Correctly utilize JWT tokens instead of normal accessTokens for AzureAD #403

Closed
thebillkidy opened this issue Mar 24, 2019 · 1 comment
Assignees
Labels
bug
Milestone

Comments

@thebillkidy

@thebillkidy thebillkidy commented Mar 24, 2019

AzureAD requires you to utilize the JWT token when you provide a resource id. Currently the default behaviour in Bell is utilizing the non resource id configuration, making it fail on retrieving the User Credentials because this endpoint utilizes a non JWT authorization.

In more detail:

Default:
Profile will be gotten through the current provider calling:

const profile = await get('https://login.microsoftonline.com/' + tenantId + '/openid/userinfo');

Resource ID:
When providing a resource id such as:

        providerParams: {
            resource: 'https://storage.azure.com/'
        }

An error will be thrown stating "InvalidAuthentication" because a JWT token is retrieved now rather than a normal token (see: https://stackoverflow.com/questions/28631635/cannot-access-openid-userinfo-endpoint-on-azure-aadsts90010-jwt-tokens-cannot)

Note: this JWT token should be compressed through GZIP seeing that the length can exceed 4096 which will bug every Set-Cookie implementation out there - see: https://github.com/jwtk/jjwt

This should be handled correctly, and in this case the JWT should be decoded and the user details should be retrieved from the JWT claims.

Update 27/MAR: This should change to utilize the v2 endpoints to enable correct handling for retrieving the user profile, as well as changing the resource declaration to scopes.

e.g. https://graph.microsoft.com/beta/me/ with access token

@AdriVanHoudt AdriVanHoudt self-assigned this Apr 2, 2019
@AdriVanHoudt


@AdriVanHoudt AdriVanHoudt commented Apr 2, 2019

Please post updates as new comments, this makes it easier to spot them ;)
Am I correct that this issue is solved by using Azure AD v2 in #404?

@hueniverse hueniverse closed this Sep 13, 2019
@hueniverse hueniverse added this to the 11.0.0 milestone Sep 13, 2019
@hueniverse hueniverse added the bug label Sep 13, 2019