AngellusMortis / django_microsoft_auth

Simple app to enable Microsoft Account, Office 365 and Xbox Live authentication as a Django authentication backend.
MIT License

token kid not in jwks_uri #413

Open gartmeier opened 4 years ago

gartmeier commented 4 years ago

Description

The authentication fails because the kid returned from the token_endpoint is not included in the response of the jwks_uri.

The following code fails:

    import jwt  # PyJWT, used here only to read the unverified JOSE header

    def get_claims(self, allow_refresh=True):
        if self.token is None:
            return None

        # id_token is the OIDC identity token returned by token_endpoint
        token = self.token["id_token"].encode("utf8")

        # key id from the (unverified) token header
        kid = jwt.get_unverified_header(token)["kid"]
        jwk = None
        public_key = None
        # look for the matching key in the cached document from jwks_uri
        for key in self.jwks:
            if kid == key["kid"]:  # <- never matches, there are 3 items in self.jwks
                jwk = key
                break

The config:

{
  "token_endpoint": "https://login.microsoftonline.com/<MICROSOFT_AUTH_TENANT_ID>/oauth2/v2.0/token",
  "token_endpoint_auth_methods_supported": [
    "client_secret_post",
    "private_key_jwt",
    "client_secret_basic"
  ],
  "jwks_uri": "https://login.microsoftonline.com/<MICROSOFT_AUTH_TENANT_ID>/discovery/v2.0/keys",
  "response_modes_supported": [
    "query",
    "fragment",
    "form_post"
  ],
  "subject_types_supported": [
    "pairwise"
  ],
  "id_token_signing_alg_values_supported": [
    "RS256"
  ],
  "response_types_supported": [
    "code",
    "id_token",
    "code id_token",
    "id_token token"
  ],
  "scopes_supported": [
    "openid",
    "profile",
    "email",
    "offline_access"
  ],
  "issuer": "https://login.microsoftonline.com/<MICROSOFT_AUTH_TENANT_ID>/v2.0",
  "request_uri_parameter_supported": false,
  "userinfo_endpoint": "https://graph.microsoft.com/oidc/userinfo",
  "authorization_endpoint": "https://login.microsoftonline.com/<MICROSOFT_AUTH_TENANT_ID>/oauth2/v2.0/authorize",
  "http_logout_supported": true,
  "frontchannel_logout_supported": true,
  "end_session_endpoint": "https://login.microsoftonline.com/<MICROSOFT_AUTH_TENANT_ID>/oauth2/v2.0/logout",
  "claims_supported": [
    "sub",
    "iss",
    "cloud_instance_name",
    "cloud_instance_host_name",
    "cloud_graph_host_name",
    "msgraph_host",
    "aud",
    "exp",
    "iat",
    "auth_time",
    "acr",
    "nonce",
    "preferred_username",
    "name",
    "tid",
    "ver",
    "at_hash",
    "c_hash",
    "email"
  ],
  "tenant_region_scope": "EU",
  "cloud_instance_name": "microsoftonline.com",
  "cloud_graph_host_name": "graph.windows.net",
  "msgraph_host": "graph.microsoft.com",
  "rbac_url": "https://pas.windows.net"
}

Do you have any idea what could cause kids not to match?

Environment Setup Steps

  1. Steps 1 & 2 of https://django-microsoft-auth.readthedocs.io/en/latest/usage.html
  2. Created Enterprise Application
  3. Added setting MICROSOFT_AUTH_CLIENT_ID = '<Application (client) ID>'
  4. Added setting MICROSOFT_AUTH_TENANT_ID = '<Directory (tenant) ID>'
  5. Added redirect URL 'http://localhost:8000/microsoft/auth-callback/' to application
  6. Create client secret and add setting MICROSOFT_AUTH_CLIENT_SECRET = ''

Steps to Reproduce

  1. Navigate to http://localhost:800/admin/
  2. Click on "Microsoft" button
  3. Enter Microsoft Credentials

Expected Result: User is created and logged in

Actual Result: Failed to authenticate you for an unknown reason

[Screenshot 2020-05-26 at 15:10:18]
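One way to make the lookup above fail closed while tolerating the most common cause of this symptom, a cached JWKS that predates a signing-key rollover: refresh the key set once on a miss, and reject the token if the kid is still unknown. This is an added example, not code from django_microsoft_auth, and the issue does not confirm that a stale cache is the cause here. The names JwksResolver, make_unsigned_token, JWKS_STALE and JWKS_CURRENT are invented; the JWKS entries carry dummy key material and no signature is verified, only header parsing and kid selection are shown.

```python
import base64
import json

# Constructed JWKS documents (not real Microsoft keys): the one a stale cache
# might still hold, and the one jwks_uri serves after a key rollover.
# "n"/"e" are placeholders; nothing here performs RSA verification.
JWKS_STALE = {"keys": [
    {"kty": "RSA", "use": "sig", "kid": "old-key-1", "n": "AQAB", "e": "AQAB"},
]}
JWKS_CURRENT = {"keys": [
    {"kty": "RSA", "use": "sig", "kid": "new-key-1", "n": "AQAB", "e": "AQAB"},
    {"kty": "RSA", "use": "sig", "kid": "new-key-2", "n": "AQAB", "e": "AQAB"},
]}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def make_unsigned_token(kid: str, alg: str = "RS256") -> str:
    """Build a JWT-shaped string with a dummy signature (constructed test input)."""
    header = _b64url(json.dumps({"typ": "JWT", "alg": alg, "kid": kid}).encode())
    payload = _b64url(json.dumps({"sub": "user-1", "ver": "2.0"}).encode())
    return f"{header}.{payload}.{_b64url(b'dummy-signature')}"


def unverified_header(token: str) -> dict:
    """Parse the JOSE header without trusting anything in it."""
    try:
        return json.loads(_b64url_decode(token.split(".")[0]))
    except (ValueError, IndexError) as exc:
        raise ValueError("malformed token") from exc


class JwksResolver:
    """Caches a JWKS document and refreshes it at most once per lookup on a kid miss."""

    def __init__(self, fetch_jwks, initial=None):
        self._fetch = fetch_jwks  # callable returning the JWKS dict from jwks_uri
        self._keys = (initial or {"keys": []})["keys"]
        self.refreshes = 0

    def _find(self, kid):
        return next((k for k in self._keys if k.get("kid") == kid), None)

    def key_for(self, token: str, expected_alg: str = "RS256") -> dict:
        header = unverified_header(token)
        # pin the algorithm before looking anything up; never let the token choose it
        if header.get("alg") != expected_alg:
            raise ValueError(f"unexpected alg {header.get('alg')!r}")
        kid = header.get("kid")
        if not kid:
            raise ValueError("token header has no kid")
        jwk = self._find(kid)
        if jwk is None:
            # cache miss: the provider may have rotated keys, so refresh once
            self._keys = self._fetch()["keys"]
            self.refreshes += 1
            jwk = self._find(kid)
        if jwk is None:
            # still unknown after a refresh: fail closed, do not fall back to any key
            raise LookupError(f"kid {kid!r} not present in jwks_uri document")
        return jwk
```

In production the matched JWK would then be handed to the verifier, for example PyJWT's `jwt.algorithms.RSAAlgorithm.from_jwk(json.dumps(jwk))` followed by `jwt.decode(token, key, algorithms=["RS256"], audience=client_id, issuer=expected_issuer)`, so that the signature, audience and issuer are checked against the key chosen by kid rather than by anything else in the token.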