nginx-openid-connect / nginx-oidc-core

Reference implementation of OpenID Connect integration for NGINX Plus
BSD 2-Clause "Simplified" License

Azure AD: access token validation via oidc_jwt_keyfile endpoint #10

Open shawnhankim opened 1 year ago

shawnhankim commented 1 year ago

Issue:

  1. Most IdPs' $oidc_jwt_keyfile endpoints work for access token validation, but Azure AD doesn't, as the following message shows:

    [info] 87#87: *500 JWT RS validation failed kid:"2ZQpJ3UpbjAYXYGaXEJl8lV0TOI" (SSL: error:04091068:rsa routines:int_rsa_verify:bad signature), client: 172.18.0.1, server: nginx.azure.test, request: "GET /v1/api/example HTTP/1.1", host: "nginx.azure.test:15000"
    • This is because, if a nonce is included in the access token, validating the signature with JWT.io or JWT SecurityToken won't succeed.
  2. To solve #1, we can add "[CLIENT_ID]/.default" in the authorization endpoint of Azure AD.

  3. However, the access token doesn't work for the userinfo endpoint as a Bearer token in the header of the API request, although the validation works.

    {"error":{"code":"InvalidAuthenticationToken","message":"Access token validation failure. Invalid audience.","innerError": 
    {"date":"2022-10-15T07:13:25","request-id":"xxxx-xxx-xxx-xxx-xxxx","client-request-id":"xxxx-xxx-xxx-xxx-xxxx"}}}
  4. To successfully get a 200 response from the /userinfo endpoint, we can either remove the scope in the authorization endpoint or find a way to solve the invalid audience.

References:

shawnhankim commented 1 year ago

Azure AD Access Token Types

There are two main types of Azure AD access token, summarised below, and our problem is that we are using the wrong type of token:

Audience | Description
-- | --
Microsoft APIs | These contain a nonce field in the JWT header and are not designed for custom APIs such as ours to validate
Custom APIs | Custom APIs need to get a token that can be validated, and we are not yet configured to enable this

If we get a token with a nonce field in the JWT header, then it is intended for Microsoft APIs to validate, and will always fail standard signature-based validation.