Need to add "access_token_issuer" to the list of expected token issuers


Safa Achour

Oct 29, 2025, 5:25:12 AM
to WildFly
Hello, 

We are using WildFly 29 integrated with ADFS using OIDC authentication.
When we use the API we get this issue:

 org.jose4j.jwt.consumer.InvalidJwtException: JWT (claims->*****) rejected due to invalid claims or other invalid content. Additional details: [[12] Issuer (iss) claim value (********/adfs/services/trust) doesn't match expected value of ******/adfs]


After investigation we noticed that in the ADFS OIDC configuration (****/adfs/.well-known/openid-configuration)

we have two issuer definitions:
{ "issuer": "*********/adfs",
--------
--------,
"access_token_issuer": "********/adfs/services/trust",
---------,
}

The issue is that the Elytron subsystem expects the issuer to equal the "issuer" attribute, but ADFS sends
"access_token_issuer" in the generated access token.

Is there a way to extend the expected issuer list under IssValidator?




 

Safa Achour

Oct 30, 2025, 10:29:51 AM
to WildFly
Is that possible through configuration?

Safa Achour

Nov 20, 2025, 2:57:20 AM
to WildFly
Any suggestions, please?

We have implemented a customization in the Elytron module as a quick fix, but we are still facing the issue using JBoss EAP and we need an official fix for that.


Diana Krepinska

Nov 26, 2025, 8:48:48 AM
to WildFly
The "access_token_issuer" is not part of the OIDC specification so WF does not support it. Can this be addressed in settings of ADFS instead?

Safa Achour

Nov 26, 2025, 9:06:29 AM
to WildFly
Hello, 

This is how ADFS generates the access_token; I am not sure if we can customize this part of the ADFS system.

As a quick fix, we have introduced a small customization in "wildfly-elytron-http-oidc", in class TokenValidator:Builder:build()

Screenshot 2025-11-26 150316.png

This is working fine and we can make our REST API calls using ADFS tokens.
So we provided this as a solution for WildFly installations, but we are still facing the same issue with JBoss EAP installations.

Best regards,
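
The issuer mismatch discussed in this thread, reproduced directly against jose4j as an added example; it is not part of any post, and it is not the poster's Elytron customization or WildFly's own code. It signs a sample token whose `iss` is the `access_token_issuer` value, shows the single-issuer check rejecting it with error code 12, then validates it against an explicit two-entry allowlist pinned in code. Assumptions: the issuer URLs, the audience and the class name are constructed placeholders.

```java
import org.jose4j.jwk.RsaJsonWebKey;
import org.jose4j.jwk.RsaJwkGenerator;
import org.jose4j.jws.AlgorithmIdentifiers;
import org.jose4j.jws.JsonWebSignature;
import org.jose4j.jwt.JwtClaims;
import org.jose4j.jwt.consumer.ErrorCodes;
import org.jose4j.jwt.consumer.InvalidJwtException;
import org.jose4j.jwt.consumer.JwtConsumer;
import org.jose4j.jwt.consumer.JwtConsumerBuilder;

public class IssuerAllowlistDemo {
    // Constructed placeholder values, not taken from the thread.
    static final String ISSUER = "https://adfs.example.test/adfs";
    static final String ACCESS_TOKEN_ISSUER = "https://adfs.example.test/adfs/services/trust";
    static final String AUDIENCE = "urn:example:api";

    // Checks shared by both consumers: signature, expiry and audience stay enforced.
    static JwtConsumerBuilder base(RsaJsonWebKey key) {
        return new JwtConsumerBuilder()
                .setRequireExpirationTime()
                .setExpectedAudience(AUDIENCE)
                .setVerificationKey(key.getKey());
    }

    public static void main(String[] args) throws Exception {
        RsaJsonWebKey key = RsaJwkGenerator.generateJwk(2048);
        // Constructed sample access token whose iss is the access_token_issuer value.
        JwtClaims claims = new JwtClaims();
        claims.setIssuer(ACCESS_TOKEN_ISSUER);
        claims.setAudience(AUDIENCE);
        claims.setExpirationTimeMinutesInTheFuture(5);
        JsonWebSignature jws = new JsonWebSignature();
        jws.setPayload(claims.toJson());
        jws.setKey(key.getPrivateKey());
        jws.setAlgorithmHeaderValue(AlgorithmIdentifiers.RSA_USING_SHA256);
        String jwt = jws.getCompactSerialization();

        // Single expected issuer: the token is rejected with ISSUER_INVALID (code 12).
        JwtConsumer strict = base(key).setExpectedIssuer(ISSUER).build();
        try {
            strict.processToClaims(jwt);
        } catch (InvalidJwtException e) {
            System.out.println("strict: ISSUER_INVALID = " + e.hasErrorCode(ErrorCodes.ISSUER_INVALID));
        }

        // Explicit allowlist: both values come from configuration, never from the token itself.
        JwtConsumer allowlist = base(key).setExpectedIssuers(true, ISSUER, ACCESS_TOKEN_ISSUER).build();
        System.out.println("allowlist: iss = " + allowlist.processToClaims(jwt).getIssuer());
    }
}
```

Keeping the allowlist to exact, statically configured strings means a second accepted issuer does not relax the signature, audience or expiry checks.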