Validate Entra ID Access Token #3644
Comments
balhar-jakub
added
enhancement
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
{{ message }}
balhar-jakub
added
enhancement
Problem:
During the testing of EntraID support in API ML, we found a few limitations that seem to be related only for this OIDC provider. It turned out, by default, EntraID returns access tokens with NONCE in the header which makes validation using JWK fail. It is possible to configure EntraID to produce an application-specific access token that is then possible to validate locally. https://xsreality.medium.com/making-azure-ad-oidc-compliant-5734b70c43ff This workaround has another limitation - it is not valid against Microsoft Graph API which is used by Cloud Gateway in the process of authenticating the user in the OIDC flow. This results in the OIDC flow failing and ending in the infinite loop.
Proposed solution:
Update the validation of the EntraID access token in the domain-level API ML to use the remote /userinfo endpoint for validation, which also returns the distributed ID required for further zOS user mapping.
curl --request GET
--url https://graph.microsoft.com/oidc/userinfo
--header 'Authorization: Bearer eyJ0eXAiOiJKV1QiLCJub25jZSI6InFDbTJnSUlIQVlPYm8xWlpMNDRua29wR0Y0X2c0bXNxNkNHamg2QkVVNEEiLCJhbGciOiJSUzI1NiIsIng1dCI6IkwxS2ZLRklfam5YYndXYzIyeFp4dzFzVUhIMCIsImtpZCI6IkwxS2ZLRklfam5YYndXYzIyeFp4dzFzVUhIMCJ9.eyJhdWQiOiIwMDAwMDAwMy0wMDAwLTAwMDAtYzAwMC0wMDAwMDAwMDAwMDAiLCJpc3MiOiJodHRwczovL3N0cy53aW5kb3dzLm5ldC8xMTk0ZGYxNi0zYWUwLTQ5YWEtYjQ4Yi01YzRkYTZlMTM2ODkvIiwiaWF0IjoxNzE3NTc0NDA5LCJuYmYiOjE3MTc1NzQ0MDksImV4cCI6MTcxNzU3OTQ2NiwiYWNjdCI6MSwiYWNyIjoiMSIsImFpbyI6IkFVUUF1LzhXQUFBQU92N1ZrK2dXYmVFRnJJWHJSRG1GcHg5dWs5UWpYRTZjeHBMOTNsL1JrdVRxdnUxaUhaRjEvU2dGMHp6LzBnUUp5dEVnOTJ1ekMzakFSSjZhNHVOZVBBPT0iLCJhbHRzZWNpZCI6IjU6OjEwMDMyMDAzNUZGNTJCQjMiLCJhbXIiOlsicHdkIl0sImFwcF9kaXNwbGF5bmFtZSI6IkNsb3VkIEdhdGV3YXkiLCJhcHBpZCI6IjI5YTQ0MmVhLWQzNmUtNGYyMy1iNzNiLWUwYThlMDU5YTkyYyIsImFwcGlkYWNyIjoiMSIsImVtYWlsIjoiYW5kcmVqLmNobWVsb0Bicm9hZGNvbS5jb20iLCJpZHAiOiJodHRwczovL3N0cy53aW5kb3dzLm5ldC8yOGQ1YTY2My1mM2Q5LTQ0MTMtYjE4My0xMTQxMzEyYjQwNDgvIiwiaWR0eXAiOiJ1c2VyIiwiaXBhZGRyIjoiMTkyLjE5LjE3Ni4yMDkiLCJuYW1lIjoiQW5kcmVqIENobWVsbyIsIm9pZCI6Ijk0NGM0MjBhLWZlMGYtNDE1Yy04MTNlLWMyZGNmMjMwNDBmNiIsInBsYXRmIjoiNSIsInB1aWQiOiIxMDAzMjAwMzhBRTE5QzNFIiwicmgiOiIwLkFTMEFGdC1VRWVBNnFrbTBpMXhOcHVFMmlRTUFBQUFBQUFBQXdBQUFBQUFBQUFBdEFMWS4iLCJzY3AiOiJlbWFpbCBvcGVuaWQgcHJvZmlsZSIsInNpZ25pbl9zdGF0ZSI6WyJrbXNpIl0sInN1YiI6InlkYXB5NWJaUm12bVBKSVRZS01vc2dOY3laaER2T1Z6aFBPenBRcHltSjgiLCJ0ZW5hbnRfcmVnaW9uX3Njb3BlIjoiTkEiLCJ0aWQiOiIxMTk0ZGYxNi0zYWUwLTQ5YWEtYjQ4Yi01YzRkYTZlMTM2ODkiLCJ1bmlxdWVfbmFtZSI6ImFuZHJlai5jaG1lbG9AYnJvYWRjb20uY29tIiwidXRpIjoiTVRoSU5yMFhua2l0VDBMa2x6RVVBQSIsInZlciI6IjEuMCIsIndpZHMiOlsiMTNiZDFjNzItNmY0YS00ZGNmLTk4NWYtMThkM2I4MGYyMDhhIl0sInhtc19zdCI6eyJzdWIiOiItVEFqblhKdzByTGVRTWFRdzZWeUlUdmQyLTFGc1l3Nmc0UDNFQTRILTFRIn0sInhtc190Y2R0IjoxNDAyNTA3ODA5fQ.FFl_5ISYfqlhCi_2RERPgqkzFOrtEbbNOszp9SdHXk_paCjyqpm-pP6NDkfcRm-GqbdVwmEHEl9iyBeWek1_wMw0IfEVxlsNneKcNhGKLLlN24zr59Srgo5eI7ULrzRX2IeVBS8nmTOLl3iC6qEEBUA2sC1T-d65v5Aq8fay_LYqRS7X2Q__AxRNGgOdmUfPZjvWKm38vQkrk8VSWoft1VxvUJnNPYILKdiwcN3EJZxdKxGjBiOZMX0gCUwK1OUus2l8SZ6Kvm2slz5PAAChnnM5evOtYGiBrSaOe6PhdSn_sG8dc1nYSYB81ClKRItyMMIVWy6OaWCBet5hmI9v7g'
--header 'User-Agent: insomnia/8.4.5'
The text was updated successfully, but these errors were encountered: