OpenID Connect with v2.0 endpoint: Incorrect "iss" claim in JWT!


Problem description




I'm using the v2.0 endpoint with a new App Registration (Preview) to secure an API, based on this documentation: https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-configure-app-access-web-apis.

When I try to log in using https://github.com/keycloak/keycloak-gatekeeper to act as an authenticating proxy, the JWT validation fails, as the issuer in the JWT does not match what is specified in the v2.0 discovery endpoint. I'm able to repro this issue consistently with multiple application registrations.

Discovery endpoint: https://login.microsoftonline.com/<redacted>/v2.0/.well-known/openid-configuration

Expected ISS per discovery endpoint: https://login.microsoftonline.com/<redacted>/v2.0

Actual ISS in JWT token: https://sts.windows.net/<redacted>/

Error message: "error": "oidc: JWT claims invalid: invalid claim value: 'iss'. expected=https://login.microsoftonline.com/<redacted>/v2.0, found=https://sts.windows.net/<redacted>/."

However, the ISS value returned in the JWT token matches the issuer value as per the v1 discovery endpoint (https://login.microsoftonline.com/<redacted>/.well-known/openid-configuration).

Keycloak-gatekeeper uses github.com/coreos/go-oidc to delegate OIDC auth flows which is a widely used library. I strongly believe that the Azure implementation is incorrect as this library works fine with most other OIDC implementations.

Edit:

After building my own fork of keycloak-gatekeeper with additional logging, I figured out that the "ver" field in the JWT tokens is different between the IDToken and AccessToken. The ID Token is an Azure AD v2.0 token and the Access Token is a v1.0 token. They are both returned in the same response body from Azure AD!

How is this possible? How can I fix this?

Solution

I believe that the ver field can be different since ID token would be used for the client while the access token would be used for the API. http://www.andrewconnell.com/blog/azure-ad-oauth2-openid-connect

Based on your error it looks like the iss value (issuer URL) might be missing. https://docs.microsoft.com/en-us/azure/app-service/configure-authentication-provider-aad
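The mismatch in the question is reproducible offline. The following Go program is an added example written for this page; it is not code from the question, from keycloak-gatekeeper or from go-oidc. It mints a v2.0-style ID token and a v1.0-style access token for one tenant, verifies their signatures, and then runs two issuer checks: a strict comparison against the single issuer string the v2.0 discovery document advertises (the check that produces the error in the question) and a tenant-aware check that accepts either issuer format but only for the tenant the verifier is configured with. Assumptions made here: the tenant ID is a constructed placeholder, a locally generated RSA key stands in for the tenant's JWKS key, the two issuer templates are taken from the question and are tied to "ver" claim values "1.0" and "2.0", and the error wording copies the message the question quotes.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

type Claims struct { // subset of Azure AD token claims this example inspects
	Iss string `json:"iss"`
	Tid string `json:"tid"`
	Ver string `json:"ver"`
}

// ExpectedIssuer maps a tenant and the token's "ver" claim to the two issuer strings quoted
// in the question; tying ver "1.0" and "2.0" to those templates is this example's assumption.
func ExpectedIssuer(tenantID, ver string) (string, error) {
	switch ver {
	case "1.0":
		return "https://sts.windows.net/" + tenantID + "/", nil
	case "2.0":
		return "https://login.microsoftonline.com/" + tenantID + "/v2.0", nil
	}
	return "", fmt.Errorf("unsupported token version %q", ver)
}

func b64url(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }
func dec(s string) []byte    { b, _ := base64.RawURLEncoding.DecodeString(s); return b }

// Mint builds an RS256 JWT; it only produces sample tokens here and is not Azure AD's logic.
func Mint(key *rsa.PrivateKey, c Claims) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	body, _ := json.Marshal(c) // Claims holds only strings, so this cannot fail
	input := b64url(hdr) + "." + b64url(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64url(sig), nil
}

// ParseVerified checks the RS256 signature against pub before returning any claim. The
// algorithm is pinned by the verifier, never read from the header, so "alg":"none" fails.
func ParseVerified(pub *rsa.PublicKey, token string) (Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return Claims{}, fmt.Errorf("malformed JWT")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], dec(parts[2])); err != nil {
		return Claims{}, fmt.Errorf("bad signature: %w", err)
	}
	var c Claims
	err := json.Unmarshal(dec(parts[1]), &c)
	return c, err
}

// mismatch reports a claim that differs from its expected value, in go-oidc's wording.
func mismatch(claim, want, got string) error {
	if want != got {
		return fmt.Errorf("invalid claim value: '%s'. expected=%s, found=%s", claim, want, got)
	}
	return nil
}

func StrictIssuerCheck(discoveryIssuer string, c Claims) error {
	return mismatch("iss", discoveryIssuer, c.Iss)
}

// TenantIssuerCheck accepts either issuer format, but only for the configured tenant. Deriving
// the expected issuer from the token's own tid would let any tenant's token through.
func TenantIssuerCheck(tenantID string, c Claims) error {
	want, err := ExpectedIssuer(tenantID, c.Ver)
	if err != nil {
		return err
	}
	if err := mismatch("iss", want, c.Iss); err != nil {
		return err
	}
	return mismatch("tid", tenantID, c.Tid)
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)  // stands in for the tenant's JWKS key
	tid := "00000000-0000-0000-0000-000000000001" // constructed tenant ID
	v2, _ := ExpectedIssuer(tid, "2.0")           // issuer advertised by the v2.0 discovery document
	v1, _ := ExpectedIssuer(tid, "1.0")
	for _, cl := range []Claims{{Iss: v2, Tid: tid, Ver: "2.0"}, {Iss: v1, Tid: tid, Ver: "1.0"}} {
		tok, _ := Mint(key, cl)
		c, _ := ParseVerified(&key.PublicKey, tok)
		fmt.Printf("ver=%s strict=%v tenant-aware=%v\n", c.Ver, StrictIssuerCheck(v2, c), TenantIssuerCheck(tid, c))
	}
}
```

Run it with `go run`: the v2.0 ID token passes both checks, the v1.0 access token fails only the strict check, reproducing the error in the question. Note what the tenant-aware check still refuses: a token whose iss belongs to another tenant, a token whose tid disagrees with the configured tenant, a token whose issuer format does not match its ver, and any token whose signature does not verify, since claims are never read before the signature is checked. go-oidc's verifier Config exposes a SkipIssuerCheck option, but that turns the comparison off entirely rather than binding it to the tenant, so a check of this shape is the safer substitute if the proxy really must validate the v1.0 access token.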



