snok / django-auth-adfs

A Django authentication backend for Microsoft ADFS and AzureAD
http://django-auth-adfs.readthedocs.io/
BSD 2-Clause "Simplified" License

Signature verification failed #260

Closed chiragkanhasoftdev closed 1 year ago

chiragkanhasoftdev commented 1 year ago

Hey

I have followed this link to create the Frontend and Backend apps: https://django-auth-adfs.readthedocs.io/en/latest/azure_ad_config_guide.html, and also #259.

Do I have to use the same client_id for the Frontend and the Backend?

I have the below configuration in my backend.

[screenshot: backend configuration]

But when I call the API to validate the auth_token from the Frontend, I receive the below error.

[screenshots: error output]

I have also tried Web and SPA within the same app.

[screenshot: app registration]


chiragkanhasoftdev commented 1 year ago

Signature verification did not fail when I sent the id_token, but when I inspected the token in https://jwt.ms/ I found that the access_token has two extra keys, nonce and x5t. Do these keys cause the issue?

I set the jwt decode options and it decodes as per the below screenshot. Here aud and iss do not match, and I think that's the issue. If I change access_token to id_token, then I am not able to extract given_name, family_name and upn.

[screenshot: decoded token claims]

JonasKs commented 1 year ago

You must use the access token.

Seems like your token is for graph (the audience is for graph), so that won’t work.

JonasKs commented 1 year ago

Which token you get will often be correlated to the scope you’re using. Ensure the scope is correct.

chiragkanhasoftdev commented 1 year ago

Here is the scope that I have in my ReactJS app:

export const loginRequest = {
    scopes: ["User.Read"]
};

Here is the scope that is defined in my app:

[screenshot: exposed API scope]

chiragkanhasoftdev commented 1 year ago

Exactly which permission do I have to use in order to resolve this issue? My requirement is simple: sign in and read user profile data.

JonasKs commented 1 year ago

You need to also have the scope for your backend app. It’ll be something like:

export const loginRequest = {
    // the backend app's own scope must be requested alongside User.Read
    scopes: ["api://<clientid>/.default", "User.Read"]
};

Maybe my FastAPI documentation (which is more recent and 100% Azure focused) will clear things up: https://intility.github.io/fastapi-azure-auth/single-tenant/azure_setup

JonasKs commented 1 year ago

In that app we create a custom scope (which you can do too, or use the default one), and then we ensure the SPA requests a token for that scope: https://intility.github.io/fastapi-azure-auth/single-tenant/fastapi_configuration#implementing-fastapi-azure-auth

It's important to note that you'll most likely not need User.Read etc.; if you want to fetch additional data from Graph, that can be done through the OBO flow.
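As an added illustration (not code from django-auth-adfs or from anyone in this thread) of why a token requested with only User.Read fails while one requested with the backend's `api://<clientid>/.default` scope passes, the check below stands in for the library's signature, issuer and audience validation; the tenant id, client id and HMAC keys are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json

# All values here are constructed for the demo. A real Azure AD access token is
# RS256-signed and checked against the tenant's published signing keys; HMAC with
# a local key stands in for that so the example runs offline.
TENANT_ID = "00000000-0000-0000-0000-000000000000"          # placeholder tenant id
BACKEND_CLIENT_ID = "11111111-1111-1111-1111-111111111111"  # placeholder backend app id
ISSUER = f"https://login.microsoftonline.com/{TENANT_ID}/v2.0"
BACKEND_KEY = b"constructed-key-the-backend-can-verify"
OTHER_KEY = b"constructed-key-the-backend-cannot-verify"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_token(claims: dict, key: bytes) -> str:
    """Build a compact JWT (header.payload.signature) signed with HS256."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def validate(token: str, key: bytes = BACKEND_KEY) -> tuple:
    """Return (ok, detail): signature is checked first, then issuer, then audience."""
    header, payload, sig = token.split(".")
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        return False, "Signature verification failed"
    claims = json.loads(_b64url_decode(payload))
    if claims.get("iss") != ISSUER:
        return False, f"wrong issuer: {claims.get('iss')}"
    if claims.get("aud") not in {BACKEND_CLIENT_ID, f"api://{BACKEND_CLIENT_ID}"}:
        return False, f"wrong audience: {claims.get('aud')}"
    return True, claims.get("upn", "")

USER = {"iss": ISSUER, "upn": "user@example.com", "given_name": "Test"}
# scopes=["User.Read"] only: models a Graph-audience token, which the backend cannot verify.
GRAPH_TOKEN = make_token({**USER, "aud": "https://graph.microsoft.com"}, OTHER_KEY)
# scopes=["api://<clientid>/.default", "User.Read"]: a token minted for the backend itself.
BACKEND_TOKEN = make_token({**USER, "aud": f"api://{BACKEND_CLIENT_ID}"}, BACKEND_KEY)

if __name__ == "__main__":
    print(validate(GRAPH_TOKEN))    # (False, 'Signature verification failed')
    print(validate(BACKEND_TOKEN))  # (True, 'user@example.com')
```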

chiragkanhasoftdev commented 1 year ago

Thanks @JonasKs , issue resolved. Thanks for your help.

JonasKs commented 1 year ago

Good to hear that! You’re welcome 😊

guillaumeldc commented 1 year ago

I have the exact same issue. @chiragkanhasoftdev could you please let me know the steps you took to solve this?