Issues in verifying signature of bearer token generated for Azure AD #40494
Comments
/cc @geoand (kotlin), @pedroigor (bearer-token), @sberyozkin (bearer-token)
Hi @effusion, AFAIK nothing related to the signature verification process has changed. Can you set up a test Azure account that I can use (in another issue closed just today it was confirmed it was working with Entra ID)? You can forward the link to me at sbiarozk at redhat com or ping privately at zulip if you'd like, and CC someone else?
@effusion Not sure if it is relevant, but there are some cases with Azure where the JWT token headers have to be preprocessed, which is achieved with https://github.com/quarkusio/quarkus/blob/main/integration-tests/oidc-wiremock/src/main/resources/application.properties#L179 You don't even have to share a test account link with me, but if you can share a
Hi @sberyozkin, I can provide you with an invalid token, but I need to figure out how to provide the public JsonWebKey. I'll get back to you as soon as I have everything.
@effusion Hi,
It is in I'm not sure yet about the customizer, but something might have changed on the Azure end... Let's see what my test will show
@sberyozkin I just sent you a mail containing the info to your RedHat mail address, which is also the password for the zip file.
Thanks @effusion, my tests show adding a customizer (the token header preprocessor) resolves the problem. It looks like Azure is changing the way it issues tokens depending on some factors.
I'll need to improve on the error message to make it clear that it is a code flow access token and not ID token verification which is failing.
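To make the mechanism behind the customizer fix concrete: a JWS signature is computed over the encoded header and payload exactly as they were at signing time, so any header field transformed between signing and delivery makes the check fail with "Invalid JWS Signature", and a header preprocessor that runs before verification can undo that transformation. The following Python is an added example, not Quarkus code and not anything posted in this thread. It uses HS256 with a constructed shared secret so it runs on the standard library alone (Azure's RS256 tokens follow the same signing-input rules from RFC 7515), and the specific transformation it undoes (hashing the `nonce` header) is a constructed scenario with hypothetical function names, not a statement about what Azure changes.

```python
"""Added example: why a JWS signature check fails when a header field is
altered after signing, and how a header customizer run before verification
restores the signed bytes. HS256 with a constructed key; standard library only.
"""
import base64
import hashlib
import hmac
import json

SECRET = b"demo-shared-secret-not-a-real-key"  # constructed, demo only


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def encode_json(obj: dict) -> bytes:
    # Compact, order-preserving encoding; the customizer keeps key order so
    # re-encoding reproduces the exact bytes the issuer signed.
    return json.dumps(obj, separators=(",", ":")).encode()


def sign(header: dict, claims: dict, key: bytes = SECRET) -> str:
    # The signature covers base64url(header) "." base64url(payload), as sent.
    h, p = b64url(encode_json(header)), b64url(encode_json(claims))
    sig = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return f"{h}.{p}.{b64url(sig)}"


def verify(token: str, key: bytes = SECRET, header_customizer=None) -> dict:
    """Verify a compact JWS and return its claims, or raise ValueError.

    header_customizer (hypothetical hook) receives the decoded header and
    returns the header the signature was actually computed over.
    """
    try:
        h, p, s = token.split(".")
    except ValueError:
        raise ValueError("malformed compact JWS")
    header = json.loads(b64url_decode(h))
    # Pin the algorithm instead of trusting whatever the header advertises.
    if header.get("alg") != "HS256":
        raise ValueError(f"unsupported alg {header.get('alg')!r}")
    if header_customizer is not None:
        header = header_customizer(header)
        h = b64url(encode_json(header))
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("Invalid JWS Signature")
    return json.loads(b64url_decode(p))


def issue_with_transformed_nonce(claims: dict) -> str:
    """Constructed scenario: the issuer signs over a header whose 'nonce' is
    the SHA-256 hex of a value, then delivers the token with the plain value
    in the header, so delivered bytes no longer match the signed bytes."""
    plain_nonce = "demo-nonce-123"  # constructed
    signed_header = {"alg": "HS256", "typ": "JWT",
                     "nonce": hashlib.sha256(plain_nonce.encode()).hexdigest()}
    _, p, s = sign(signed_header, claims).split(".")
    delivered_header = dict(signed_header, nonce=plain_nonce)
    return f"{b64url(encode_json(delivered_header))}.{p}.{s}"


def hash_nonce_customizer(header: dict) -> dict:
    """Hypothetical header preprocessor: redo the transformation so the
    verifier sees the header the issuer signed."""
    if "nonce" not in header:
        return header
    return dict(header, nonce=hashlib.sha256(header["nonce"].encode()).hexdigest())


def demo() -> dict:
    claims = {"sub": "user@example.test", "aud": "demo-app"}  # constructed
    token = issue_with_transformed_nonce(claims)
    result = {"plain_ok": True, "customized_ok": True}
    try:
        verify(token)  # fails: header bytes differ from what was signed
    except ValueError as e:
        result["plain_ok"], result["plain_error"] = False, str(e)
    try:
        result["claims"] = verify(token, header_customizer=hash_nonce_customizer)
    except ValueError:
        result["customized_ok"] = False
    return result


if __name__ == "__main__":
    print(demo())
```

The point for a deployer is that the failing token is otherwise valid: same key, same issuer, same claims. Only the header bytes differ, which is why a key rotation or JWKS refresh does not help and a preprocessing step applied before the signature check does. The customizer here is deliberately narrow (it touches one named field and leaves everything else as delivered) so that it cannot be used to make an arbitrary header verify.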
Describe the bug
Hello,
We tried to update the Quarkus BOM version from 3.8.3 to 3.9.5/3.10.0 and now get an error when logging in with Azure OIDC.
Expected behavior
The update of the BOM version should not break OIDC authentication, and logging in should be possible.
Actual behavior
The Azure login page is shown with a password prompt and 2FA when opening the app URL. After entering the 2FA code, the App responds with a 401. The following error is shown in the log:
ID token verification has failed: JWT rejected due to invalid signature. Additional details: [[9] Invalid JWS Signature: ....
We did not change any properties. Everything works with version 3.8.3.
How to Reproduce?
Output of uname -a or ver
Darwin ultima-thule.local 23.4.0 Darwin Kernel Version 23.4.0: Fri Mar 15 00:10:42 PDT 2024; root:xnu-10063.101.17~1/RELEASE_ARM64_T6000 arm64
Output of java -version
openjdk version "21.0.1" 2023-10-17 LTS
OpenJDK Runtime Environment Zulu21.30+15-CA (build 21.0.1+12-LTS)
OpenJDK 64-Bit Server VM Zulu21.30+15-CA (build 21.0.1+12-LTS, mixed mode, sharing)
Quarkus version or git rev
3.9.5, 3.10.0
Build tool (ie. output of mvnw --version or gradlew --version)
------------------------------------------------------------
Gradle 8.7
------------------------------------------------------------
Build time: 2024-03-22 15:52:46 UTC
Revision: 650af14d7653aa949fce5e886e685efc9cf97c10
Kotlin: 1.9.22
Groovy: 3.0.17
Ant: Apache Ant(TM) version 1.10.13 compiled on January 4 2023
JVM: 21.0.1 (Azul Systems, Inc. 21.0.1+12-LTS)
OS: Mac OS X 14.4.1 aarch64
Additional information
Current app configuration.