payara / ecosystem-support

Placeholder repository to handle community requests for the Payara Platform ecosystem tools

Openid problem to get Access token from Azure with aud claim set for api permission #37

Closed markusg80 closed 2 years ago

markusg80 commented 2 years ago

I have the following scenario. I have one web app running with Payara 5.2021.6 which gets an access token from Azure with OpenID Connect. Then I have a second web app with a REST API, also running on Payara 5.2021.6. On the web app with the REST API I have an exposed API with the following id (api://433c6e0f-8762-4e14-af2e-c6b568724312/rest_access). On the web app I use the new Bearer authentication with Azure, and when I connect with my Android application everything works great. I can also run the query with Postman with the scope value set to api://433c6e0f-8762-4e14-af2e-c6b568724312/rest_access, and there also everything works fine. But when I try to get an access token in my second web app I get the following error:

```
java.lang.IllegalStateException: [433c6e0f-8762-4e14-af2e-c6b568724312/All.Write scope is not supported by https://login.microsoftonline.com/7be21829-23c6-4bf2-b4ed-30b2a5d35546/v2.0 OpenId Connect provider]
    at fish.payara.security.openid.controller.ConfigurationController.validateConfiguration(ConfigurationController.java:276)
    at fish.payara.security.openid.controller.ConfigurationController.buildConfig(ConfigurationController.java:261)
    at fish.payara.security.openid.controller.ConfigurationController.produceConfiguration(ConfigurationController.java:100)
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.base/java.lang.reflect.Method.invoke(Method.java:566)
    at org.jboss.weld.injection.StaticMethodInjectionPoint.invoke(StaticMethodInjectionPoint.java:95)
    at org.jboss.weld.injection.StaticMethodInjectionPoint.invoke(StaticMethodInjectionPoint.java:85)
    at org.jboss.weld.injection.producer.ProducerMethodProducer.produce(ProducerMethodProducer.java:103)
    at org.jboss.weld.injection.producer.AbstractMemberProducer.produce(AbstractMemberProducer.java:161)
    at org.jboss.weld.bean.AbstractProducerBean.create(AbstractProducerBean.java:180)
    at org.jboss.weld.contexts.AbstractContext.get(AbstractContext.java:96)
    at org.jboss.weld.bean.ContextualInstanceStrategy$DefaultContextualInstanceStrategy.get(ContextualInstanceStrategy.java:100)
    at org.jboss.weld.bean.ContextualInstanceStrategy$CachingContextualInstanceStrategy.get(ContextualInstanceStrategy.java:177)
    at org.jboss.weld.bean.ContextualInstance.get(ContextualInstance.java:50)
    at org.jboss.weld.bean.proxy.ContextBeanInstance.getInstance(ContextBeanInstance.java:102)
    at org.jboss.weld.bean.proxy.ProxyMethodHandler.getInstance(ProxyMethodHandler.java:131)
    at fish.payara.security.openid.domain.OpenIdConfiguration$Proxy$_$$WeldClientProxy.buildRedirectURI(Unknown Source)
    at fish.payara.security.openid.OpenIdAuthenticationMechanism.authenticate(OpenIdAuthenticationMechanism.java:291)
    at fish.payara.security.openid.OpenIdAuthenticationMechanism.validateRequest(OpenIdAuthenticationMechanism.java:206)
    at fish.payara.security.openid.OpenIdAuthenticationMechanism$Proxy$$$WeldClientProxy.validateRequest(Unknown Source)
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.base/java.lang.reflect.Method.invoke(Method.java:566)
    at org.jboss.weld.bean.proxy.AbstractBeanInstance.invoke(AbstractBeanInstance.java:38)
    at org.jboss.weld.bean.proxy.ProxyMethodHandler.invoke(ProxyMethodHandler.java:106)
    at org.jboss.weldx.security.enterprise.authentication.mechanism.http.HttpAuthenticationMechanism$117851612$Proxy$$$_WeldClientProxy.validateRequest(Unknown Source)
    at org.glassfish.soteria.mechanisms.jaspic.HttpBridgeServerAuthModule.validateRequest(HttpBridgeServerAuthModule.java:151)
    at org.glassfish.soteria.mechanisms.jaspic.DefaultServerAuthContext.validateRequest(DefaultServerAuthContext.java:76)
    at com.sun.web.security.realmadapter.JaspicRealm.validateRequest(JaspicRealm.java:391)
    at com.sun.web.security.realmadapter.JaspicRealm.validateRequest(JaspicRealm.java:358)
    at com.sun.web.security.realmadapter.JaspicRealm.validateRequest(JaspicRealm.java:181)
    at com.sun.web.security.RealmAdapter.invokeAuthenticateDelegate(RealmAdapter.java:487)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:468)
    at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:726)
    at org.apache.catalina.core.StandardPipeline.doChainInvoke(StandardPipeline.java:581)
    at com.sun.enterprise.web.WebPipeline.invoke(WebPipeline.java:97)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:158)
    at org.apache.catalina.connector.CoyoteAdapter.doService(CoyoteAdapter.java:371)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:238)
    at com.sun.enterprise.v3.services.impl.ContainerMapper$HttpHandlerCallable.call(ContainerMapper.java:520)
    at com.sun.enterprise.v3.services.impl.ContainerMapper.service(ContainerMapper.java:217)
    at org.glassfish.grizzly.http.server.HttpHandler.runService(HttpHandler.java:182)
    at org.glassfish.grizzly.http.server.HttpHandler.doHandle(HttpHandler.java:156)
    at org.glassfish.grizzly.http.server.HttpServerFilter.handleRead(HttpServerFilter.java:218)
    at org.glassfish.grizzly.filterchain.ExecutorResolver$9.execute(ExecutorResolver.java:95)
    at org.glassfish.grizzly.filterchain.DefaultFilterChain.executeFilter(DefaultFilterChain.java:260)
    at org.glassfish.grizzly.filterchain.DefaultFilterChain.executeChainPart(DefaultFilterChain.java:177)
    at org.glassfish.grizzly.filterchain.DefaultFilterChain.execute(DefaultFilterChain.java:109)
    at org.glassfish.grizzly.filterchain.DefaultFilterChain.process(DefaultFilterChain.java:88)
    at org.glassfish.grizzly.ProcessorExecutor.execute(ProcessorExecutor.java:53)
    at org.glassfish.grizzly.nio.transport.TCPNIOTransport.fireIOEvent(TCPNIOTransport.java:524)
    at org.glassfish.grizzly.strategies.AbstractIOStrategy.fireIOEvent(AbstractIOStrategy.java:89)
    at org.glassfish.grizzly.strategies.WorkerThreadIOStrategy.run0(WorkerThreadIOStrategy.java:94)
    at org.glassfish.grizzly.strategies.WorkerThreadIOStrategy.access$100(WorkerThreadIOStrategy.java:33)
    at org.glassfish.grizzly.strategies.WorkerThreadIOStrategy$WorkerThreadRunnable.run(WorkerThreadIOStrategy.java:114)
    at org.glassfish.grizzly.threadpool.AbstractThreadPool$Worker.doWork(AbstractThreadPool.java:569)
    at org.glassfish.grizzly.threadpool.AbstractThreadPool$Worker.run(AbstractThreadPool.java:549)
    at java.base/java.lang.Thread.run(Thread.java:829)
```

My AzureAuthenticationDefinition is this:

```java
@AzureAuthenticationDefinition(
    clientId = "xxxxxxxx-xxxx-xxxx-856d-0df599a8eb34",
    clientSecret = "****",
    claimsDefinition = @ClaimsDefinition(
        callerGroupsClaim = "roles",
        callerNameClaim = "unique_name"
    ),
    tokenAutoRefresh = true,
    tenantId = "7be21829-23c6-4bf2-b4ed-30b2a5d35546",
    redirectURI = "https://poc.cslive-its.ch:9191/resttest-client/Callback",
    scope = {"api://433c6e0f-8762-4e14-af2e-c6b568724312/All.Write"}
)
```

I guess that there is somewhere a logic behind the scenes which destroys my scope values. But this scope is important to call the API on behalf of the user and get the permissions.
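As an added example (not code from the reporter or from Payara), the following Python models the two checks at play in this issue: the strict comparison of configured scopes against the provider's `scopes_supported` that the `validateConfiguration` frame in the trace points at, and the `aud`/`scp` check a resource API should apply to the token once it is obtained. The discovery document, the token and the relaxed `api://` rule are constructed for the example; the relaxed rule is one possible accommodation of Azure custom API permissions, not a description of how Payara fixed it.

```python
# Added example, not Payara's or the reporter's code. It models the scope check
# the trace points at (validateConfiguration vs. the provider's scopes_supported)
# and the resource-side claim check that makes the custom scope worth requesting.
import base64
import json

# Constructed metadata in the shape of Azure AD v2.0 discovery documents, which
# advertise only the standard OIDC scopes, never app-specific api:// permissions.
AZURE_LIKE_DISCOVERY = {
    "issuer": "https://login.microsoftonline.com/7be21829-23c6-4bf2-b4ed-30b2a5d35546/v2.0",
    "scopes_supported": ["openid", "profile", "email", "offline_access"],
}


def unsupported_scopes(requested, discovery, allow_resource_scopes=False):
    """Return the requested scopes a strict scopes_supported check rejects.

    With allow_resource_scopes=True, scopes of the form api://<app-id>/<perm>
    pass even though the provider does not list them; this is one way to
    accommodate Azure custom API permissions, not necessarily Payara's fix."""
    supported = set(discovery.get("scopes_supported", []))
    return [
        s for s in requested
        if s not in supported and not (allow_resource_scopes and s.startswith("api://"))
    ]


def _b64url_json(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def unsigned_token(claims):
    """Build a constructed, unsigned JWT for the example (signature part empty)."""
    return ".".join([_b64url_json({"alg": "none"}), _b64url_json(claims), ""])


def token_grants(access_token, accepted_audiences, required_permission):
    """Resource-side check: aud must name this API and scp must carry the
    permission. Signature, iss and exp verification against the tenant's
    JWKS are separate steps and are not performed here."""
    payload = access_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    claims = json.loads(base64.urlsafe_b64decode(payload))
    if claims.get("aud") not in accepted_audiences:
        return False
    return required_permission in claims.get("scp", "").split()
```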

MeroRai commented 2 years ago

Hi @markusg80, please, can you provide a simple to follow scenario on how to reproduce this on the latest release of Payara Community Edition? A reproducer should ideally follow the SSCCE rules: http://www.sscce.org/. It will greatly help us to find the cause and fix it.

markusg80 commented 2 years ago

Yes, I will provide this this week.

markusg80 commented 2 years ago

So @MeroRai, I think it's a little bit difficult to give you an SSCCE example, because you don't have access to my Azure API. Also, I cannot share this with you. So I can send you the source code of my POC app, but I don't think this will provide additional input to you. The main information of this POC is already provided within the issue description. So maybe you can give me a hint where I can find the code which is creating the different request URLs to the authorization, token and userinfo endpoints, because I already created the request with Postman and there I receive a valid token, and with this I was able to access my REST API.

markusg80 commented 2 years ago

This is solved with 5.2021.10.