Wed Mar 30 20:38:57.801404 2022] [auth_openidc:debug] [pid 9:tid 140588993189632] src/util.c(2599): [client 10.XX.XX.XX:56556] oidc_util_hdr_err_out_add: WWW-Authenticate: Bearer error="invalid_token", error_description="JWT token could not be validated", referer: https://test.myhost.net/
[Wed Mar 30 20:38:58.293237 2022] [ssl:debug] [pid 9:tid 140589018367744] ssl_engine_kernel.c(415): [client 10.XX.XX.XX:56556] AH02034: Subsequent (No.2) HTTPS request received for child 71 (server test.myhost.net:443), referer: https://test.myhost.net/
[Wed Mar 30 20:38:58.293336 2022] [authz_core:debug] [pid 9:tid 140589018367744] mod_authz_core.c(815): [client 10.XX.XX.XX:56556] AH01626: authorization result of Require valid-user : denied (no authenticated user yet), referer: https://test.myhost.net/
[Wed Mar 30 20:38:58.293350 2022] [authz_core:debug] [pid 9:tid 140589018367744] mod_authz_core.c(815): [client 10.XX.XX.XX:56556] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet), referer: https://test.myhost.net/

I was able to write a Python script that is able to parse and validate the token completely using the generic metadata url, the client ID and the token, so the secret should not be necessary, and the keys can be retrieved from the key discovery URL.

Here is the Python script:

import sys
import jwt
import json
import requests
from cryptography.hazmat.primitives._serialization import Encoding, PublicFormat
from cryptography.x509 import load_pem_x509_certificate
from cryptography.hazmat.backends import default_backend

PEM_START = '-----BEGIN CERTIFICATE-----\n'
PEM_END = '\n-----END CERTIFICATE-----\n'


# get Microsoft Azure public key
def format_key(key):
    n = 64
    chunks = [key[i:i + n] for i in range(0, len(key), n)]
    return "\n".join(chunks)


def get_public_key_for_token(kid):
    print(f"kid: [{kid}]")
    response = requests.get(
        'https://login.microsoftonline.com/common/.well-known/openid-configuration',
    ).json()

    jwks_uri = response['jwks_uri']
    print(f"\njwks_uri: [{jwks_uri}]")
    response_keys = requests.get(jwks_uri).json()
    pubkeys = response_keys['keys']

    public_key = ''

    for key in pubkeys:
        # found the key that matching the kid in the token header
        print(f"\nkey: \n{json.dumps(key, indent=2)}")
        # construct the public key object
        mspubkey = format_key(str(key['x5c'][0]))
        cert_str = PEM_START + mspubkey + PEM_END
        print(f"\ncert_str: [{cert_str}]")
        if key['kid'] == kid:
            cert_obj = load_pem_x509_certificate(bytes(cert_str, 'utf-8'), default_backend())
            public_key = cert_obj.public_key()

    print(f"public_key: [{public_key}]")
    return public_key


jwt_options = {
    'verify_signature': True,
    'verify_exp': True,
    'verify_nbf': True,
    'verify_iat': True,
    'verify_aud': True
}


# decode the given Azure AD access token
def aad_access_token_decoder(client_id, access_token):
    header = jwt.get_unverified_header(access_token)
    public_key = get_public_key_for_token(header['kid'])
    decoded = jwt.decode(access_token,
                         key=public_key.public_bytes(Encoding.PEM, PublicFormat.SubjectPublicKeyInfo),
                         algorithms='RS256', options=jwt_options, audience=client_id)
    print("\n-----------------------\nParsed-out keys:\n-----------------------")
    for key in decoded.keys():
        print(key + ': ' + str(decoded[key]))


USAGE = sys.argv[0] + ' <CLIENT_ID> <JWT_ACCESS_TOKEN>'


def main():
    if len(sys.argv) < 3:
        print(USAGE)
        exit(1)
    client_id = sys.argv[1]
    print(f"\nClient ID: [{client_id}]")
    token = sys.argv[2]
    print(f"\nToken: [{token}]")
    aad_access_token_decoder(client_id, token)


if __name__ == "__main__":
    main()

This is the Dockerfile for this proxy:

FROM httpd:2.4
WORKDIR /app
COPY conf/httpd.conf /usr/local/apache2/conf/httpd.conf
RUN apt -qq update && apt -yq install libapache2-mod-auth-openidc

[zandbelt]

since you're using OAuth 2.0 RS functionality (mixed with OpenID Connect functionality, through AuthType auth-openidc) you'll need to set OIDCOAuthServerMetadataURL to configure the OAuth 2.0 settings in addition to OIDCProviderMetadataURL, the latter configuring only the OpenID Connect side of things

[bmichaud]

The certificate chain file is set for the SSL Module, but it looks like I have to configure that for this module as well?

[bmichaud]

I don't see either CAfile or CApath in the https://github.com/zmartzone/mod_auth_openidc/blob/master/auth_openidc.conf

[zandbelt]

https://github.com/zmartzone/mod_auth_openidc/blob/master/auth_openidc.conf#L145-L147

[bmichaud]

Woohoo! It appears to be working now. Thanks!

[Wed Mar 30 22:00:40.574885 2022] [authz_core:debug] [pid 10:tid 140480453011200] mod_authz_core.c(815): [client 10.XX.XX.XX:46070] AH01626: authorization result of Require valid-user : granted, referer: https://pilot.myhost.net/
[Wed Mar 30 22:00:40.574888 2022] [authz_core:debug] [pid 10:tid 140480453011200] mod_authz_core.c(815): [client 10.XX.XX.XX:46070] AH01626: authorization result of <RequireAny>: granted, referer: https://pilot.myhost.net/

[bmichaud]

The app is still not working, but at least now I'm over that hurdle.