JWT Authentication Failure with MS-Graph Integration

[iacob28]

Issue Description

Summary

After upgrading Wazuh from version 4.7 to version 4.8 using the "Keeping custom docker-compose files" method, we have integrated MS-Graph for the first time. Since the integration, we are encountering repeated authentication failures. The errors indicate that the JWT token used for authentication is not well-formed.

Logs

The following warnings are repeatedly logged:

2024/06/20 10:47:57 wazuh-modulesd:ms-graph: WARNING: Received unsuccessful status code when attempting to get relationship 'alerts_v2' logs: Status code was '401' & response was '{"error":{"code":"InvalidAuthenticationToken","message":"IDX14100: JWT is not well formed, there are no dots (.).\nThe token needs to be in JWS or JWE Compact Serialization Format. (JWS): 'EncodedHeader.EndcodedPayload.EncodedSignature'. (JWE): 'EncodedProtectedHeader.EncodedEncryptedKey.EncodedInitializationVector.EncodedCiphertext.EncodedAuthenticationTag'.","innerError":{"date":"2024-06-20T10:47:57","request-id":"1bcf901f-9b6c-42e8-9b82-eb7201a52405","client-request-id":"1bcf901f-9b6c-42e8-9b82-eb7201a52405"}}}'

2024/06/20 10:47:58 wazuh-modulesd:ms-graph: WARNING: Received unsuccessful status code when attempting to get relationship 'incidents' logs: Status code was '401' & response was '{"error":{"code":"InvalidAuthenticationToken","message":"IDX14100: JWT is not well formed, there are no dots (.).\nThe token needs to be in JWS or JWE Compact Serialization Format. (JWS): 'EncodedHeader.EndcodedPayload.EncodedSignature'. (JWE): 'EncodedProtectedHeader.EncodedEncryptedKey.EncodedInitializationVector.EncodedCiphertext.EncodedAuthenticationTag'.","innerError":{"date":"2024-06-20T10:47:58","request-id":"776545c5-3d17-421a-8cb7-af94e1e6efd7","client-request-id":"776545c5-3d17-421a-8cb7-af94e1e6efd7"}}}'

2024/06/20 10:48:00 wazuh-modulesd:ms-graph: WARNING: Received unsuccessful status code when attempting to get relationship 'secureScores' logs: Status code was '401' & response was '{"error":{"code":"InvalidAuthenticationToken","message":"IDX14100: JWT is not well formed, there are no dots (.).\nThe token needs to be in JWS or JWE Compact Serialization Format. (JWS): 'EncodedHeader.EndcodedPayload.EncodedSignature'. (JWE): 'EncodedProtectedHeader.EncodedEncryptedKey.EncodedInitializationVector.EncodedCiphertext.EncodedAuthenticationTag'.","innerError":{"date":"2024-06-20T10:48:00","request-id":"0abb2f7b-74b0-4aed-a14b-3aa118857c26","client-request-id":"0abb2f7b-74b0-4aed-a14b-3aa118857c26"}}}'

2024/06/20 10:48:02 wazuh-modulesd:ms-graph: WARNING: Received unsuccessful status code when attempting to get relationship 'signIns' logs: Status code was '401' & response was '{"error":{"code":"InvalidAuthenticationToken","message":"IDX14100: JWT is not well formed, there are no dots (.).\nThe token needs to be in JWS or JWE Compact Serialization Format. (JWS): 'EncodedHeader.EndcodedPayload.EncodedSignature'. (JWE): 'EncodedProtectedHeader.EncodedEncryptedKey.EncodedInitializationVector.EncodedCiphertext.EncodedAuthenticationTag'.","innerError":{"date":"2024-06-20T10:48:02","request-id":"df3f70db-8413-4149-be22-053f55238eb1","client-request-id":"df3f70db-8413-4149-be22-053f55238eb1"}}}'

Environment Details

• Wazuh Version: 4.8
• Docker: Yes
• Upgrade Method: Keeping custom docker-compose files
• Previous Version: 4.7

Steps to Reproduce

1. Integrate Wazuh with MS-Graph.
2. Monitor the logs for authentication errors.

Expected Behavior

The JWT tokens should be correctly formatted and authenticated, allowing for successful API calls.

Actual Behavior

The JWT tokens are reported as not well-formed, leading to authentication failures with status code 401.

Additional Information

The integration with MS-Graph was implemented after the upgrade to version 4.8, so it's unclear if this issue would have existed in version 4.7.

Suggested Solutions

• Verify the JWT token generation process within the MS-Graph integration.
• Check for any configuration issues that might lead to the improper formation of JWT tokens.
• Review any changes or requirements in the MS-Graph authentication process that might have been introduced in Wazuh v4.8.

Request for Assistance

Please provide guidance on how to resolve the JWT token formatting issue with the MS-Graph integration post-upgrade. If additional logs or information are required, I will be happy to provide them.

Thank you!

[iacob28]

Here is the full debug log PS: the data is randomize. All the UUIDs are replaced with random consistent data wazuh_debug_obfuscated.txt