Is Azure AD B2C Supported in CAS 6.6.8?


Pablo Vidaurri

Aug 3, 2023, 10:33:47 PM
to CAS Community
Not sure if there is a difference between Azure AD and Azure AD B2C. Is B2C supported in CAS 6.6.8?

Looking at integrating with Azure AD B2C via my custom login page. I see a connection being made, but always with the same error message. It feels like I need to define some attributes that are not supported until CAS 7.0.

cas.authn.azure-active-directory.client-secret=xxxx
cas.authn.azure-active-directory.tenant=xxx
cas.authn.azure-active-directory.scope=xxx

Error message:
2023-08-03 17:21:59,481 TRACE [org.apereo.cas.azure.ad.authentication.AzureActiveDirectoryAuthenticationHandler] - <Fetching token for [x...@xxxx.com]>
2023-08-03 17:21:59,493 DEBUG [org.apereo.cas.azure.ad.authentication.AzureActiveDirectoryAuthenticationHandler] - <Acquiring token for resource [https://graph.microsoft.com/] and client id [xxxxx] for user [x...@xxxxx.com]>
2023-08-03 17:22:00,192 ERROR [com.microsoft.aad.adal4j.AuthenticationContext] - <[Correlation ID: xxxxx] Execution of class com.microsoft.aad.adal4j.AcquireTokenCallable failed.>
com.microsoft.aad.adal4j.AuthenticationException: {"trace_id":"xxx","error_description":"AADSTS50034: The user account {EmailHidden} does not exist in the xxxxx.com directory. To sign into this application, the account must be added to the directory.Trace ID: xxxx Correlation ID: xxxxx Timestamp: 2023-08-03 22:22:00Z","correlation_id":"xxxxx","error":"invalid_grant","error_uri":"https:\/\/login.microsoftonline.com\/error?code=50034","timestamp":"2023-08-03 22:22:00Z"}
at com.microsoft.aad.adal4j.AdalTokenRequest.executeOAuthRequestAndProcessResponse(AdalTokenRequest.java:128) ~[adal4j-1.6.7.jar!/:1.6.7]
at com.microsoft.aad.adal4j.AuthenticationContext.acquireTokenCommon(AuthenticationContext.java:930) ~[adal4j-1.6.7.jar!/:1.6.7]
at com.microsoft.aad.adal4j.AcquireTokenCallable.execute(AcquireTokenCallable.java:70) ~[adal4j-1.6.7.jar!/:1.6.7]
at com.microsoft.aad.adal4j.AcquireTokenCallable.execute(AcquireTokenCallable.java:38) ~[adal4j-1.6.7.jar!/:1.6.7]
at com.microsoft.aad.adal4j.AdalCallable.call(AdalCallable.java:47) ~[adal4j-1.6.7.jar!/:1.6.7]
at java.util.concurrent.FutureTask.run(FutureTask.java:264) ~[?:?]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128) ~[?:?]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628) ~[?:?]
at java.lang.Thread.run(Thread.java:834) ~[?:?]

Pablo Vidaurri

Aug 9, 2023, 3:50:18 PM
to CAS Community, Pablo Vidaurri
Still having an issue. Trying to figure out if it's a config issue on CAS side or a setup issue on Azure AD side.

We are spinning up a new instance of Azure AD B2C. I was given an endpoint with an example payload to use to verify user credentials. Using Postman, that API works. But it does not appear CAS is doing the same.
 
API used via postman where b2c_xxx_ropc is the user policy flow:

POST /b2cxyz.xxxx.xxx/b2c_xxx_ropc/oauth2/v2.0/token HTTP/1.1
Host: xxxxxxx.b2clogin.com
Content-Type: application/x-www-form-urlencoded

body:
grant_type:password
scope:openid <my-client-id>
username:some...@mydomain.com
password:myPwd123
client_id:<my-client-id>
response_type:token id_token

I get back a token. Now trying with CAS:

For CAS, I'm using the config below for Azure AD:
cas.authn.azure-active-directory.client-id=<my-client-id>
cas.authn.azure-active-directory.login-url=https://xxxxxxx.b2clogin.com/b2cxyz.xxxx.xxx/b2c_xxx_ropc/oauth2/v2.0/token

Message in log:
[Invalid credentials: com.microsoft.aad.adal4j.AuthenticationException: Server returned HTTP response code: 404 for URL : https:// xxxxxxx.b2clogin.com/common/userrealm/someuser@ .com?api-version=1.0, Error details : The resource you are looking for has been removed, had its name changed, or is temporarily unavailable.].>

Any assistance would be appreciated.

-psv
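The ROPC request from the post above, as an added example (Python, not CAS's or the poster's code): it issues the same POST with urllib and sorts the reply into the outcomes seen in this thread (a token, an AADSTS error code such as the 50034 from the first post, or a non-JSON 404 page like the one returned for the /common/userrealm path). The host, tenant, policy and client id are placeholders standing in for the redacted values.

```python
import json
import re
import urllib.error
import urllib.parse
import urllib.request
# Placeholders mirroring the redacted values in the thread (assumptions, not real).
B2C_HOST = "xxxxxxx.b2clogin.com"
B2C_TENANT = "b2cxyz.xxxx.xxx"
ROPC_POLICY = "b2c_xxx_ropc"
# Constructed sample of the AADSTS error body quoted in the thread (trimmed).
SAMPLE_AADSTS_ERROR = ('{"error":"invalid_grant","error_description":"AADSTS50034: '
                       'The user account {EmailHidden} does not exist in the xxxxx.com directory."}')

def ropc_token_url(host, tenant, policy):
    # B2C token endpoint for a user-flow (policy) based ROPC request.
    return f"https://{host}/{tenant}/{policy}/oauth2/v2.0/token"

def ropc_form_body(client_id, username, password):
    # Same fields as the Postman request above, as application/x-www-form-urlencoded.
    return urllib.parse.urlencode({
        "grant_type": "password",
        "scope": f"openid {client_id}",
        "username": username,
        "password": password,
        "client_id": client_id,
        "response_type": "token id_token",
    })

def classify_response(status, body):
    """Map a token-endpoint reply to (outcome, detail): 'token', 'aadsts' (code from
    error_description), 'http_error' (non-JSON, e.g. a 404 page) or 'unknown'."""
    try:
        data = json.loads(body)
    except ValueError:
        return ("http_error", status)
    if "access_token" in data or "id_token" in data:
        return ("token", sorted(k for k in data if k.endswith("_token")))
    if m := re.match(r"(AADSTS\d+)", data.get("error_description", "")):
        return ("aadsts", m.group(1))
    return ("unknown", data.get("error", status))

def request_token(url, form_body, timeout=10):
    # Live POST; returns (status, body) instead of raising on 4xx/5xx.
    req = urllib.request.Request(url, data=form_body.encode(), method="POST",
                                 headers={"Content-Type": "application/x-www-form-urlencoded"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode()
```

Comparing this request and its classified reply with what CAS actually sends on the wire separates an Azure-side setup problem from a CAS-side configuration problem.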

Ray Bon

Aug 9, 2023, 4:44:11 PM
to cas-...@apereo.org, psvid...@gmail.com
Pablo,

This logger may help:

<!-- DEBUG outbound and inbound headers and response as it is sent -->
<AsyncLogger name="org.apache.http.wire" level="debug" />

Ray

On Wed, 2023-08-09 at 12:12 -0700, Pablo Vidaurri wrote:

com.microsoft.aad.adal4j.AuthenticationException: {"trace_id":"xxx","error_description":"AADSTS50034: The user account {EmailHidden} does not exist in thexxxxx.com directory. To sign into this application, the account must be added to the directory.Trace ID: xxxx Correlation ID: xxxxx Timestamp: 2023-08-03 22:22:00Z","correlation_id":"xxxxx","error":"invalid_grant","error_uri":"https:\/\/login.microsoftonline.com\/error?code=50034","timestamp":"2023-08-03 22:22:00Z"}