Azure AD v1: Unable to verify JWT signature: no matching keys #133
Comments
Interesting thing to note... when I add the the It has the header/body but not the signature/footer component. It literally ends with a period before where the third section should be:

So these are the JWKs URIs where go-oidc expects the keys. Can you give us an id_token that you expect to work (maybe an expired one)? Interesting that they're common keys, though the V2 endpoint returns the same thing.

That's really weird. Might be a bug on the kubectl auth provider end.

Interesting thing is that both the as-is token and the I'll work on getting an expired token.

@colemickens also those keys are expected to rotate. Might want to grab the keys from the keys endpoint when the token is considered valid.

Oh well, this is awkward. That's the

@ericchiang I'm being told that this is expected, as AADv1 is returning an unsigned Any thoughts on this? Maybe

In the Kubernetes context, absolutely not. Kubernetes needs to verify the id_token from an arbitrary source. If it's not signed then anyone can provide whatever id_token they want.

Agreed. Also looks like the JWT client already exposes a way to do this, it would be a modification in the I guess I'll have to follow up internally on the
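The two failure modes discussed above, as an added example that is not part of go-oidc (which verifies through its own Verifier and go-jose) and not code from any participant in this thread: a minimal RS256 id_token verifier that refuses a token whose third segment is empty (the "ends with a period" shape reported for the AADv1 response), pins the algorithm so a token header cannot select `none` or an HMAC alg, and looks the header `kid` up in a JWKS document, reporting "no matching keys" when the signing key is absent from the set, which is what a rotated key looks like until the keys endpoint is refetched. The RSA key, the `kid` values, the claims and the JWKS document are all constructed inline for the example; nothing is fetched from Azure AD.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
)

// jwk is the subset of an RFC 7517 RSA key that RS256 needs; jwks is the jwks_uri document.
type jwk struct {
	Kid string `json:"kid"`
	Kty string `json:"kty"`
	N   string `json:"n"`
	E   string `json:"e"`
}
type jwks struct{ Keys []jwk `json:"keys"` }

var ErrUnsigned = errors.New("token has no signature segment; unsigned id_token rejected")
var ErrNoKey = errors.New("unable to verify JWT signature: no matching keys")

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// keyFor selects the published RSA key whose kid matches the token header; ErrNoKey is the
// "no matching keys" condition, e.g. a rotated key the verifier has not refetched yet.
func keyFor(set jwks, kid string) (*rsa.PublicKey, error) {
	for _, k := range set.Keys {
		if k.Kty != "RSA" || k.Kid != kid {
			continue
		}
		n, err1 := base64.RawURLEncoding.DecodeString(k.N)
		e, err2 := base64.RawURLEncoding.DecodeString(k.E)
		if err1 != nil || err2 != nil {
			return nil, errors.New("malformed JWK")
		}
		return &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}, nil
	}
	return nil, ErrNoKey
}

// VerifyRS256 checks a compact JWT against the key set and returns the raw payload. A token
// whose third segment is empty is refused before any key lookup: never accept an unsigned id_token.
func VerifyRS256(token string, set jwks) ([]byte, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 || parts[2] == "" {
		return nil, ErrUnsigned
	}
	hdrJSON, err := base64.RawURLEncoding.DecodeString(parts[0])
	var hdr struct{ Alg, Kid string }
	// Pin the algorithm: the token header must not get to choose "none" or an HMAC alg.
	if err != nil || json.Unmarshal(hdrJSON, &hdr) != nil || hdr.Alg != "RS256" {
		return nil, fmt.Errorf("undecodable header or unsupported alg %q", hdr.Alg)
	}
	pub, err := keyFor(set, hdr.Kid)
	if err != nil {
		return nil, err
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, errors.New("signature does not verify under the selected key")
	}
	return base64.RawURLEncoding.DecodeString(parts[1])
}

// SignRS256 issues a token the way a provider would; here it only builds constructed test input.
func SignRS256(priv *rsa.PrivateKey, kid string, claims map[string]interface{}) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(claims)
	input := b64(hdr) + "." + b64(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64(sig), nil
}

// Scenarios signs tokens under a constructed key (assumed kid values, assumed issuer) and returns
// the verdict for a valid token, a token under a rotated kid the set does not publish, and an unsigned token.
func Scenarios() (validErr, rotatedErr, unsignedErr error) {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048) // only fails on a broken rand.Reader
	set := jwks{Keys: []jwk{{Kid: "kid-2017", Kty: "RSA", N: b64(priv.N.Bytes()), E: b64(big.NewInt(int64(priv.E)).Bytes())}}}
	claims := map[string]interface{}{"iss": "https://issuer.example/", "sub": "alice"}
	valid, _ := SignRS256(priv, "kid-2017", claims)
	rotated, _ := SignRS256(priv, "kid-2018", claims)
	unsigned := valid[:strings.LastIndex(valid, ".")+1] // "header.payload." with nothing after the last dot
	_, validErr = VerifyRS256(valid, set)
	_, rotatedErr = VerifyRS256(rotated, set)
	_, unsignedErr = VerifyRS256(unsigned, set)
	return
}

func main() {
	fmt.Println(Scenarios())
}
```

Running it prints `<nil>` for the properly signed token, the "no matching keys" error for the rotated kid, and the unsigned-token error for the truncated token. The order of the checks is deliberate: the empty-signature and alg checks run before any key lookup, so a verifier that is otherwise short of keys (the rotation case) still cannot be talked into accepting an unsigned token.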
Hi - we're seeing something that we think is related to this issue when trying to use Azure AD OIDC with kubernetes - we get this behaviour whether I specify a refresh token or not, though. We tried using the

Here is an expired id_token:

Your issuer is

@ashb For AADv1, you need to use

@colemickens maybe we should add some docs to the Kubernetes upstream docs :)

@ericchiang I'd be very happy to contribute some upstream docs, but I'm trying to close the loop on a couple of peculiarities around the AADv1/v2 implementations to understand which we should advise for k8s/oidc. In the meantime, for anyone else who winds up here, this may be applicable: https://github.com/colemickens/azure-ad-k8s-oidc-example But yes, I will plan to upstream the important Azure-y bits of that document to one of the OIDC/auth pages on kubernetes.github.io.

@colemickens I'll try to add them if I have some free cycles too. Feel free to assign me if you get to them first.

Thanks both of you. We got most of the way with the existing docs but ran into this error and were a little bit stumped. 👍
Hello. I'm looking for some troubleshooting help. `go-oidc` doesn't seem to play nice with Azure Active Directory v1 endpoints.

Working: AADv2 endpoints (issuer=`https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47`, config=`https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47/.well-known/openid-configuration`) + Kubernetes + OIDC

Only partially working: AADv1 endpoints (issuer=`https://sts.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/`, config=`https://sts.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/.well-known/openid-configuration`) + Kubernetes + OIDC

If I only add an `id_token` then it uses it as-is and it works. If I also add the `refresh_token` then I get the verification error shown.

I'm not sure where to look first. For the AADv1 endpoint, the issuer URL is `https://sts.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/` (trailing slash is important), which puts the OIDC config at `https://sts.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/.well-known/openid-configuration`.

How can I determine if this is a bug in `go-oidc` or a bug in how AADv1 endpoints are configured?