What's wrong with this authorization exchange?

Question

I've set up a MediaWiki server on an Azure website with the PluggableAuth and OpenID Connect extensions. The latter uses the PHP OpenID Connect Basic Client library. I am an administrator in the Azure AD domain example.com, wherein I've created an application with App ID URI, sign-on URL and reply URL all set to https://wiki.azurewebsites.net/. When I navigate to the wiki, I observe the following behavior (cookie values omitted for now):

  1. Client Request

    GET https://wiki.azurewebsites.net/ HTTP/1.1

  2. RP Request

    GET https://login.windows.net/example.com/.well-known/openid-configuration

  3. IP Response

    (some response)

  4. RP Response

    HTTP/1.1 302 Moved Temporarily
    Location: https://login.windows.net/{tenant_id}/oauth2/authorize?response_type=code&redirect_uri=https%3A%2F%2Fwiki.azurewebsites.net%2F&client_id={client_id}&nonce={nonce}&state={state}

  5. Client Request

    (follows redirect)

  6. IP Response

    HTTP/1.1 302 Found
    Location: https://wiki.azurewebsites.net/?code={code}&state={state}&session_state={session_state}

  7. Client Request

    (follows redirect)

  8. RP Request (also repeats #2 & #3)

    POST https://login.windows.net/{tenant_id}/oauth2/token
    grant_type=authorization_code&code={code}&redirect_uri=https%3A%2F%2Fwiki.azurewebsites.net%2F&client_id={client_id}&client_secret={client_secret}

  9. IP Response

    (As interpreted by MediaWiki; I don't have the full response logged at this time)

    AADSTS50001: Resource identifier is not provided.

Note that if I change the OpenID PHP client to provide the 'resource' parameter in step 8, I get the following error response from AAD instead:

  1. RP Request

    POST https://login.windows.net/{tenant_id}/oauth2/token
    grant_type=authorization_code&code={code}&redirect_uri=https%3A%2F%2Fwiki.azurewebsites.net%2F&resource=https%3A%2F%2Fwiki.azurewebsites.net%2F&client_id={client_id}&client_secret={client_secret}

  2. IP Response

    AADSTS90027: The client '{client_id}' and resource 'https://wiki.azurewebsites.net/' identify the same application.

    (This has come up before.)

Update

I've made some progress based on @jricher's suggestions, but after working through several more errors I've hit one that I can't figure out. Once this is all done I'll submit pull requests to the affected libraries.

Here's what I've done:

  • I've added a second application to the example.com Azure AD domain, with the App ID URI set to mediawiki://wiki.azurewebsites.net/, as a dummy "resource". I also granted the https://wiki.azurewebsites.net/ application delegated access to this new application.

  • Passing in the dummy application's URI as the resource parameter in step #8, I'm now getting back the access, refresh, and ID tokens in #9!

  • The OpenID Connect library requires that the ID token be signed, but while Azure AD signs the access token it doesn't sign the ID token. It comes with the following properties: {"typ":"JWT","alg":"none"}. So I had to modify the library to allow the caller to specify that unsigned ID tokens are considered "verified". Grrr.

  • Okay, next it turns out that the claims can't be verified because the OpenID Provider URL I specified and the issuer URL returned in the token are different. (Seriously?!) So, the provider has to be specified as https://sts.windows.net/{tenant_id}/, and then that works.

  • Next, I found that I hadn't run the MediaWiki DB upgrade script for the OpenID Connect extension yet. Thankfully that was a quick fix.

  • After that, I am now left with (what I hope is) the final problem of trying to get the user info from AAD's OpenID Connect UserInfo endpoint. I'll give that its own section.

Can't get the user info [Updated]

This is where I am stuck now. After step #9, following one or two intermediate requests to get metadata and keys for verifying the token, the following occurs:

  1. RP Request:

    (Updated to use GET with Authorization: Bearer header, per MSDN and the spec.)

    GET https://login.windows.net/{tenant_id}/openid/userinfo
    Authorization: Bearer {access_token}

  2. IP Response:

    400 Bad Request
    AADSTS50063: Credential parsing failed. AADSTS90010: JWT tokens cannot be used with the UserInfo endpoint.

    (If I change #10 to be either a POST request, with access_token in the body, or a GET request with access_token in the query string, AAD returns the error: AADSTS70000: Authentication failed. UserInfo token is not valid. The same occurs if I use the value of the id_token in place of the access_token value that I received.)

Help?

Update

I'm still hoping someone can shed light on the final issue (the UserInfo endpoint not accepting the bearer token), but I may split that out into a separate question. In the meantime, I'm adding some workarounds to the libraries (PRs coming soon) so that the claims which are already being returned in the bearer token can be used instead of making the call to the UserInfo endpoint. Many thanks to everyone who's helped out with this.

There's also a nagging part of me that wonders if the whole thing would not have been simpler with the OpenID Connect Basic Profile. I assume there's a reason why that was not implemented by the MediaWiki extension.

Update 2

I just came across a new post from Vittorio Bertocci that includes this helpful hint:

...in this request the application is asking for a token for itself! In Azure AD this is possible only if the requested token is an id_token...

This suggests that just changing the token request type in step 8 from authorization_code to id_token could remove the need for the non-standard resource parameter and also make the ugly second AAD application unnecessary. Still a hack, but it feels like much less of one.
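
An added example (Python, not the PHP OpenID Connect Basic Client the question uses, and not Azure AD's own code) of the checks a relying party should run on the ID token that comes back in step 9. It models the two things the poster ran into: the `{"typ":"JWT","alg":"none"}` header, which OIDC Core 3.1.3.7 tolerates only because the token travelled straight back from the token endpoint over TLS, so the validator accepts an unsigned token on that channel and on no other; and the `iss` comparison, which is made against the `issuer` value advertised in the discovery document (`https://sts.windows.net/{tenant_id}/`) rather than against the URL the document was fetched from. Audience, nonce and lifetime are checked as well. The tenant id, client id, nonce, clock and token contents are constructed for the demo.

```python
"""Validate an Azure AD v1 ID token the way an OIDC relying party should.

Added example; constructed values stand in for the {tenant_id}, {client_id}
and {nonce} placeholders from the question. Python stdlib only.
"""
import base64
import json
import time
from typing import Optional

TENANT_ID = "00000000-0000-0000-0000-000000000001"      # constructed
CLIENT_ID = "11111111-1111-1111-1111-111111111111"      # constructed
EXPECTED_NONCE = "n-0S6_WzA2Mj"                           # constructed, stored in the RP session
SAMPLE_NOW = 1_700_000_000                                # fixed clock so the demo is reproducible

# The discovery document fetched from login.windows.net/example.com advertises
# this issuer; `iss` is compared against it, not against the metadata URL.
DISCOVERY_ISSUER = f"https://sts.windows.net/{TENANT_ID}/"

# Constructed claims shaped like an AAD v1 ID token for the wiki application.
SAMPLE_CLAIMS = {
    "iss": DISCOVERY_ISSUER, "aud": CLIENT_ID, "nonce": EXPECTED_NONCE,
    "iat": SAMPLE_NOW - 60, "nbf": SAMPLE_NOW - 60, "exp": SAMPLE_NOW + 3600,
    "tid": TENANT_ID, "upn": "alice@example.com",
}


def _b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_id_token(claims: dict) -> str:
    """Build a token with the header the question reports: {"typ":"JWT","alg":"none"}."""
    header = {"typ": "JWT", "alg": "none"}
    parts = [json.dumps(header, separators=(",", ":")), json.dumps(claims, separators=(",", ":"))]
    return ".".join(_b64url_encode(p.encode()) for p in parts) + "."   # empty signature segment


def validate_id_token(token: str, *, expected_issuer: str, client_id: str,
                      expected_nonce: str, from_token_endpoint: bool,
                      now: Optional[float] = None) -> dict:
    """Return the claims if the token is acceptable, otherwise raise ValueError.

    An alg=none token is accepted only when it was received directly from the
    token endpoint over TLS (OIDC Core 3.1.3.7); anything that arrived through
    the browser must carry a signature, which this demo does not implement.
    """
    try:
        header_b64, payload_b64, signature_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
    except (ValueError, json.JSONDecodeError) as exc:
        raise ValueError("malformed JWT") from exc

    alg = header.get("alg")
    if alg == "none":
        if not from_token_endpoint or signature_b64 != "":
            raise ValueError("unsigned ID token not accepted from this channel")
    else:
        # Production code verifies the JWS here against the provider's JWKS.
        raise ValueError(f"signature verification for alg={alg!r} not implemented in this example")

    if claims.get("iss") != expected_issuer:
        raise ValueError(f"issuer mismatch: {claims.get('iss')!r} != {expected_issuer!r}")
    aud = claims.get("aud")
    if not (aud == client_id or (isinstance(aud, list) and client_id in aud)):
        raise ValueError("audience does not include this client")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch (possible replay)")
    now = time.time() if now is None else now
    if not isinstance(claims.get("exp"), (int, float)) or now >= claims["exp"]:
        raise ValueError("token expired")
    if "nbf" in claims and now < claims["nbf"]:
        raise ValueError("token not yet valid")
    return claims


def rejection_reason(token: str, **overrides) -> Optional[str]:
    """Validate with the demo's expectations (overridable) and return the error text, or None."""
    kwargs = dict(expected_issuer=DISCOVERY_ISSUER, client_id=CLIENT_ID,
                  expected_nonce=EXPECTED_NONCE, from_token_endpoint=True, now=SAMPLE_NOW)
    kwargs.update(overrides)
    try:
        validate_id_token(token, **kwargs)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    tok = make_unsigned_id_token(SAMPLE_CLAIMS)
    print("token endpoint, correct issuer :", rejection_reason(tok))
    print("front channel                  :", rejection_reason(tok, from_token_endpoint=False))
    print("metadata URL used as issuer    :",
          rejection_reason(tok, expected_issuer=f"https://login.windows.net/{TENANT_ID}/"))
```

The `expected_issuer` run with `https://login.windows.net/{tenant_id}/` reproduces the issuer mismatch the poster hit: the fix is to take `issuer` from the discovery document, not to relax the comparison.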

Answer

Justin is right. For authorization code grant flow, you must specify the resource parameter in either the authorization request or the token request.

Use &resource=https%3A%2F%2Fgraph.windows.net%2F to get an access token for the Azure AD Graph API.

Use &resource=https%3A%2F%2Fmanagement.core.windows.net%2F to get a token for the Azure Service Management APIs.

...

Hope this helps
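
The answer's fix in code, as an added example in Python (not the question's PHP library and not an Azure SDK): the authorization request from step 4 and the token request from step 8 with the `resource` parameter added, a `state` check on the step-6 callback before the code is used, and an early refusal of the client's own App ID URI as the resource, which is what produced AADSTS90027 in the question. The tenant id, client id, client secret and callback values are constructed placeholders; the endpoints, parameter names and the Graph resource URI are the ones that appear on the page.

```python
"""Azure AD v1 authorization-code requests with the resource parameter.

Added example; stdlib only. Network calls are left to the caller, the
functions build and check the messages that appear in the exchange above.
"""
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

TENANT_ID = "00000000-0000-0000-0000-000000000001"   # constructed
CLIENT_ID = "11111111-1111-1111-1111-111111111111"   # constructed
CLIENT_SECRET = "constructed-secret-do-not-use"      # constructed
REDIRECT_URI = "https://wiki.azurewebsites.net/"
APP_ID_URI = "https://wiki.azurewebsites.net/"       # the RP's own App ID URI
GRAPH_RESOURCE = "https://graph.windows.net/"        # resource named in the answer

AUTHORIZE_ENDPOINT = f"https://login.windows.net/{TENANT_ID}/oauth2/authorize"
TOKEN_ENDPOINT = f"https://login.windows.net/{TENANT_ID}/oauth2/token"


def new_session() -> dict:
    """Per-login state (binds the callback to this browser) and nonce (binds the ID token)."""
    return {"state": secrets.token_urlsafe(24), "nonce": secrets.token_urlsafe(24)}


def check_resource(resource: str) -> str:
    """Refuse the resource AAD itself refuses with AADSTS90027: the client's own app."""
    if resource == APP_ID_URI:
        raise ValueError("resource must not be the client's own App ID URI (AADSTS90027)")
    return resource


def form_params(body: str) -> dict:
    """Single-valued view of a form-encoded body or query string."""
    return {k: v[0] for k, v in parse_qs(body).items()}


def query_params(url: str) -> dict:
    return form_params(urlsplit(url).query)


def authorize_url(session: dict, resource: str = None) -> str:
    """Step 4 redirect target; `resource` may be supplied here or in the token request."""
    params = {
        "response_type": "code",
        "redirect_uri": REDIRECT_URI,
        "client_id": CLIENT_ID,
        "nonce": session["nonce"],
        "state": session["state"],
    }
    if resource is not None:
        params["resource"] = check_resource(resource)
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"


def handle_callback(session: dict, location: str) -> str:
    """Parse the step-6 redirect and return the code, after checking state in constant time."""
    q = query_params(location)
    if "error" in q:
        raise ValueError(f"authorization error: {q['error']}")
    if not hmac.compare_digest(q.get("state", "").encode(), session["state"].encode()):
        raise ValueError("state mismatch: callback is not bound to this session")
    if "code" not in q:
        raise ValueError("callback carries no authorization code")
    return q["code"]


def token_request_body(code: str, resource: str = None) -> str:
    """Step-8 POST body; redirect_uri must equal the one sent in the authorize request."""
    params = {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "client_id": CLIENT_ID,
        "client_secret": CLIENT_SECRET,
    }
    if resource is not None:
        params["resource"] = check_resource(resource)
    return urlencode(params)


if __name__ == "__main__":
    s = new_session()
    print(authorize_url(s, resource=GRAPH_RESOURCE))
    cb = f"{REDIRECT_URI}?code=AQAB...&state={s['state']}&session_state=sess"  # constructed
    print("POST", TOKEN_ENDPOINT, token_request_body(handle_callback(s, cb), resource=GRAPH_RESOURCE))
```

Send `resource` in one place only; the Graph URI from the answer is used here, and swapping in `https://management.core.windows.net/` follows the same shape.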
