CAS delegated auth - AzureAD

Catalin

Oct 23, 2023, 8:45:31 AM
to CAS Community
Hi,

I'm trying to delegate auth to Azure AD in CAS 6.6.13.
It seems to delegate the auth to Azure; the login is done, but afterwards it fails when trying to decode the returned JWT.

here's the error:

: [DelegatedClientAuthenticationHandler]: [org.pac4j.core.exception.TechnicalException: com.nimbusds.jose.proc.BadJOSEException: Signed JWT rejected: Another algorithm expected, or no matching key(s) found / com.nimbusds.jose.proc.BadJOSEException: Signed JWT rejected: Another algorithm expected, or no matching key(s) found]

This happens because the signing keys do not match: in Azure there are some common keys, and there seem to be some client-specific keys.
In the case of client-specific signing keys, the discovery URL should look like this:

https://login.microsoftonline.com/<tenantID>/.well-known/openid-configuration?appid=<clientID>

As you can see, there is the appid parameter at the end. Here's some Azure explanation of why the keys are app-specific: https://learn.microsoft.com/en-us/answers/questions/1163810/where-can-i-find-the-jwks-uri-for-azure-ad

I obviously tried to add the discovery-url from cas.properties, but from what I have debugged, the value is hardcoded in:

org.pac4j.oidc.config.AzureAdOidcConfiguration

Code snippet below:

    @Override
    public String getDiscoveryURI() {
        return "https://login.microsoftonline.com/" + tenant + "/.well-known/openid-configuration";
    }

I also checked the latest pac4j sources, and the code is similar.

Here are the CAS properties that I added in order to enable this delegation:
cas.authn.pac4j.oidc[0].azure.tenant=tenantID
cas.authn.pac4j.oidc[0].azure.id=clientID
cas.authn.pac4j.oidc[0].azure.secret=secret
cas.authn.pac4j.oidc[0].azure.client-name=Azure
cas.authn.pac4j.oidc[0].azure.display-name=Azure Login
cas.authn.pac4j.oidc[0].azure.principal-attribute-id=name
cas.authn.pac4j.oidc[0].azure.callback-url=http://localhost:81/cas/login?client_name=Azure
cas.authn.pac4j.oidc[0].azure.discovery-uri=https://login.microsoftonline.com/tenantID/.well-known/openid-configuration?appid=clientID

So is this a limitation in pac4j? Is there any easy way to override that discovery URL? I was thinking of trying something with Byte Buddy.

Any suggestions appreciated

thanks
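An added example (not code from this thread, nor from pac4j or CAS) that reproduces the key mismatch described above offline in Python: it builds the discovery URL with and without the appid parameter, decodes the token's JOSE header, and checks whether the header's kid appears in the key set that URL would lead to. The tenant, client ID, key IDs and token are constructed sample values, and the JWKS documents are embedded instead of fetched.

```python
import base64
import json
from urllib.parse import urlencode

AZURE_BASE = "https://login.microsoftonline.com/"

def discovery_uri(tenant, appid=None):
    """Discovery URL as pac4j builds it (no appid), or with the appid
    parameter that makes Azure AD publish the app-specific signing keys."""
    uri = f"{AZURE_BASE}{tenant}/.well-known/openid-configuration"
    return uri + ("?" + urlencode({"appid": appid}) if appid else "")

def _b64url(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def jwt_header(token):
    """Decode the JOSE header of a compact JWT (no signature check here)."""
    seg = token.split(".")[0]
    return json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))

def find_signing_key(token, jwks):
    """Return the JWK whose kid (and alg, if published) match the token
    header, or None: the 'no matching key(s) found' case from the error."""
    hdr = jwt_header(token)
    for key in jwks["keys"]:
        if key.get("kid") == hdr.get("kid") and \
                key.get("alg", hdr.get("alg")) == hdr.get("alg"):
            return key
    return None

# Constructed sample data (all values made up): the tenant-wide JWKS behind
# the hardcoded discovery URL, and the app-specific JWKS behind ?appid=.
COMMON_JWKS = {"keys": [{"kty": "RSA", "use": "sig", "kid": "common-key-1"}]}
APP_JWKS = {"keys": [{"kty": "RSA", "use": "sig", "kid": "app-key-7"}]}
JWKS_BY_DISCOVERY = {
    discovery_uri("tenantID"): COMMON_JWKS,
    discovery_uri("tenantID", "clientID"): APP_JWKS,
}
# A constructed ID token notionally signed with the app-specific key.
SAMPLE_TOKEN = ".".join([
    _b64url({"typ": "JWT", "alg": "RS256", "kid": "app-key-7"}),
    _b64url({"sub": "user", "aud": "clientID"}),
    "fake-signature",
])

def diagnose(token, tenant, appid=None, jwks_by_discovery=JWKS_BY_DISCOVERY):
    """Which key set a client using this discovery URL would fetch, and
    whether the token's kid is found in it."""
    uri = discovery_uri(tenant, appid)
    return find_signing_key(token, jwks_by_discovery[uri]) is not None, uri

if __name__ == "__main__":
    for appid in (None, "clientID"):
        ok, uri = diagnose(SAMPLE_TOKEN, "tenantID", appid)
        print(f"{uri}\n  kid matched: {ok}")
```

Against a real tenant, the same check can be run by fetching the two discovery documents, following their jwks_uri, and comparing the kid from the rejected token's header with both key sets.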

Pablo Vidaurri

Oct 24, 2023, 8:18:42 PM
to CAS Community, Catalin
Wow, perfect timing. I was about to ask if the discovery URL is the only URL that needs to be allowed through our firewall, because fudging out the one in my cas.properties did not seem to make a difference. Thanks for pointing out it is hardcoded and based on the tenant ID. It explains why it's working on my localhost but not in our DMZ.

I'm not sure why your query param is "appid". Mine is "client_name". I also use the following:
cas.authn.pac4j.oidc[0].azure.callback-url-type=PATH_PARAMETER
as I read in Azure AD config that it does not like query params in the redirect URL.

I have also had to comment out these 3 lines; Azure was returning the wrong token, and it turns out the default settings are enough for me. Maybe you are trying to parse the wrong token (user token instead of authorization token). Also note the scope I use.
#cas.authn.pac4j.oidc[0].azure.response-mode=form_post
#cas.authn.pac4j.oidc[0].azure.response-type=id_token
#cas.authn.pac4j.oidc[0].azure.response-type=code
cas.authn.pac4j.oidc[0].azure.scope=openid profile email

Catalin

Oct 25, 2023, 6:15:01 AM
to CAS Community, Pablo Vidaurri, Catalin

I suppose it is because there are specific claims, and I can confirm that.

It does not matter in the end which JWT, access or ID, since it fails to validate them.

Azure works fine with the above configuration (with the discovery URL with appid) if used with the Spring Boot OAuth2 resource server or client.
I did that, and it fails with the same error, that it fails to validate the token due to the signatures not matching, so when I tried it with CAS/Azure the error was known to me since I had tried it first with Spring Boot.