Signature validation error while doing an API call... #360

Open
Tompelo666 opened this issue Feb 10, 2025 · 4 comments

Comments

@Tompelo666

Hello,

I came across this implementation and I've been trying to solve my use case using it.

My use case is simplified as follows:

  1. Front end Angular application authenticates user using MSAL (OIDC)
  2. Azure issues the user an ID Token and Access Token.
  3. Access token is sent to DRF which is configured using this library

I've gotten pretty far already with the guides provided, mainly this one: https://django-auth-adfs.readthedocs.io/en/latest/azure_ad_config_guide.html

What I'm struggling with is the access token validation. I have checked all that I can think of, but everything seems to check out configuration wise. I also tried to see past issues for clues, but didn't manage to find resolution.

What I have noticed:
I'm ONLY using the OIDC v2.0 endpoints, but I can see from the access token that it is actually the VERSION 1, which would kind of explain the verification error, because it is trying to verify it against the v2.0 JWKS endpoint...
I've also verified that the front-end application is using only the v2.0 endpoints for OIDC. Currently I can't say what is forcing it to the v1.0 version...

Here is my settings.py

AUTH_ADFS = {
    "AUDIENCE": "api://e68a0282-****-****-****-***************",
    "CLIENT_ID": "e68a0282-****-****-****-***************",
    "CLIENT_SECRET": "** SECRET **",
    "USERNAME_CLAIM": 'upn',
    "TENANT_ID": "5d471751-****-****-****-***************",
    "RELYING_PARTY_ID": "api://e68a0282-****-****-****-***************",
    "PROXIES": {'http': '10.158.100.1:8080', 'https': '10.158.100.1:8080'},
    "LOGIN_EXEMPT_URLS": ['^$', '^admin', '^api'],
    "VERSION": "v2.0",
    "SCOPES": ["read", "api://e68a0282-****-****-****-***************/read"],
}

LOGIN_URL = "django_auth_adfs:login"
LOGIN_REDIRECT_URL = "/"

My debug logs:

Backend fetches the OIDC config from the Azure tenant .well-known API:
==================================================

[2025-01-13 11:10:21] DEBUG config.load_config 212: Loading ID Provider configuration.
[2025-01-13 11:10:21] INFO config._load_openid_config 251: Trying to get OpenID Connect config from https://login.microsoftonline.com/5d471751-****-****-****-***************/v2.0/.well-known/openid-configuration?appid=e68a0282-****-****-****-***************
[2025-01-13 11:10:21] INFO config._load_openid_config 251: Trying to get OpenID Connect config from https://login.microsoftonline.com/5d471751-****-****-****-***************/v2.0/.well-known/openid-configuration?appid=e68a0282-****-****-****-***************
[2025-01-13 11:10:22] DEBUG config._load_keys 317: Loading public key from certificate: *** PUBLICKEY ***
[2025-01-13 11:10:22] DEBUG config._load_keys 317: Loading public key from certificate: *** PUBLICKEY ***
[2025-01-13 11:10:22] DEBUG config._load_keys 317: Loading public key from certificate: *** PUBLICKEY ***
[2025-01-13 11:10:22] INFO config.load_config 232: Loaded settings from ADFS server.
[2025-01-13 11:10:22] INFO config.load_config 232: Loaded settings from ADFS server.
[2025-01-13 11:10:22] INFO config.load_config 233: operating mode:         openid_connect
[2025-01-13 11:10:22] INFO config.load_config 233: operating mode:         openid_connect
[2025-01-13 11:10:22] INFO config.load_config 234: authorization endpoint: https://login.microsoftonline.com/5d471751-****-****-****-***************/oauth2/v2.0/authorize
[2025-01-13 11:10:22] INFO config.load_config 234: authorization endpoint: https://login.microsoftonline.com/5d471751-****-****-****-***************/oauth2/v2.0/authorize
[2025-01-13 11:10:22] INFO config.load_config 235: token endpoint:         https://login.microsoftonline.com/5d471751-****-****-****-***************/oauth2/v2.0/token
[2025-01-13 11:10:22] INFO config.load_config 235: token endpoint:         https://login.microsoftonline.com/5d471751-****-****-****-***************/oauth2/v2.0/token
[2025-01-13 11:10:22] INFO config.load_config 236: end session endpoint:   https://login.microsoftonline.com/5d471751-****-****-****-***************/oauth2/v2.0/logout
[2025-01-13 11:10:22] INFO config.load_config 236: end session endpoint:   https://login.microsoftonline.com/5d471751-****-****-****-***************/oauth2/v2.0/logout
[2025-01-13 11:10:22] INFO config.load_config 237: issuer:                 https://login.microsoftonline.com/5d471751-****-****-****-***************/v2.0
[2025-01-13 11:10:22] INFO config.load_config 237: issuer:                 https://login.microsoftonline.com/5d471751-****-****-****-***************/v2.0
[2025-01-13 11:10:22] INFO config.load_config 238: msgraph endpoint:       graph.microsoft.com
[2025-01-13 11:10:22] INFO config.load_config 238: msgraph endpoint:       graph.microsoft.com


Front-end sends request to backend API, but access token verification fails:
==================================================================================== 

[2025-01-13 11:57:19] DEBUG backend.process_access_token 167: Received access token: *** ACCESS TOKEN HERE ***
[2025-01-13 11:57:19] DEBUG backend.process_access_token 167: Received access token: *** ACCESS TOKEN HERE ***
[2025-01-13 11:57:19] DEBUG backend.process_access_token 167: Received access token: *** ACCESS TOKEN HERE ***
[2025-01-13 11:57:19] DEBUG backend.process_access_token 167: Received access token: *** ACCESS TOKEN HERE ***
[2025-01-13 11:57:19] INFO backend.validate_access_token 157: Error decoding signature: Signature verification failed
[2025-01-13 11:57:19] INFO backend.validate_access_token 157: Error decoding signature: Signature verification failed
[2025-01-13 11:57:19] INFO backend.validate_access_token 157: Error decoding signature: Signature verification failed
[2025-01-13 11:57:19] INFO backend.validate_access_token 157: Error decoding signature: Signature verification failed
[2025-01-13 11:57:19] INFO backend.validate_access_token 157: Error decoding signature: Signature verification failed
[2025-01-13 11:57:19] INFO backend.validate_access_token 157: Error decoding signature: Signature verification failed
[2025-01-13 11:57:19] INFO backend.validate_access_token 157: Error decoding signature: Signature verification failed
[2025-01-13 11:57:19] INFO backend.validate_access_token 157: Error decoding signature: Signature verification failed
[2025-01-13 11:57:19] WARNING log.log_response 241: Unauthorized: /api/v1/swrelease/
[2025-01-13 11:57:19] WARNING log.log_response 241: Unauthorized: /api/v1/swrelease/
[2025-01-13 11:57:19] WARNING log.log_response 241: Unauthorized: /api/v1/stabilityreport/latest_builds/
[2025-01-13 11:57:19] WARNING log.log_response 241: Unauthorized: /api/v1/stabilityreport/latest_builds/
[2025-01-13 11:57:19] INFO h11_impl.send 476: 172.18.0.9:50408 - "GET /api/v1/swrelease/?nested=1&report_exist HTTP/1.1" 401
[2025-01-13 11:57:19] INFO h11_impl.send 476: 172.18.0.9:50426 - "GET /api/v1/stabilityreport/latest_builds/ HTTP/1.1" 401
[2025-01-13 11:57:19] WARNING log.log_response 241: Unauthorized: /api/v1/testarea/
[2025-01-13 11:57:19] WARNING log.log_response 241: Unauthorized: /api/v1/testarea/
[2025-01-13 11:57:19] INFO h11_impl.send 476: 172.18.0.9:50420 - "GET /api/v1/testarea/ HTTP/1.1" 401
[2025-01-13 11:57:19] WARNING log.log_response 241: Unauthorized: /api/v1/swrelease/
[2025-01-13 11:57:19] WARNING log.log_response 241: Unauthorized: /api/v1/swrelease/

Any idea where I should look next?

@Tompelo666
Author

Still looking to get some guidance on this topic if possible. :(

@tim-schilling
Member

Have you walked through why the signature verification fails? I would start there. Once you understand which part of the JWT is invalid, then it's easier to search the internet for and understand why that's not happening.

@Tompelo666
Author

Thank you for answering!

I'm sure it has something to do with what I mentioned:
"I'm ONLY using the OIDC v2.0 endpoints, but I can see from the access token that it is actually VERSION 1, which would kind of explain the verification error, because it is trying to verify it against the v2.0 JWKS endpoint..."

As the access token is - for some unknown reason - v1 instead of v2 and it is trying to verify it against this endpoint:
https://login.microsoftonline.com/**TENANT ID**/discovery/v2.0/keys

This logically leads to an error as V1 should verify the token against this JWKS endpoint: https://login.microsoftonline.com/common/discovery/keys

I have also tried to change the "accessTokenAcceptedVersion" in the Azure application manifest to "2", but it didn't have any effect on this...

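A quick way to do the "walk through why the signature verification fails" step discussed above, as an added example that is not part of django-auth-adfs or the poster's setup: decode the header and payload without verifying anything, then compare the token's `ver`, `iss` and `aud` claims and the header `kid` against what the backend is configured for and against the JWKS document you actually fetched. The tenant and app ids are placeholders, the sample token carries a dummy signature (it only exercises the triage), and the v1.0 / v2.0 issuer and JWKS URLs are the standard Entra ID ones; the v1.0 JWKS URL is the tenant-scoped form of the `/common/discovery/keys` endpoint mentioned above.

```python
"""Triage an Entra ID (Azure AD) access token before signature verification.

Added example, not part of django-auth-adfs. Decodes the JWT WITHOUT
verifying the signature, then checks the things that must line up before
any signature check can succeed: the token's `ver` claim against the
configured VERSION, the issuer that version implies, the audience, the
algorithm, and whether the header `kid` exists in the loaded JWKS.
"""
import base64
import json

# Placeholder ids, constructed for this example (not the issue's real ids).
TENANT = "5d471751-0000-0000-0000-000000000000"
APP_ID = "e68a0282-0000-0000-0000-000000000000"
AUDIENCE = f"api://{APP_ID}"


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def decode_unverified(token: str):
    """Split a compact JWS and JSON-decode header and payload. No signature check."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(b64url_decode(parts[0])), json.loads(b64url_decode(parts[1]))


def expected_endpoints(tenant: str, ver: str):
    """Issuer and JWKS URL Entra ID uses for v1.0 and v2.0 access tokens."""
    base = "https://login.microsoftonline.com"
    if ver == "1.0":
        return {"issuer": f"https://sts.windows.net/{tenant}/",
                "jwks_uri": f"{base}/{tenant}/discovery/keys"}
    if ver == "2.0":
        return {"issuer": f"{base}/{tenant}/v2.0",
                "jwks_uri": f"{base}/{tenant}/discovery/v2.0/keys"}
    return None  # unknown or missing `ver` claim


def triage(token: str, tenant: str, configured_version: str, audience: str, jwks: dict) -> dict:
    """Return the claims that matter plus every mismatch that would make
    signature verification fail, or make the token unacceptable even if it verified."""
    header, payload = decode_unverified(token)
    ver = str(payload.get("ver", ""))
    want = configured_version.lstrip("v")  # settings say "v2.0", the claim says "2.0"
    findings = []
    if ver != want:
        findings.append(f"token ver={ver!r} but backend is configured for v{want}")
    expected = expected_endpoints(tenant, ver)
    if expected is None:
        findings.append(f"unrecognised ver={ver!r}; cannot derive issuer or JWKS endpoint")
    elif payload.get("iss") != expected["issuer"]:
        findings.append(f"iss={payload.get('iss')!r}, expected {expected['issuer']!r}")
    if payload.get("aud") != audience:
        findings.append(f"aud={payload.get('aud')!r} is not {audience!r}; token was not issued for this API")
    if header.get("alg") != "RS256":
        findings.append(f"alg={header.get('alg')!r}; Entra ID signs with RS256, reject anything else")
    kids = {k.get("kid") for k in jwks.get("keys", [])}
    if header.get("kid") not in kids:
        findings.append(f"kid={header.get('kid')!r} not in loaded JWKS {sorted(kids)}; no key to verify with")
    return {"ver": ver, "iss": payload.get("iss"), "aud": payload.get("aud"),
            "kid": header.get("kid"), "alg": header.get("alg"),
            "expected": expected, "findings": findings}


def make_unsigned_sample(header: dict, payload: dict) -> str:
    """Build a token with a dummy signature, for exercising the triage only."""
    return ".".join([b64url_encode(json.dumps(header).encode()),
                     b64url_encode(json.dumps(payload).encode()),
                     b64url_encode(b"not-a-real-signature")])


# Constructed inputs: a v1.0-shaped token like the one the issue describes,
# checked against a v2.0 configuration and a JWKS that lacks the token's kid.
SAMPLE_TOKEN = make_unsigned_sample(
    {"typ": "JWT", "alg": "RS256", "kid": "v1-signing-key"},
    {"ver": "1.0", "iss": f"https://sts.windows.net/{TENANT}/", "aud": AUDIENCE,
     "upn": "user@example.com"})
SAMPLE_JWKS = {"keys": [{"kty": "RSA", "use": "sig", "kid": "v2-signing-key"}]}

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_TOKEN, TENANT, "v2.0", AUDIENCE, SAMPLE_JWKS), indent=2))
```

Run it against the real access token (paste it in place of `SAMPLE_TOKEN`) and the JWKS document fetched from the URL the backend logs; an empty `findings` list means the key set can at least be tried, while a `ver`, `iss` or `kid` finding tells you which side, token issuance or backend configuration, to fix first. Nothing here replaces the real signature check; it only explains why that check cannot succeed.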
@tim-schilling
Member

At this point, this appears to be an issue with the specific configuration rather than the library. I'm sorry, but I don't have the availability to help you debug that type of problem.
