Currently I’m struggling against MS Azure on_behalf_of flow and facing this error:
{
"error": "invalid_grant",
"error_description": "AADSTS50013: Assertion failed signature validation. [Reason - The key was not found., Please visit the Azure Portal, Graph Explorer or directly use MS Graph to see configured keys for app Id '00000000-0000-0000-0000-000000000000'. Review the documentation at https://docs.microsoft.com/en-us/graph/deployments to determine the corresponding service endpoint and https://docs.microsoft.com/en-us/graph/api/application-get?view=graph-rest-1.0&tabs=http to build a query request URL, such as 'https://graph.microsoft.com/beta/applications/00000000-0000-0000-0000-000000000000']. Trace ID: Correlation ID: Timestamp: 2024-09-25 10:37:05Z",
"error_codes": [
50013
],
"timestamp": "2024-09-25 10:37:05Z",
"trace_id": "",
"correlation_id": "",
"error_uri": "https://login.microsoftonline.com/error?code=50013"
}
What I’m doing:
- I’ve generated public and private keys with these commands:
$ openssl req -newkey rsa -new -nodes -x509 -days 3650 -pkeyopt rsa_keygen_bits:4096 -keyout key.pem -out cert.pem
$ openssl x509 -pubkey -noout -in cert.pem > pubkey.pem
- I’ve uploaded the generated public key into Azure and now I have this in application’s Manifest:
"keyCredentials": [
{
"customKeyIdentifier": "IDENTIFIER",
"displayName": "app-name",
"endDateTime": "2034-09-22T09:20:28Z",
"key": null,
"keyId": "key-uuid",
"startDateTime": "2024-09-24T09:20:28Z",
"type": "AsymmetricX509Cert",
"usage": "Verify"
}
]
- I receive client assertion with
client_credentialsflow as
POST https://login.microsoftonline.com/my-app-tenant-id/oauth2/v2.0/token
Content-Type: application/x-www-form-urlencoded
grant_type=client_credentials
&client_id=my-client-id
&client_secret=my-secret
&scope=api://my-client-id/.default
This works fine and returns me a token looking like:
{
"typ": "JWT",
"alg": "RS256",
"x5t": "",
"kid": ""
}
{
"aud": "api://my-client-id",
"iss": "https://sts.windows.net/my-app-tenant-id/",
"iat": 1727252274,
"nbf": 1727252274,
"exp": 1727256174,
"aio": "",
"appid": "my-client-id",
"appidacr": "1",
"idp": "https://sts.windows.net/my-app-tenant-id/",
"oid": "some-value",
"rh": "",
"sub": "some-value",
"tid": "my-app-tenant-id",
"uti": "",
"ver": "1.0"
}
- Then I use the generated private key in order to sign
assertion. The assertion is used as
POST https://login.microsoftonline.com/my-app-tenant-id/oauth2/v2.0/token
Content-Type: application/x-www-form-urlencoded
grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer
&client_id=my-client-id
&client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer
&client_assertion=here-i-put-the-token-received-from-client-credentials-flow
&assertion=here-i-put-the-signed-assertion
&requested_token_use=on_behalf_of
&scope=api://my-client-id/default
Here’s my assertion before signing:
{
"iss" : "my-app-tenant-id",
"customerXRef" : "som-value",
"aud" : "https://login.microsoftonline.com/my-app-tenant-id/oauth2/v2.0/token"
}
And here’s how I sign it (the code works fine for OAuth with Gravitee):
String getToken() {
try {
var jwsHeader = new JWSHeader.Builder(alg)
.type(new JOSEObjectType(typ))
.keyID(kid) // here I put the same value as I have in `keyCredentials.keyId` above
.build();
var jwsObject = new JWSObject(jwsHeader, payload);
var privateKey = RsaKeyConverters.pkcs8().convert(new ByteArrayInputStream(this.privateKey));
var signer = new RSASSASigner(privateKey);
jwsObject.sign(signer);
return jwsObject.serialize();
} catch (JOSEException e) {
throw new RuntimeException(e);
}
}
My question is what am I doing wrong?
I looked into https://login.microsoftonline.com/error?code=50013 but didn’t find any clue.
P.S. Following advice from @juunas I’ve modified the header of my assertion to look like
{
"typ": "JWT",
"x5t#s256": "IDENTIFIER",
"alg": "RS256"
}
where IDENTIFIER is exactly the same value as keyCredentials.customKeyIdentifier but I still get The key was not found. error message
P.P.S. I’ve found out, that following https://login.microsoftonline.com/my-app-tenant-id/discovery/keys I don’t see the certificate I’ve uploaded. Any ideas?
3
It is not clear what your use case is. I assume you are trying to do this:
- User gets an access token with original scopes
- An API acts as an OAuth client, to swap the original token for another user level access token with different scopes
ORIGINAL TOKEN
In step 3 you get a machine level JWT access token and not a client assertion. Also be aware that it is not a user level token. which may affect behaviour.
CLIENT ASSERTIONS
A client assertion is a strong credential that you produce yourself with a JWT library and a private key. Here is the type of code you might use:
const assertion = await new SignJWT({
sub: clientID,
iss: clientID,
aud: 'http://login.example.com/oauth/v2/token',
jti: Guid.create().toString(),
scope: 'read',
})
.setProtectedHeader( {kid: keyId, alg: algorithm} )
.setIssuedAt(Date.now() - 30000)
.setExpirationTime(Date.now() + 30000)
.sign(privateJwk);
You then send it to the token endpoint instead of a client secret. The authorization server uses the public key to validate the assertion’s signature.
&client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer
&client_assertion=here-i-put-the-signed-assertion
But maybe try simplifying:
- First get the on behalf of flow working with a simple client secret
- Then update to a client assertion later
ON BEHALF OF FLOW
The other parameters are specific to the On Behalf Of flow. You supply the original user level access token in the assertion parameter.
POST https://login.microsoftonline.com/my-app-tenant-id/oauth2/v2.0/token
Content-Type: application/x-www-form-urlencoded
grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer
&client_id=my-client-id
&client_secret=xxx
&requested_token_use=on_behalf_of
&assertion=original_access_token
&scope=read
Once a client secret works you can switch back to a client assertion. You know then that any remaining issues are with the client assertion and not the on behalf of flow.
I think of the on behalf of flow as a User Assertion, whereas a Client Assertion is just a credential rather than a complete flow. A client assertion can be used in any flow that presents client credentials to the authorization server.