Azure AD and private_key_jwt - how to make it work

[juur]

Hi,

I cannot get private_key_jwt to work with Azure AD. I started with a working configuration using OIDCClientSecret, but when shifting to private_key_jwt I get errors back from Azure:

oidc_util_check_json_error: response contained an "error_description" entry with value: ""AADSTS700027: Client assertion contains an invalid signature. [Reason - The key was not found., Please visit the Azure Portal, Graph Explorer or directly use MS Graph to see configured keys for app Id 'xxx'. Review the documentation at https://docs.microsoft.com/en-us/graph/deployments to determine the corresponding service endpoint and https://docs.microsoft.com/en-us/graph/api/application-get?view=graph-rest-1.0&tabs=http to build a query request URL, such as 'https://graph.microsoft.com/beta/applications/xxx'].\r\nTrace ID: xxx\r\nCorrelation ID: xxx\r\nTimestamp: 2021-12-19 14:50:17Z""

I tried using curl manually with the same certificate & key combination and it worked.

My configuration is as below. The customKeyIdentifier in Azure matches the fingerprint of the X.509 certificate.

OIDCCryptoPassphrase "xxx"
OIDCPublicKeyFiles "aad-sp-xxx.crt"
OIDCPrivateKeyFiles "aad-sp-xxx.key"
OIDCClientID "xxx"
OIDCProviderMetadataURL "https://login.microsoftonline.com/xxx/v2.0/.well-known/openid-configuration"
OIDCRedirectURI "https://xxx/redirect_uri"
OIDCProviderTokenEndpointAuth private_key_jwt
OIDCResponseType code
OIDCScope "openid email"
OIDCRemoteUserClaim "email"
OIDCInfoHook userinfo id_token refresh_token iat
OIDCPassIDTokenAs serialized
OIDCPassUserInfoAs claims
OIDCPassClaimsAs headers
OIDCStateMaxNumberOfCookies 7 true

Looking at the logging, it appears that mod_auth_openidc is sending a client_assertion of the form:

{
  "alg": "RS256",
  "kid": "xxx"
}
.
{
  "iss": "xxx",
  "sub": "xxx",
  "aud": "https://login.microsoftonline.com/xxx/oauth2/v2.0/token",
  "jti": "xxx",
  "exp": 1639925477,
  "iat": 1639925417
}

Whereas, according to Azure documentation is expecting:

{
  "alg": "RS256",
  "typ": "JWT",
  "x5t": "xxx"
}
.
{
  "aud": "https: //login.microsoftonline.com/xxx/oauth2/v2.0/",
  "exp": 1484593341,
  "iss": "xxx",
  "jti": "xxx",
  "nbf": 1484592741,
  "sub": "xxx"
}

The differences being: x5t instead of kid, missing typ, token missing from end of aud.

Does this mean that mod_auth_openidc is not compatible with Azure AD for private_key_jwt?
Or is there some way to configure either Azure or mod_auth_openidc to work?

[zandbelt]

both mod_auth_openidc and Azure AD are certified implementations of OpenID Connect including their usage of private_key_jwt; it looks like you've not correctly configured the verification key for you mod_auth_openidc client instance in Azure AD

[juur]

I am not sure that is correct.

The Microsoft documentation clearly stats "x5t" is required in the header and mod_auth_openidc sends "kid" - I am not an expert on JWT so I don't know how significant that is, but it is different.

To test this, I took the HTTP request from the Apache debug logs (oidc_util_http_call: url=) and constructed a curl command line that did the same thing. This gives the same error - AADSTS700027: Client assertion contains an invalid signature - so is a replica.

I then put the client_assertion= data into an online JWT encoder/decoder. Uploaded the same certificate that is in Azure and in Apache OIDC config. I changed the header to contain "x5t" and took the SHA1 fingerprint base64 encoded, as per Microsoft docs.

After making this change, and only changing the client_assertion= block of curl, it works.

Some additional background:

##Remove existing AD cert
az ad sp credential delete --cert --id "xxx" --key-id "xxx"
##Add new cert
az ad sp credential reset -n "xxx" --append --cert "@aad-sp.crt"
##Curl command
curl -X POST \
'https://login.microsoftonline.com/xxx/oauth2/v2.0/token' \
-d 'grant_type=authorization_code' \
-d 'code=xxx' \
-d 'redirect_uri=xxx' \
-d 'state=xxx' \
-d 'client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer' \
-d "client_assertion=${JWT}"

[zandbelt]

please try

diff --git a/src/jose.c b/src/jose.c
index 9423500..c2f3cbb 100644
--- a/src/jose.c
+++ b/src/jose.c
@@ -881,6 +881,9 @@ apr_byte_t oidc_jwt_sign(apr_pool_t *pool, oidc_jwt_t *jwt, oidc_jwk_t *jwk,
        if (jwt->header.enc)
                oidc_jwt_hdr_set(jwt, CJOSE_HDR_ENC, jwt->header.enc);
 
+       if (jwk->x5t)
+               oidc_jwt_hdr_set(jwt, "x5t", jwk->x5t);
+
        if (jwt->cjose_jws)
                cjose_jws_release(jwt->cjose_jws);
 

I believe it does not harm to add it by default. The overhead is not that large and receivers should ignore it if they don't know how to handle it.

[juur]

jwk->x5t appears to be NULL

[zandbelt]

ah, I was too quick indeed: this attribute would only be set by parsing a public key; I'll need to wrap my head around setting the x5t on the private key object that is used for signing

[juur]

It might be worth checking through the specifications around "kid" vs "x5t". From a quick read where there is no JWK (which I think is correct in this situation) "kid" is undefined.

[zandbelt]

there's a JWK generated from the cert that has a kid and it is published by mod_auth_openidc; however, when the configuration is done statically with the cert in Azure AD then the kid may not make sense and should be ignored

[zandbelt]

this should be better:

diff --git a/src/jose.c b/src/jose.c
index 9423500..ee1f25f 100644
--- a/src/jose.c
+++ b/src/jose.c
@@ -880,6 +880,8 @@ apr_byte_t oidc_jwt_sign(apr_pool_t *pool, oidc_jwt_t *jwt, oidc_jwk_t *jwk,
                oidc_jwt_hdr_set(jwt, CJOSE_HDR_KID, jwt->header.kid);
        if (jwt->header.enc)
                oidc_jwt_hdr_set(jwt, CJOSE_HDR_ENC, jwt->header.enc);
+       if (jwt->header.x5t)
+               oidc_jwt_hdr_set(jwt, OIDC_JOSE_JWK_X5T_STR, jwt->header.x5t);
 
        if (jwt->cjose_jws)
                cjose_jws_release(jwt->cjose_jws);
diff --git a/src/jose.h b/src/jose.h
index 5bbc20f..96773b5 100644
--- a/src/jose.h
+++ b/src/jose.h
@@ -204,6 +204,8 @@ typedef struct oidc_jwt_hdr_t {
        char *kid;
        /* JWT "enc" claim value; encryption algorithm */
        char *enc;
+       /* JWT "x5t" thumbprint */
+       char *x5t;
 } oidc_jwt_hdr_t;
 
 /* parsed JWT payload */
diff --git a/src/proto.c b/src/proto.c
index a9b79c4..b689255 100644
--- a/src/proto.c
+++ b/src/proto.c
@@ -1866,13 +1866,11 @@ static apr_byte_t oidc_proto_endpoint_access_token_bearer(request_rec *r,
 
 #define OIDC_PROTO_JWT_ASSERTION_ASYMMETRIC_ALG CJOSE_HDR_ALG_RS256
 
-static apr_byte_t oidc_proto_endpoint_auth_private_key_jwt(request_rec *r,
-               oidc_cfg *cfg, const char *client_id,
-               const apr_array_header_t *client_signing_keys, const char *audience,
+static apr_byte_t oidc_proto_endpoint_auth_private_key_jwt(request_rec *r, oidc_cfg *cfg,
+               const char *client_id, const apr_array_header_t *client_signing_keys, const char *audience,
                apr_table_t *params) {
        oidc_jwt_t *jwt = NULL;
        oidc_jwk_t *jwk = NULL;
-       const apr_array_header_t *signing_keys = NULL;
 
        oidc_debug(r, "enter");
 
@@ -1880,18 +1878,20 @@ static apr_byte_t oidc_proto_endpoint_auth_private_key_jwt(request_rec *r,
                return FALSE;
 
        if ((client_signing_keys != NULL) && (client_signing_keys->nelts > 0)) {
-               signing_keys = client_signing_keys;
+               jwk = ((oidc_jwk_t**) client_signing_keys->elts)[0];
+               jwt->header.x5t = apr_pstrdup(r->pool, jwk->x5t);
        } else if ((cfg->private_keys != NULL) && (cfg->private_keys->nelts > 0)) {
-               signing_keys = cfg->private_keys;
+               jwk = ((oidc_jwk_t**) cfg->private_keys->elts)[0];
+               if (cfg->public_keys->nelts > 0)
+                       // populate x5t; at least required for Azure AD
+                       jwt->header.x5t =
+                                       apr_pstrdup(r->pool, ((oidc_jwk_t**) (cfg->public_keys->elts))[0]->x5t);
        } else {
-               oidc_error(r,
-                               "no private keys have been configured to use for private_key_jwt client authentication (" OIDCPrivateKeyFiles ")");
+               oidc_error(r, "no private keys have been configured to use for private_key_jwt client authentication (" OIDCPrivateKeyFiles ")");
                oidc_jwt_destroy(jwt);
                return FALSE;
        }
 
-       jwk = ((oidc_jwk_t**) signing_keys->elts)[0];
-
        jwt->header.kid = apr_pstrdup(r->pool, jwk->kid);
        jwt->header.alg = apr_pstrdup(r->pool, CJOSE_HDR_ALG_RS256);
 

[juur]

Seems to work!

[zandbelt]

great, thanks for your feedback, I'll incorporate this patch in master later today so it will be in the next release