JWT validation error with AzureAD on Web Portal authentication v 8.1.3

We are using v8.1.3 and have configured the OAuth authentication module with the Azure IDP for the web portal. In the logs, we see that the id_token has been acquired, but it is failing with a token verification error.

Certificate: Using JWK endpoint configured in the identity provider.
2020-09-30 11:49:58.3560 TRACE ( ObjectLog 5gyeswz33q0uvh1psa5msp2l) : Getting JSON Web Keys from URL login.microsoftonline.com/.../keys
2020-09-30 11:49:58.4810 TRACE ( ObjectLog 5gyeswz33q0uvh1psa5msp2l) : Got following certificate from JWK:
ID: "jibNbkFSSbmxPYrN9CFqRk4K4gw"
ID: "jibNbkFSSbmxPYrN9CFqRk4K4gw"
ID: "kg2LYs2T0CTjIfj4rt6JIynen38"
ID: "kg2LYs2T0CTjIfj4rt6JIynen38"
ID: "M6pX7RHoraLsprfJeRCjSxuURhc"
ID: "M6pX7RHoraLsprfJeRCjSxuURhc"
ID: "18pnMg3UmrWvBK_tkDAbjgM5CmA"
ID: "18pnMg3UmrWvBK_tkDAbjgM5CmA"

2020-09-30 11:49:58.4810 TRACE ( ObjectLog 5gyeswz33q0uvh1psa5msp2l) : Scope value 'openid' found -> using Open ID Connect
2020-09-30 11:49:58.4810 TRACE ( ObjectLog 5gyeswz33q0uvh1psa5msp2l) : Got id_token, verifying it.
2020-09-30 11:49:58.4810 ERROR ( ObjectLog 5gyeswz33q0uvh1psa5msp2l) : Messages from token validation:
[Informational]9/30/2020 3:49:58 PM IDX12716: Decoding token: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx' into header, payload and signature.
[Informational]9/30/2020 3:49:58 PM IDX10242: Security token: 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx' has a valid signature.
[Informational]9/30/2020 3:49:58 PM IDX10239: Lifetime of the token is valid.
[Informational]9/30/2020 3:49:58 PM IDX10234: Audience Validated.Audience: 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
[Informational]9/30/2020 3:49:58 PM IDX10236: Issuer Validated.Issuer: 'login.microsoftonline.com/.../v2.0'
[Informational]9/30/2020 3:49:58 PM IDX10246: ValidateTokenReplay property on ValidationParameters is set to false. Exiting without validating the token replay.

2020-09-30 11:49:58.4810 ERROR ( ObjectLog 5gyeswz33q0uvh1psa5msp2l) : Failed to verify token. System.FormatException: Input string was not in a correct format.
at System.Text.StringBuilder.FormatError()
at System.Text.StringBuilder.AppendFormatHelper(IFormatProvider provider, String format, ParamsArray args)
at System.String.FormatHelper(IFormatProvider provider, String format, ParamsArray args)
at System.String.Format(IFormatProvider provider, String format, Object[] args)
at Microsoft.IdentityModel.Logging.IdentityModelEventSource.PrepareMessage(EventLevel level, String message, Object[] args)
at Microsoft.IdentityModel.Logging.IdentityModelEventSource.WriteInformation(String message)
at Microsoft.IdentityModel.Logging.LogHelper.LogInformation(String message, Object[] args)
at Microsoft.IdentityModel.Tokens.TokenValidationParameters.CreateClaimsIdentity(SecurityToken securityToken, String issuer)
at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.CreateClaimsIdentity(JwtSecurityToken jwtToken, String issuer, TokenValidationParameters validationParameters)
at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateTokenPayload(JwtSecurityToken jwtToken, TokenValidationParameters validationParameters)
at QER.OAuthAuthentifier.OAuth._ValidateToken(String token, String issuerName, String clientId, String nonce, Boolean openid, IEnumerable`1 signingKeys, Boolean showPiiInLog)
2020-09-30 11:49:58.4810 ERROR ( ObjectLog 5gyeswz33q0uvh1psa5msp2l) : Failed to authenticate user using OAuth2/Open ID Connect. System.FormatException: Input string was not in a correct format.
at System.Text.StringBuilder.FormatError()
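A small triage helper for traces like the one above (added here as an example, not code from the product or the poster): it reads the Microsoft.IdentityModel IDX messages to record which token checks passed, picks out the exception and the first non-framework stack frame, and reports whether the failure happened during token validation or after it. The log lines are constructed from the redacted ones in the post; the stage names are this example's own labels.

```python
import re

# Constructed sample, redacted like the post above.
SAMPLE_LOG = """\
[Informational]9/30/2020 3:49:58 PM IDX12716: Decoding token: 'xxx' into header, payload and signature.
[Informational]9/30/2020 3:49:58 PM IDX10242: Security token: 'xxx' has a valid signature.
[Informational]9/30/2020 3:49:58 PM IDX10239: Lifetime of the token is valid.
[Informational]9/30/2020 3:49:58 PM IDX10234: Audience Validated.Audience: 'xxx'
[Informational]9/30/2020 3:49:58 PM IDX10236: Issuer Validated.Issuer: 'login.microsoftonline.com/.../v2.0'
[Informational]9/30/2020 3:49:58 PM IDX10246: ValidateTokenReplay property on ValidationParameters is set to false. Exiting without validating the token replay.
Failed to verify token. System.FormatException: Input string was not in a correct format.
at System.String.Format(IFormatProvider provider, String format, Object[] args)
at Microsoft.IdentityModel.Tokens.TokenValidationParameters.CreateClaimsIdentity(SecurityToken securityToken, String issuer)
"""

# IDX codes that appear in the post, mapped to the check they confirm.
STAGE_BY_CODE = {
    "IDX10242": "signature",
    "IDX10239": "lifetime",
    "IDX10234": "audience",
    "IDX10236": "issuer",
}
EXPECTED = ("signature", "lifetime", "audience", "issuer")
IDX_RE = re.compile(r"\b(IDX\d{5})\b")
EXC_RE = re.compile(r"(System\.\w+Exception): (.+)$")
FRAME_RE = re.compile(r"^\s*at\s+(\S+?)\(")

def triage(log_text: str) -> dict:
    """Summarise which validation stages passed and where the failure originated."""
    passed, exception, frames = [], None, []
    for line in log_text.splitlines():
        m = IDX_RE.search(line)
        if m and m.group(1) in STAGE_BY_CODE:
            passed.append(STAGE_BY_CODE[m.group(1)])
        ex = EXC_RE.search(line)
        if ex and exception is None:
            exception = ex.group(1)          # first exception type seen
        f = FRAME_RE.match(line)
        if f:
            frames.append(f.group(1))
    missing = [s for s in EXPECTED if s not in passed]
    # First frame outside the System.* namespace is the most useful origin hint.
    origin = next((f for f in frames if not f.startswith("System.")), None)
    if exception is None:
        verdict = "no failure recorded"
    elif missing:
        verdict = f"token validation did not reach: {missing[0]}"
    else:
        verdict = "all token checks passed; failure is post-validation"
    return {"passed": passed, "exception": exception, "origin": origin, "verdict": verdict}
```

For the post's trace the verdict is that signature, lifetime, audience and issuer all validated and the exception is raised afterwards, in CreateClaimsIdentity, which narrows the problem to claims/logging handling rather than to the token itself.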

Parents Reply
  • Thanks Markus. It worked after disabling the suggested config.

    One more thing: the OneIdentity documents don't clearly specify the claims workflow between the userinfo endpoint and the id_token. I struggled to understand the entire flow, so I am sharing it in the forum:

    1. When the userinfo endpoint is left blank, One Identity picks claims from the id_token and uses them to authenticate users.

    2. When the userinfo endpoint has a value, even if you add a claim to the id_token, those claims won't be used to search users in the DB. The discovery endpoint auto-populates this value, so please review it.

    Thanks again.
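The claims workflow from the reply, modelled as an added example (not the product's code): a blank userinfo endpoint is filled from the discovery document, the populated endpoint switches user lookup to userinfo claims, and a diagnostic reports when the lookup claim was added to the id_token but is never consulted for that reason. The configuration keys, the claim names and the endpoint URL are constructed for this example.

```python
# Constructed inputs: an id_token enriched with an extra claim, a userinfo
# response that lacks it, and a discovery document that advertises userinfo.
ID_TOKEN = {"sub": "abc123", "preferred_username": "jdoe@example.test", "employeeId": "E12345"}
USERINFO = {"sub": "abc123", "name": "Jane Doe"}
DISCOVERY = {"userinfo_endpoint": "https://idp.example/userinfo"}

def apply_discovery(config: dict, discovery: dict) -> dict:
    """Fill a blank userinfo endpoint from the discovery document (the auto-populate behaviour)."""
    cfg = dict(config)
    if not cfg.get("userinfo_endpoint") and discovery.get("userinfo_endpoint"):
        cfg["userinfo_endpoint"] = discovery["userinfo_endpoint"]
    return cfg

def lookup_claims(config: dict, id_token_claims: dict, userinfo_claims: dict):
    """Return (source, claims) used to search for the user: userinfo wins when configured."""
    if config.get("userinfo_endpoint"):
        return "userinfo", userinfo_claims
    return "id_token", id_token_claims

def diagnose(config: dict, id_token_claims: dict, userinfo_claims: dict, lookup_claim: str) -> str:
    """Explain whether the claim the DB search relies on will actually be seen."""
    source, claims = lookup_claims(config, id_token_claims, userinfo_claims)
    if lookup_claim in claims:
        return f"ok: '{lookup_claim}' taken from {source}"
    if source == "userinfo" and lookup_claim in id_token_claims:
        return (f"misconfigured: '{lookup_claim}' is only in the id_token, but userinfo endpoint "
                f"{config['userinfo_endpoint']} is set, so userinfo claims are searched; "
                "clear the endpoint or expose the claim via userinfo")
    return f"missing: '{lookup_claim}' not present in {source}"

if __name__ == "__main__":
    cfg = apply_discovery({"userinfo_endpoint": ""}, DISCOVERY)
    print(diagnose(cfg, ID_TOKEN, USERINFO, "employeeId"))
    print(diagnose({"userinfo_endpoint": ""}, ID_TOKEN, USERINFO, "employeeId"))
```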
