Replies: 3 comments
-
Honestly, I gave up keeping samples with Microsoft. Everything changed since the last time I got it working (not so long ago), up-to-date documentation is hard to find, translations to French (my native language) are a disaster (I have to force each page back to English to get a chance to understand it), and their implementation of the standard is, as always, quite interpretative. As a cloud provider, I have a personal preference for Auth0 that I find much better documented... All I can give are some general considerations for all cloud OpenID Providers:
-
Hi again. My OpenID configuration for When I use the URIs listed there to get an access token with Postman, I get a JWT access token. So far so good. But when I inspect this access token payload, I can see it has It would be worth opening a ticket at Microsoft Entra support to fix the issuer in the tokens delivered when using The OpenID configuration for You could also investigate further to figure out how to have Microsoft issue JWTs when using the issuer URI they set as Another option would be to configure the Last, you could use an OpenID provider following the standard and providing the right
-
Hello, and thank you for your insights. My OpenID configuration is https://119795fe-f178-444f-ae7a-14cbcc173d64.ciamlogin.com/119795fe-f178-444f-ae7a-14cbcc173d64/v2.0/.well-known/openid-configuration OAuth2 and Spring Security are quite new for me, so I'm learning on the go. I dug further into this and here are my findings: When I get an access token for scopes We then send this access token to the API/resource server when the frontend does an API call through the BFF. In the API the validation fails (as the resource server has to validate it), as expected, because this access token is not supposed to be used for custom APIs. Validation also fails at https://jwt.io To get a valid JWT ID token I figured out that I have to get an access token for my custom API scope only Sources that refer to this issue: I was not able to figure out what is supposed to be the correct approach here and how to set it up (with Spring Security and/or spring-addons). I have thought of 2 possibilities:
I found that there is a Spring Boot starter for Entra ID, spring-cloud-azure-starter-active-directory, which I hope may solve this issue, but I was not able to get it working with spring-addons. I tried to disable spring.security.oauth2.client and enable spring.cloud.azure.active-directory instead, with no luck yet.
-
I am trying to configure Azure Entra ID External in the setup based on the BFF tutorial from Baeldung (https://www.baeldung.com/spring-cloud-gateway-bff-oauth2).
I believe I am struggling with the correct configuration for Azure. I have tried a lot of different variants.
Now I have this config in bff:
After a successful login and redirect, the call to the API is getting a JWT of the type designated for the Microsoft Graph API (with a nonce field in the header). My custom API fails to validate it and throws an error: Signed JWT rejected: Invalid signature
So I figured I probably need to create and use a custom API scope instead, so that my backend API can validate it.
However, when I change the scope to contain only my custom application API scope:
scope: api://{app id url}/Account.Manage
The BFF OAuth2 client gets a token and then fails with 401 UNAUTHORIZED from GET https://graph.microsoft.com/oidc/userinfo, and the redirect ends on an error page with: An error occurred reading the UserInfo response: [invalid_user_info_response]
I believe it is expected to fail, because this time it has a JWT designated for my custom API (which I think would eventually validate the signature OK in my API, but I cannot get through the userinfo call).
What should be the correct approach here? Disable the OAuth2 client's userinfo call? If so, how can I achieve this?
I would really appreciate advice on how to get from here.
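The post above distinguishes two kinds of access token the BFF can end up holding: one minted for Microsoft Graph (a `nonce` in the JWT header, which the custom API cannot validate) and one for the custom API scope. The diagnostic below is an added example, not code from the thread or from spring-addons: it classifies a token from its header and `aud` claim without verifying the signature, so a resource server can log *why* a token is being rejected rather than only reporting "Invalid signature". The audience `api://EXAMPLE-APP-ID` and the sample tokens (with a dummy signature segment) are constructed placeholders.

```python
import base64
import json


def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(obj: dict) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def classify_access_token(token: str, expected_audience: str) -> dict:
    """Report which consumer a token looks minted for. Diagnostic only:
    signature, issuer and expiry must still be verified by the resource server."""
    parts = token.split(".")
    if len(parts) != 3:
        return {"kind": "opaque", "reason": "not a compact JWS (3 segments expected)"}
    try:
        header = json.loads(_b64url_decode(parts[0]))
        claims = json.loads(_b64url_decode(parts[1]))
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        return {"kind": "opaque", "reason": "header/payload are not base64url JSON"}
    aud = claims.get("aud")
    # As observed in the thread: Graph-bound tokens carry a 'nonce' in the *header*.
    if "nonce" in header:
        return {"kind": "graph", "aud": aud, "reason": "header carries 'nonce' (Graph-bound)"}
    if aud != expected_audience:
        return {"kind": "other", "aud": aud, "reason": "aud does not match this API"}
    return {"kind": "custom-api", "aud": aud, "reason": "aud matches, no Graph nonce"}


def make_sample_token(header: dict, claims: dict) -> str:
    # Constructed sample with a dummy signature segment, for demonstration only.
    return f"{_b64url_encode(header)}.{_b64url_encode(claims)}.c2ln"


if __name__ == "__main__":
    api_aud = "api://EXAMPLE-APP-ID"  # placeholder, not a real application ID URI
    graph = make_sample_token({"alg": "RS256", "typ": "JWT", "nonce": "abc"},
                              {"aud": "https://graph.microsoft.com", "scp": "User.Read"})
    custom = make_sample_token({"alg": "RS256", "typ": "JWT"},
                               {"aud": api_aud, "scp": "Account.Manage"})
    print(classify_access_token(graph, api_aud))   # kind: graph
    print(classify_access_token(custom, api_aud))  # kind: custom-api
```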