Failing to get OIDC auth working with Azure AD

1,022 views

Stuart Clark

Sep 23, 2019, 1:12:02 PM
to Vault
Hi all,

I'm trying to get OIDC authentication working using Azure AD. I've been following the details at https://www.vaultproject.io/docs/auth/jwt_oidc_providers.html but every time I try to log in I'm seeing the following error:

Token verification failed. error validating signature: failed to verify signature: failed to verify id token signature

Does anyone have any clues on what to try or look at to debug further as I'm struggling a bit...

Thanks

Julian Lyndon-Smith

Sep 23, 2019, 2:24:23 PM
to vault...@googlegroups.com
I'm sure that I had this problem - try and make sure that the callback URL in the API call is identical to the one defined in Azure AD.

--
This mailing list is governed under the HashiCorp Community Guidelines - https://www.hashicorp.com/community-guidelines.html. Behavior in violation of those guidelines may result in your removal from this mailing list.
 
GitHub Issues: https://github.com/hashicorp/vault/issues
IRC: #vault-tool on Freenode
---
You received this message because you are subscribed to the Google Groups "Vault" group.
To unsubscribe from this group and stop receiving emails from it, send an email to vault-tool+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/vault-tool/4cc53f30-cc0d-4627-a9af-185079f3bbcb%40googlegroups.com.

Stuart Clark

Sep 24, 2019, 11:40:51 AM
to vault...@googlegroups.com, Julian Lyndon-Smith
On 2019-09-23 19:24, Julian Lyndon-Smith wrote:
> I'm sure that I had this problem - try and make sure that the callback
> url in the api call
> is identical to the one defined in azure ad
>

OK. So I've figured out the problem, but now totally stumped about what
to do about it.

I did some digging and confirmed that signature validation was failing
because it couldn't find the signing key. It turns out that Azure AD can
use per-application custom signing keys. To access those you have to
adjust the discovery URL by adding an appid=xxx parameter.

https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-protocols-oidc#fetch-the-openid-connect-metadata-document

"If your app has custom signing keys as a result of using the
claims-mapping feature, you must append an appid query parameter
containing the app ID in order to get a jwks_uri pointing to your app's
signing key information. For example:
https://login.microsoftonline.com/{tenant}/.well-known/v2.0/openid-configuration?appid=6731de76-14a6-49ae-97bc-6eba6914391e
contains a jwks_uri of
https://login.microsoftonline.com/{tenant}/discovery/v2.0/keys?appid=6731de76-14a6-49ae-97bc-6eba6914391e."

Doing that then gives me a slightly different jwks_url which contains
the correct signing key.

The problem is now how to overcome this issue.

1. Looking through the Vault code it looks like there's no way to add
the extra parameter (the library just takes the base URL and tacks on
the .well-known bit to the end), nor a way to manually supply the
jwks_url in addition to the discovery URL.

2. The documentation suggests that the use of custom signing keys is
because of the claims-mapping feature. Unfortunately I can't see if
there's a way of switching this off for this app, so currently I'm stuck
with this custom signing key.

Has anyone else encountered this in Azure AD?

Could Vault maybe allow the override of the jwks_url?

--
Stuart Clark
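The diagnosis above (the kid in the ID token's header is absent from the tenant-wide JWKS and only appears in the app-specific one reached via ?appid=) can be reproduced offline with the following script. This is an added example, not code from the thread, from Vault or from go-oidc; it uses only the Python standard library, and every "fetched" document is constructed inline: the tenant ID is a placeholder, the app ID is the one from the Microsoft doc quoted above, and fake_fetch stands in for an HTTPS GET. It checks key lookup only, not the RS256 signature itself.

```python
"""Check whether the signing key named by an ID token's kid can be found via
OIDC discovery, with and without Azure AD's ?appid= parameter.
Stdlib only; all "network" data below is constructed, not real Azure output."""
import base64
import json
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Placeholder tenant; the appid is the one from the Microsoft doc quoted above.
TENANT = "00000000-0000-0000-0000-000000000000"
APPID = "6731de76-14a6-49ae-97bc-6eba6914391e"
ISSUER = f"https://login.microsoftonline.com/{TENANT}/v2.0"
KEYS_URL = f"https://login.microsoftonline.com/{TENANT}/discovery/v2.0/keys"


def with_query_param(url, name, value):
    """Return url with ?name=value added or replaced, keeping other params."""
    parts = urlsplit(url)
    query = dict(parse_qsl(parts.query, keep_blank_values=True))
    query[name] = value
    return urlunsplit(parts._replace(query=urlencode(query)))


def discovery_url(issuer, appid=None):
    """Issuer + the .well-known suffix, which is all the OIDC client appends;
    the appid parameter is the extra step Azure AD needs for per-app keys."""
    url = issuer.rstrip("/") + "/.well-known/openid-configuration"
    return with_query_param(url, "appid", appid) if appid else url


def b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_header(token):
    """Decode the JOSE header of a compact JWT. No verification is done here."""
    return json.loads(b64url_decode(token.split(".")[0]))


def find_signing_key(header, jwks):
    """Return the JWK whose kid matches the token header, or None.
    None is the condition behind 'failed to verify id token signature'."""
    for key in jwks.get("keys", []):
        if key.get("kid") == header.get("kid") and key.get("use", "sig") == "sig":
            return key
    return None


def locate_key(token, issuer, fetch, appid=None):
    """Follow discovery -> jwks_uri -> JWKS -> kid, as an OIDC client does.
    Returns (jwks_uri, key or None)."""
    metadata = fetch(discovery_url(issuer, appid))
    jwks_uri = metadata["jwks_uri"]
    return jwks_uri, find_signing_key(jwt_header(token), fetch(jwks_uri))


# --- constructed stand-ins for the HTTPS fetches ---------------------------
def _jwk(kid):
    return {"kty": "RSA", "use": "sig", "alg": "RS256", "kid": kid,
            "n": "placeholder-modulus", "e": "AQAB"}


FAKE_HTTP = {
    discovery_url(ISSUER): {"issuer": ISSUER, "jwks_uri": KEYS_URL},
    discovery_url(ISSUER, APPID): {"issuer": ISSUER,
                                   "jwks_uri": with_query_param(KEYS_URL, "appid", APPID)},
    KEYS_URL: {"keys": [_jwk("tenant-key-1")]},
    with_query_param(KEYS_URL, "appid", APPID): {"keys": [_jwk("app-custom-key-1")]},
}


def fake_fetch(url):
    """Stand-in for GET + JSON decode; swap in urllib/requests for a real tenant."""
    return FAKE_HTTP[url]


def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_token(kid):
    """Constructed ID token: real header/payload layout, junk signature bytes,
    since this script only tests key lookup, not RS256 verification."""
    header = b64url(json.dumps({"typ": "JWT", "alg": "RS256", "kid": kid}).encode())
    payload = b64url(json.dumps({"iss": ISSUER, "aud": APPID, "sub": "user"}).encode())
    return f"{header}.{payload}.{b64url(b'not-a-real-signature')}"


ID_TOKEN = make_token("app-custom-key-1")  # signed with the app's custom key

if __name__ == "__main__":
    kid = jwt_header(ID_TOKEN)["kid"]
    for appid in (None, APPID):
        jwks_uri, key = locate_key(ID_TOKEN, ISSUER, fake_fetch, appid)
        status = "found" if key else f"NOT found (kid {kid!r} absent)"
        print(f"appid={appid}: {jwks_uri} -> key {status}")
```

Run against a real tenant by replacing fake_fetch with an HTTPS GET and pasting the failing ID token's header: if the lookup without appid returns None and the one with appid finds the key, the failure is the per-app signing key described in the Microsoft doc, not a redirect URI or audience mismatch.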

Jim Kalafut

Sep 25, 2019, 1:27:29 PM
to Vault
Hi Stuart,

Thanks for submitting the GH issue (https://github.com/hashicorp/vault-plugin-auth-jwt/issues/75) about this. I've not had a chance to dig into this in detail, but I'm glad that it's also on the go-oidc radar. There was another Azure/OIDC peculiarity submitted today as well, so I'll be reviewing Azure support soon.

Thanks,
Jim

Stuart Clark

Sep 25, 2019, 1:46:46 PM
to vault...@googlegroups.com, Jim Kalafut
On 2019-09-25 18:27, Jim Kalafut wrote:
> Hi Stuart,
>
> Thanks for the submitting the GH issue
> (https://github.com/hashicorp/vault-plugin-auth-jwt/issues/75) about
> this. I've not had a chance to dig into this in detail, but I'm glad
> that it's also on the go-oidc radar. There was another Azure/OIDC
> peculiarity submitted today as well, so I'll be reviewing Azure
> support soon.
>

Thanks for your quick response. As the linked ticket was a little
general I've raised something specific with go-oidc.

If it helps I can demo the issue in more depth if you want to ping me?

Thanks


--
Stuart Clark