Token verification error, what should I verify?

[ghost]

Hello,

Things are working nice for me with mod_auth_openidc and I'm giving a try to mod_oauth2 to improve an API access that is used for system to system integration (using a service account / user).

I have installed latest with required dependency and use browser and postman to test the setup.

I have tried different things but I'm stuck getting a failure on token verification:

oauth2_jose_jwt_verify_jwk: cjose_jws_verify failed: [jws.c:953 _cjose_jws_verify_sig_rs error:04091068:rsa routines:int_rsa_verify:bad signature]

oauth2_apache_hdr_out_add: WWW-Authenticate: Bearer error="invalid_token", error_description="Token could not be verified."

Things seems to be ok on postman side, I use the jwk url that is declared in Azure Ad metadata for my app.

I use something like this in my location

  AuthType oauth2
  OAuth2TokenVerify jwks_uri https://login.microsoftonline.com/MY_APP_ID_REMOVED/discovery/v2.0/keys jwks_uri.ssl_verify=false
  OAuth2AcceptTokenIn header

I will get back to the problem with a fresher head but would gladly take tips of things I could try or double check to get past this hurdle.

Thanks!
Eric

[ghost]

I have tried and validated a few other things, still not understand what could be missing.
For a moment I tough it could be a failing check on ipaddr claim (because of vpn / waf), I browsed the code a bit but was not able to find where it was implemented (called in liboauth2).

The only other thing I noticed is that I can get to the ressource if I use the id token instead of the access token... no the solution but an observation.

[zandbelt]

it looks like you've configured the wrong jwks_uri, namely the one that has the OIDC provider keys (signing the id_token) rather than the OAuth 2.0 provider keys (signing the access token).

[ghost]

Thanks for input.

I have tried a simpler test (using python) and I do get Signature verification failed
kid in the access token match with one of the available key in the jwks data (also noticed kid is the same in id and access token, could be a hint of something wrong)?.

There is something in the documentation about custom mapping (discussed here : https://learn.microsoft.com/en-us/answers/questions/1163810/where-can-i-find-the-jwks-uri-for-azure-ad) but using the specific appId doesnt seem to change anything. Maybe something that is missing in our app configs in Azure.

I'll read some more and get back if I find something else.

[ghost]

I think I have something that could be related here : AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet#609

If you use scopes like "User.read", "openid", "profile", "email", ... You'll see that the audience value in the JWT access token will be set to graph.microsoft.com.
So the token is indeed for graph, and not for your application.

It's very likely a bad understanding on my part, I should use custom api scope instead of the graph one.

[ghost]

Yes. Looks ok (and I do understand why now). I did try declaring the api scope yesterday, but was missing some understanding.

So I have to declare scope that will be related to the ressource server and then define use this scope when getting the token. I was able to get postive validation and access to the ressource.

Sorry for the false error!

[zandbelt]

ok, thanks for reporting back; this discussion is useful for later reference

[ghost]

Yes thanks!