Azure AD B2C MS Edge : com.nimbusds.jwt.proc.BadJWTException: Unexpected JWT nonce (nonce) claim


aniket warey

Jan 10, 2023, 6:48:30 AM
to Pac4j users mailing list
Hi ,

I'm getting this error constantly when I click on Sign-In of the IDP. Any clue what's going wrong? It's basically failing at the Callback step.

azureadb2c_login.png

error_accesscode.png

Error Log :
Caused by: com.nimbusds.jwt.proc.BadJWTException: Unexpected JWT nonce (nonce) claim: saDMyncSTuHY550M1tJtzVhxYiwiCU3JzN-37OX3BFw
    at com.nimbusds.openid.connect.sdk.validators.IDTokenClaimsVerifier.verify(IDTokenClaimsVerifier.java:252)
    at com.nimbusds.jwt.proc.DefaultJWTProcessor.verifyClaims(DefaultJWTProcessor.java:295)
    at com.nimbusds.jwt.proc.DefaultJWTProcessor.process(DefaultJWTProcessor.java:400)
    at com.nimbusds.openid.connect.sdk.validators.IDTokenValidator.validate(IDTokenValidator.java:321)
    at com.nimbusds.openid.connect.sdk.validators.IDTokenValidator.validate(IDTokenValidator.java:254)
    at org.pac4j.oidc.profile.creator.TokenValidator.validate(TokenValidator.java:108)
    at org.pac4j.oidc.profile.creator.OidcProfileCreator.create(OidcProfileCreator.java:94)
    ... 41 more


Here are other details that may help :
Application type : Java Web
Browser : MS Edge
IDP : Azure AD B2C
pac4j version : jee-pac4j 5.4.5
Security config:
final OidcConfiguration b2cConfiguration = new OidcConfiguration();
b2cConfiguration.setClientId(azureB2cClientId);
b2cConfiguration.setSecret(azureB2cClientSecret);
b2cConfiguration.setDiscoveryURI(azureB2cDiscovery);
b2cConfiguration.setUseNonce(true);
b2cConfiguration.setWithState(false);
b2cConfiguration.setScope(scope);
b2cConfiguration.setMaxClockSkew(60);
b2cConfiguration.setClientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_POST);
b2cConfiguration.setLogoutUrl(postLogoutUrl);
// Azure B2C Client
final OidcClient b2cClient = new OidcClient(b2cConfiguration);
b2cClient.setCallbackUrlResolver(new NoParameterCallbackUrlResolver());

Jérôme LELEU

Jan 11, 2023, 5:33:18 AM
to aniket warey, Pac4j users mailing list
Hi,

It seems that the nonce returned in the ID token is not the one you originally provided on the /authorize URL.

Can you try : b2cConfiguration.setUseNonce (false); ?

Thanks.
Best regards,
Jérôme



aniket warey

Jan 11, 2023, 6:11:59 AM
to Pac4j users mailing list
Here is what happens if I set the nonce flag to false. The callback doesn't take me to the originally requested URL, and just stops the chain. Plus there are no error logs now.
stuckAtcallback.png

Here is the entire configuration:
// Azure B2C configuration
final OidcConfiguration b2cConfiguration = new OidcConfiguration();
b2cConfiguration.setClientId(azureB2cClientId);
b2cConfiguration.setSecret(azureB2cClientSecret);
b2cConfiguration.setDiscoveryURI(azureB2cDiscovery);
b2cConfiguration.setUseNonce(false);
b2cConfiguration.setWithState(false);
b2cConfiguration.setScope(scope);
b2cConfiguration.setResponseMode("form_post");
// 60 secs
b2cConfiguration.setMaxClockSkew(60);
b2cConfiguration.setClientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_POST);
b2cConfiguration.setLogoutUrl(postLogoutUrl);

// Azure B2C Client
final OidcClient b2cClient = new OidcClient(b2cConfiguration);
// Using NoParameterCallbackUrlResolver, no client_name parameter is added to the callback URL,
// else pac4j will forcibly add one and it will result in a mismatch of the redirect URL with the IDP
b2cClient.setCallbackUrlResolver(new NoParameterCallbackUrlResolver());
// This is the name which is referred to in web.xml
b2cClient.setName("azureB2cClient");

final Clients clients = new Clients(redirectUrl, b2cClient);

final Config config = new Config(clients);
// Done to avoid CSRF checks
config.addAuthorizer("mustBeAuth", new IsAuthenticatedAuthorizer());
config.setAuthorizer(new IsAuthenticatedAuthorizer());

Jérôme LELEU

Jan 11, 2023, 6:15:37 AM
to aniket warey, Pac4j users mailing list
Hi,

OK. For Azure, you should generally use the PathParameterCallbackUrlResolver.

Use nonce again: b2cConfiguration.setUseNonce (true);

Can you check the nonce generated in the /authorize URL and the one provided in the ID token? Are they the same?

Thanks.
Best regards,
Jérôme




aniket warey

Jan 11, 2023, 7:22:03 AM
to Pac4j users mailing list
I'd like to go with the b2cConfiguration.setUseNonce (false); path really. The only thing stopping me from doing so is that the callback is not loading the originally requested URL. It instead loads a JS file, i.e. serviceWorker.js, so basically the browser opens up that JS file for the user.
wrongUrlRequested.png

And the browser ends up loading this JS file instead of taking the user to an actual page:

endsUpLoading.png

aniket warey

Jan 11, 2023, 7:41:08 AM
to Pac4j users mailing list
Or sometimes just this happens (with b2cConfiguration.setUseNonce (false);). Not sure why the Callback is not taking me to the requested action.
stuckAtcallback.png
Debugging hints that it will execute the action URL, but it doesn't, I guess.
callBackAction.png

aniket warey

Jan 11, 2023, 8:44:44 AM
to Pac4j users mailing list
With b2cConfiguration.setUseNonce (true); the nonce is the same in the authorize URL & token, but I'm still getting the error.

Nonce in authorise request:
nonceInAuthRequest.png

Nonce found in error log:
sameNonce.png

Maybe I'm not using the correct combination of jars (in terms of this JWT validation)?
jars.png

aniket warey

Jan 11, 2023, 9:31:33 AM
to Pac4j users mailing list
Now see the nonce in the authorise URL:

authoriseUrlNonce.png

Nonce in token (which is the same as in the authorise URL):
decodedTokenNonce.png

I think this is the place where the expected nonce goes wrong in pac4j during the callback:

expectedNonceGoingWrong.png


And ultimately, as the expected nonce & token nonce aren't the same, it fails here:

expectedNonce.png

Jérôme LELEU

Jan 12, 2023, 1:51:50 AM
to aniket warey, Pac4j users mailing list
Hi,

I think the nonce stored in session may be null which would generate a new one.

Can you check that (in OidcProfileCreator)?

Thanks.
Best regards,
Jérôme
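The nonce binding discussed in this thread (the nonce sent on the /authorize URL is kept in the session and compared with the ID token's nonce claim at the callback), as an added example that is not part of this thread or of pac4j's code. It models the check in Python with placeholder hostnames and client id, and shows why a callback arriving in a session that has no stored nonce must be rejected rather than given a freshly generated one.

```python
import hmac
import secrets
from urllib.parse import urlencode, urlparse, parse_qs
# Constructed model of the OIDC nonce round trip (example code, not pac4j's own): the RP mints
# a nonce, binds it to the browser session, sends it on /authorize, and at the callback compares
# it with the ID token's nonce claim. Hostnames and the client id are placeholders.

class NonceMismatch(Exception):
    """The ID token cannot be bound to the session that started the login."""

def build_authorize_url(session: dict, client_id: str, redirect_uri: str) -> str:
    # One fresh, unguessable nonce per login attempt, kept server-side in the session.
    nonce = secrets.token_urlsafe(32)
    session["oidc_nonce"] = nonce
    params = {"response_type": "code", "client_id": client_id, "redirect_uri": redirect_uri,
              "scope": "openid", "nonce": nonce}
    return "https://b2c.example.invalid/authorize?" + urlencode(params)

def nonce_from_url(url: str) -> str:
    # What the IdP echoes back in the ID token is the nonce it received on /authorize.
    return parse_qs(urlparse(url).query)["nonce"][0]

def verify_id_token_nonce(session: dict, id_token_claims: dict) -> str:
    # Single use: the stored nonce is consumed whether or not the check passes.
    expected = session.pop("oidc_nonce", None)
    if expected is None:
        # Fail closed. Minting a replacement nonce here would guarantee the mismatch
        # seen in this thread and would silently drop the session binding.
        raise NonceMismatch("no nonce in session: callback is not bound to a started login")
    actual = id_token_claims.get("nonce")
    if not isinstance(actual, str) or not hmac.compare_digest(expected, actual):
        raise NonceMismatch(f"Unexpected JWT nonce (nonce) claim: {actual}")
    return actual

def run_scenarios() -> dict:
    # Constructed callbacks; the claims dict stands in for the signature-checked ID token.
    cid, cb, results = "client-id-placeholder", "https://rp.example.invalid/callback", {}
    session = {}                                                  # 1. same session on both legs
    url = build_authorize_url(session, cid, cb)
    results["same_session"] = verify_id_token_nonce(session, {"nonce": nonce_from_url(url)})
    url = build_authorize_url({}, cid, cb)                        # 2. session lost before callback
    session = {}                                                  # 3. token from another login
    build_authorize_url(session, cid, cb)
    for name, sess, claims in (("lost_session", {}, {"nonce": nonce_from_url(url)}),
                               ("replayed", session, {"nonce": "nonce-from-another-login"})):
        try:
            verify_id_token_nonce(sess, claims)
            results[name] = "accepted"
        except NonceMismatch as exc:
            results[name] = str(exc)
    return results
```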


aniket warey

Jan 12, 2023, 5:39:35 AM
to Pac4j users mailing list
Yep, that could be the reason it is getting a new nonce. Note that this doesn't happen every time; it happens randomly, so not sure.
In the end, I turned nonce off (b2cConfiguration.setUseNonce (false);) and made some changes to DefaultSavedRequestHandler to handle the JS file being loaded by the browser & the form action not being submitted. Basically, I use the default URL every time.
defaulturl.png

aniket warey

Jan 12, 2023, 5:40:01 AM
to Pac4j users mailing list
Thanks Jérôme for guiding me with this. Really appreciated.