fancyDevelopment / Fancy.ResourceLinker

A set of libraries to easily create API Gateways, Backend for Frontends (BFF) and truly RESTful Web APIs based on ASP.NET Core
Apache License 2.0

Token validation with Microsoft Entra ID causes problems #26

Closed by fancyDevelopment 6 months ago

Pieter-1337 commented 8 months ago

@fancyDevelopment could you provide some more details concerning the issue? What kind of error are we facing and what are the circumstances to replicate this issue? I am using the package and logging in via Azure B2C.

In this setup I created a SUSI flow and I added an IdP (Microsoft Entra) with OpenID Connect to the flow. With this setup users can sign up and sign in for an account, or sign in via the federated IdP.

I did not encounter any issues. I also added Google as social login to the Entra tenant and I am also able to log in with Google accounts (federated in B2C).

fancyDevelopment commented 7 months ago

Hi @Pieter-1337, thanks again for the offer to help.

This is the exception I get when I try using Microsoft Entra ID (not AAD B2C - I can confirm this works):

```
The token needs to be in JWS or JWE Compact Serialization Format. (JWS): 'EncodedHeader.EndcodedPayload.EncodedSignature'. (JWE): 'EncodedProtectedHeader.EncodedEncryptedKey.EncodedInitializationVector.EncodedCiphertext.EncodedAuthenticationTag'.
   at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ReadJwtToken(String token)
   at Fancy.ResourceLinker.Gateway.Authentication.TokenService.GetAccessTokenClaimsAsync() in C:\Dev\Projects\Fancy.ResourceLinker\src\Fancy.ResourceLinker.Gateway\Authentication\TokenService.cs:line 152
   at Fancy.ResourceLinker.Gateway.Authentication.GatewayAuthentication.<>c.<<UseGatewayAuthentication>b__3_0>d.MoveNext() in C:\Dev\Projects\Fancy.ResourceLinker\src\Fancy.ResourceLinker.Gateway\Authentication\GatewayAuthentication.cs:line 193
--- End of stack trace from previous location ---
   at Microsoft.AspNetCore.Authorization.AuthorizationMiddleware.Invoke(HttpContext context)
   at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context)
   at Microsoft.AspNetCore.Diagnostics.DeveloperExceptionPageMiddlewareImpl.Invoke(HttpContext context)
```

Somehow the token cannot be read.

To work on this issue you can use this environment if you want: https://github.com/fancyDevelopment/Fancy.ResourceLinker-Sample/tree/bug/entra-id. I already set up everything to authenticate against Entra ID and added the Fancy.ResourceLinker libs as project references. All you have to do to use this is to check out this project and the one in the link into the same folder and adjust your tenant GUID and client ID GUID in the configuration of the gateway.

Don't hesitate to ask if you need any further assistance.

Pieter-1337 commented 7 months ago

Hey @fancyDevelopment, I will have some time to take a look next week, thanks for the preparation!

Pieter-1337 commented 6 months ago

@fancyDevelopment I added my authority, client ID & client secret from an app registration in my Entra ID tenant and navigated to 5100. I managed to log in and am getting an access and ID token as I would expect. Am I doing something wrong to replicate the issue?

fancyDevelopment commented 6 months ago

Hi @Pieter-1337, I just tried it again and still have issues. From my analysis so far it seems that I don't get a well-formatted access token.

I want to make sure we talk about the same things. You mentioned you added your client ID. But this should not be necessary. You have to adjust this section of the config:

```json
"Gateway": {
  "Authentication": {
    "Authority": "https://login.microsoftonline.com/<Your Tenant ID>/",
    "ClientId": "<Your Client ID>",
    "AuthorizationCodeScopes": "openid offline_access",
    "SessionTimeoutInMin": 1,
    "UniqueIdentifierClaimType": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"
  }
}
```

There is no client secret needed. Are we really talking about the same thing?

Pieter-1337 commented 6 months ago

@fancyDevelopment [image]

It is the same configuration settings, it seems to me. The client secret I fill in is from an app registration on Azure.

When I then navigate to localhost:5100 and log in I get the following response in the console: [image]

Pieter-1337 commented 6 months ago

@fancyDevelopment I do notice that I have a suffix of /v2.0 on my authority, perhaps the older versions return a differently formatted token?

fancyDevelopment commented 6 months ago

Hi @Pieter-1337, thank you very much. Your first screenshot looked like a B2C tenant. This worked for me too without any problems, also in customer projects. Now I also added v2.0 to my Entra ID URL and I can confirm it works now. Without it I get an incorrectly formatted access token. Thank you very much for this very important hint. So no code change is necessary.
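As an added illustration (not code from Fancy.ResourceLinker or from anyone in this thread), the following C# helper shows how a gateway could check the compact-serialization shape of the access token before calling `JwtSecurityTokenHandler.ReadJwtToken`, so that a misconfigured `Authority` surfaces as an actionable configuration error rather than the bare exception above. The class name `AccessTokenReader`, the `authority` parameter and the `/v2.0` hint text are assumptions; `CanReadToken` and `ReadJwtToken` are real members of `System.IdentityModel.Tokens.Jwt`.

```csharp
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Linq;
using System.Security.Claims;

// Hypothetical helper, not part of Fancy.ResourceLinker.
public static class AccessTokenReader
{
    private static readonly JwtSecurityTokenHandler Handler = new();

    // JWS compact form has 3 segments (2 dots), JWE compact form has 5 segments (4 dots).
    // CanReadToken additionally applies the handler's own format and size checks.
    public static bool IsCompactSerialization(string? token)
    {
        if (string.IsNullOrWhiteSpace(token)) return false;
        int dots = token.Count(c => c == '.');
        return (dots == 2 || dots == 4) && Handler.CanReadToken(token);
    }

    // Reads claims from the access token; on a malformed token it reports the most
    // likely configuration cause discussed in this issue (Entra ID authority without /v2.0).
    public static ClaimsPrincipal ReadClaims(string? accessToken, string authority)
    {
        if (!IsCompactSerialization(accessToken))
        {
            bool isV2 = authority.TrimEnd('/')
                .EndsWith("/v2.0", StringComparison.OrdinalIgnoreCase);
            string hint = isV2
                ? string.Empty
                : " The configured Authority does not end in '/v2.0'; for Microsoft Entra ID use" +
                  " 'https://login.microsoftonline.com/<Your Tenant ID>/v2.0' (see issue #26).";
            throw new InvalidOperationException(
                "Access token is not in JWS or JWE compact serialization format." + hint);
        }

        JwtSecurityToken jwt = Handler.ReadJwtToken(accessToken);
        return new ClaimsPrincipal(new ClaimsIdentity(jwt.Claims));
    }
}
```

Note that this only checks the token's shape; signature and issuer validation still belong to the configured authentication handler.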