Problem:
During the testing of EntraID support in API ML, we found a few limitations that seem to be related only to this OIDC provider. It turned out that, by default, EntraID returns access tokens with a nonce in the header, which makes validation using JWK fail. It is possible to configure EntraID to produce an application-specific access token that can then be validated locally: https://xsreality.medium.com/making-azure-ad-oidc-compliant-5734b70c43ff This workaround has another limitation: it is not valid against the Microsoft Graph API, which is used by Cloud Gateway in the process of authenticating the user in the OIDC flow. This results in the OIDC flow failing and ending in an infinite loop.
Proposed solution:
Update the validation of the EntraID access token in the domain-level API ML to use the remote /userinfo endpoint for validation, which also returns the distributed ID required for further z/OS user mapping.
```shell
curl --request GET \
  --url https://graph.microsoft.com/oidc/userinfo \
  --header 'Authorization: Bearer eyJ0eXAiOiJKV1QiLCJub25jZSI6InFDbTJnSUlIQVlPYm8xWlpMNDRua29wR0Y0X2c0bXNxNkNHamg2QkVVNEEiLCJhbGciOiJSUzI1NiIsIng1dCI6IkwxS2ZLRklfam5YYndXYzIyeFp4dzFzVUhIMCIsImtpZCI6IkwxS2ZLRklfam5YYndXYzIyeFp4dzFzVUhIMCJ9.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.FFl_5ISYfqlhCi_2RERPgqkzFOrtEbbNOszp9SdHXk_paCjyqpm-pP6NDkfcRm-GqbdVwmEHEl9iyBeWek1_wMw0IfEVxlsNneKcNhGKLLlN24zr59Srgo5eI7ULrzRX2IeVBS8nmTOLl3iC6qEEBUA2sC1T-d65v5Aq8fay_LYqRS7X2Q__AxRNGgOdmUfPZjvWKm38vQkrk8VSWoft1VxvUJnNPYILKdiwcN3EJZxdKxGjBiOZMX0gCUwK1OUus2l8SZ6Kvm2slz5PAAChnnM5evOtYGiBrSaOe6PhdSn_sG8dc1nYSYB81ClKRItyMMIVWy6OaWCBet5hmI9v7g' \
  --header 'User-Agent: insomnia/8.4.5'
```
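As an added example (not API ML code and not written by the issue author), the Python script below shows the two-path validation the proposal implies: decode the JWT header, and when the EntraID-specific `nonce` header field is present, skip local JWKS verification and validate the token by presenting it to the /userinfo endpoint, failing closed on anything other than a 200 with a `sub` claim. The header segment of the token from the curl request above is reused to show that its header really carries `nonce`. The HTTP call is injected so the script runs offline against a constructed stand-in; the use of `sub` as the distributed ID and the sample token contents are assumptions, not taken from the page.

```python
"""Added example: route EntraID access-token validation by JWT header.

Assumptions (not stated in the issue): `sub` from /userinfo is the identifier
later used for z/OS user mapping, and `http_get` is an injectable callable so
the example runs offline. Tokens built here carry a dummy signature; only
header inspection and the remote /userinfo check are demonstrated.
"""
import base64
import json
from typing import Callable, Dict, Optional, Tuple

USERINFO_URL = "https://graph.microsoft.com/oidc/userinfo"

# Header segment of the real token shown in the curl request on this page.
PAGE_HEADER_SEGMENT = (
    "eyJ0eXAiOiJKV1QiLCJub25jZSI6InFDbTJnSUlIQVlPYm8xWlpMNDRua29wR0Y0X2c0bXNx"
    "NkNHamg2QkVVNEEiLCJhbGciOiJSUzI1NiIsIng1dCI6IkwxS2ZLRklfam5YYndXYzIyeFp4"
    "dzFzVUhIMCIsImtpZCI6IkwxS2ZLRklfam5YYndXYzIyeFp4dzFzVUhIMCJ9"
)


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_token(header: dict, payload: dict) -> str:
    """Build a compact JWS with a dummy signature (constructed test data only)."""
    parts = [_b64url_encode(json.dumps(h, separators=(",", ":")).encode()) for h in (header, payload)]
    return ".".join(parts + ["c2ln"])  # "c2ln" is base64url("sig")


def decode_jwt_header(token: str) -> dict:
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected three dot-separated segments")
    return json.loads(_b64url_decode(parts[0]))


def choose_validation(token: str) -> str:
    """'local-jwks' when the header looks verifiable against the issuer's JWKS,
    'remote-userinfo' when it carries EntraID's `nonce` header field, which
    marks a Graph-audience token whose signature will not verify locally."""
    header = decode_jwt_header(token)
    if str(header.get("alg", "")).lower() == "none":
        raise ValueError("alg=none is never acceptable")
    return "remote-userinfo" if "nonce" in header else "local-jwks"


def validate_via_userinfo(
    token: str, http_get: Callable[[str, Dict[str, str]], Tuple[int, bytes]]
) -> Optional[dict]:
    """Present the token to /userinfo. Only a 200 with a JSON body containing
    `sub` counts as valid; every other outcome is treated as invalid."""
    status, body = http_get(USERINFO_URL, {"Authorization": f"Bearer {token}"})
    if status != 200:
        return None
    try:
        claims = json.loads(body)
    except ValueError:
        return None
    if not isinstance(claims, dict) or "sub" not in claims:
        return None
    return {"distributed_id": claims["sub"], "claims": claims}


# Constructed sample tokens: one Graph-style (nonce in header), one app-specific.
GRAPH_STYLE_TOKEN = make_token(
    {"typ": "JWT", "alg": "RS256", "kid": "k1", "nonce": "abc123"},
    {"aud": "https://graph.microsoft.com", "sub": "user-1"},
)
APP_TOKEN = make_token({"typ": "JWT", "alg": "RS256", "kid": "k1"}, {"aud": "api://my-app"})


def fake_userinfo_get(url: str, headers: Dict[str, str]) -> Tuple[int, bytes]:
    """Offline stand-in for the Graph /userinfo endpoint (constructed): accepts
    exactly one token and rejects everything else with 401."""
    if url != USERINFO_URL or headers.get("Authorization") != f"Bearer {GRAPH_STYLE_TOKEN}":
        return 401, b'{"error":"invalid_token"}'
    return 200, json.dumps({"sub": "AAAAAAAAAAAAAAAAAAAAAJ_example", "name": "Sample User"}).encode()


def validate(token: str, http_get=fake_userinfo_get) -> Optional[dict]:
    """Dispatch: remote /userinfo for nonce-bearing tokens; local JWKS path is
    left as a placeholder result here because signature checking is out of scope."""
    if choose_validation(token) == "remote-userinfo":
        return validate_via_userinfo(token, http_get)
    return {"distributed_id": None, "claims": {}, "note": "verify locally against JWKS"}


if __name__ == "__main__":
    print(decode_jwt_header(PAGE_HEADER_SEGMENT + ".e30.c2ln"))
    print(choose_validation(GRAPH_STYLE_TOKEN), choose_validation(APP_TOKEN))
    print(validate(GRAPH_STYLE_TOKEN))
```

The decision is made on the unverified header, so it must only select a code path, never grant access: the Graph-style path still ends in an authoritative remote check, and the app-specific path still needs the signature verified against the issuer's JWKS before any claim is trusted.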