access_token vs id_token

[GRRedWings]

I'm struggling a little bit trying to make sure that my application covers the full standard. I have found that certain Azure configurations do not always return an id_token. With this I am trying to implement a solution where I use the access_token.

In doing so, I'm not having a lot of luck with Apache and mod_oauth2 allowing me to pass the access token in the request and authorize access. This configuration works if I pass the id_token.

So in Apache I have configured my location as such
` Require valid-user
AuthType oauth2

     Require oauth2_claim iss:https://login.microsoftonline.com/${AZURE_TENANT_ID}/v2.0
     OAuth2TokenVerify jwks_uri https://login.microsoftonline.com/${AZURE_TENANT_ID}/discovery/v2.0/keys verify.iat=skip

`
I pass the access token, which is JWT. But the request is denied with a 401 and I see this in the logs

127.0.0.1 - UV8H6gkC7AAIVBWwVSVFrBBAg6Qb4JU_YLeEbuyKEeo [30/Aug/2023:19:59:41 +0000] "POST /me/security/secure/generateJwt HTTP/1.1" 200 974 [Wed Aug 30 20:03:59.087431 2023] [oauth2:error] [pid 10:tid 140475671496448] [client 127.0.0.1:56416] oauth2_jose_jwt_verify: cjose_jws_import failed: invalid argument

Is it not possible to use access_token to authenticate? Do I need to configure the location different?

[zandbelt]

see this page, https://learn.microsoft.com/en-us/answers/questions/793793/azure-ad-validate-access-token also including the warning about not relying on the MS specifics, for sure the signing key location is different from the ID token/OIDC signing key location; the access token JWT may also be encrypted; you'll also need to use OpenIDC/liboauth2@387419f if you want to find out the exact cause of the cjose_jws_import error but in general I'd argue you should not go this route for access tokens issued by an Authorization Provider that is not controlled by you

[GRRedWings]

In regards to the article, I am probably missing something but I have configured the .well-known against the v2.0 like the question, and similar to the response from Microsoft I'm using the keys endpoint as they describe.
OAuth2TokenVerify jwks_uri https://login.microsoftonline.com/${AZURE_TENANT_ID}/discovery/v2.0/keys?appid=${AZURE_CLIENT_ID}
But I get the same result. Is there some detail I'm missing? I again tested if I set the bearer token to the access_token it fails, but if I use the id_token from the Auth response it passes. I also verified that with my Keycloak environment I'm able to use the Access Token

The other thing to note, the access_token and id_token are both JWTs.

Also, am I correct that no mod_oauth2 binaries have been created yet for this? I'll want to build that and mod_oauth2 myself to use this at the present time?

[zandbelt]

Also, am I correct that no mod_oauth2 binaries have been created yet for this? I'll want to build that and mod_oauth2 myself to use this at the present time?

yes indeed

[GRRedWings]

I hate to keep bugging, you, but I guess would you expect me to be able to use the access_token as a means of authenticating with the library?

[zandbelt]

you'll need to build liboauth2 then deploy it with your existing mod_oauth2 (replacing the libauth2 binary installed version)

[GRRedWings]

The error I get with the updated lib_auth
_oauth2_jose_jwt_verify_jwk: cjose_jws_verify failed: [\liboauth2\cjose\src\jws.c:959 _cjose_jws_verify_sig_rs error:02000068:rsa routines::bad signature]

I'm done a little searching online, appears it could be SSL related, but I'm not getting lot of info that makes sense to me.

[zandbelt]

you must be using the wrong key then, the one used for signing id_token's is not necessarily the same one that is used for signing access tokens; you'll have to find it in the MS docs somewhere

[GRRedWings]

When you say key, what are you referring? The jwks_uri?
"jwks_uri": "https://login.microsoftonline.com/${TENANT_ID}/discovery/v2.0/keys",

In Postman I was able to take the access token and get a valid response against the user info endpoint without issue.

I also use mod_auth_openidc in my solution and with the v2.0 .well-known that works as well.

Is it possible i need to configure something different for this library?

[GRRedWings]

Maybe you can help me clear mis-understanding up.

Would you expect me to be able to authenticate a oauth2 against a jwks_uri with an access token? This comment below makes me wonder if I'm mis-understanding the tokens. That the ID Token must be used in this scenario as authentication

it is important that the resource server (your server-side application) accepts only the access token from a client. This is because access tokens are intended for authorizing access to a resource. ID Tokens, on the other hand, are intended for authentication.

[gibsonxavier]

Hi,
I have a similar use case and i am facing the same issue.
_oauth2_jose_jwt_verify_jwk: cjose_jws_verify failed: [jws.c:953 _cjose_jws_verify_sig_rs error:04091068:rsa routines:int_rsa_verify:bad signature]

[gibsonxavier]

Hi,
i was able to solve this, it was an issue with the scope that i was using to fetch the token. Instead of using api://XXXXXXX/.default i was using https://graph.microsoft.com/.default to fetch the token,
After using the token with correct scope the validation and authorization is now working.

[GRRedWings]

I'm trying to understand what exactly you used to get it to work. In reading this MS article https://learn.microsoft.com/en-us/azure/active-directory/develop/scopes-oidc it seems like something along the lines of https://my-server-name/.default would work.

I've also tried passing the scope of "scope=https://my-server-name/.default" and that didn't work. Is there some other place I should be setting this other than the scope?

[gibsonxavier]

I think there may be some difference as I am using client_credentials grant type. I also had to get the client app Id added to Users & Groups of the Server/API app in the Azure portal.

Since in my case resource server/ scope and the client was the same, it was adding the app-id of the registered app itself to the Users & Groups. In other cases you may need register the client app and then add the client app-id to the users & groups of the server/api app-id

[GRRedWings]

Thanks for the help and push. I believe I have it working with a nudge from your input. I think for me is that I now realize I had a poor understanding of what I was doing, and had not exposed the API at all. By adding a scope and a client application in my Enterprise application I think that opened the door to allow the library to validate it.