Elytron-oidc: AzureAD token validation fails due to "typ" claim

Dba SP

Jun 5, 2023, 10:57:31 AM
to WildFly
Hello all,

I am using wildfly elytron oidc to secure our resource server with a bearer token. While using keycloak as oidc provider everything works fine. However, if we configure elytron to check tokens against an AzureAD app, the validation of the token fails. It fails because of org.wildfly.security.http.oidc.TokenValidator.TypeValidator: This validator expects that the access token has a claim named "typ" with the content "Bearer". While keycloak puts this claim into its token, AzureAD does not (and as far as I know, it is not possible to put this claim into an AzureAD token).

I could not find anything about a mandatory claim "typ" in OIDC, so the typ claim seems to be keycloak related?
Is there any way to turn this validation off, so that tokens without this claim can be used successfully?
(Or are we doing something completely wrong?)

I would appreciate any hint :)
(used versions of elytron: 2.0.0 and 2.2.0)

Farah Juma

Jun 5, 2023, 11:42:30 AM
to Dba SP, WildFly
The "typ" claim is indeed Keycloak specific. We will be adding a system property that could be used to disable the "typ" claim validation when using an OpenID provider other than Keycloak (see ELY-2564).

In the meantime, I believe it should be possible to configure AzureAD to include a custom claim called "typ" with value "Bearer" to work around this problem for now.
