AzureAD JWT Token Audience claim prefix makes JWT Token invalid

早过忘川 提交于 2021-02-18 11:16:28

问题


I'm using the 'adal-node' npm package to authenticate with an AzureAD. This is all working fine and I get a token back.

However, the when examining the 'aud' claim in the JWT token I see the audience GUID is prefixed with 'spn:'. I think this is causing me problems when I try to use the JWT token on an already existing Web API. When I authenticate via a WebApp using the same AzureAD the 'aud' claim is NOT prefixed with 'spn:' and I am able to called endpoints on the WebAPI.

Can anyone shed any light on this? This is last hurdle to get over after a lot of head banging getting this working.

Update:

Using the npm package 'azure-ad-jwt' to validate the JWT token with AzureAD as soon as I receive it gives me the error which I suspected is the problem - 'JWT audience is invalid'. It is expecting the 'aud' claim not to have the 'spn:' prefix. Where is this spn prefix coming from?

Here's my app.js

var adal = require('adal-node');

var activeDirectoryEndpointUrl = 'https://login.microsoftonline.com/';

var options = {
    domain: '<AzureAD GUID>',
    activeDirectoryResourceId: '<AzureAD App Client ID 1>',
    clientId: '<AzureAD App Client ID 2>'
};

var tokenCache = new adal.MemoryCache();
var authorityUrl = activeDirectoryEndpointUrl + options.domain;
var context = new adal.AuthenticationContext(authorityUrl, true, tokenCache);

context.acquireUserCode(options.activeDirectoryResourceId, options.clientId, 'en-us', function (err, userCodeResponse) {
    if (err) {
        console.error(err);
        return;
    }

    console.log('Use a web browser to open the page ' + userCodeResponse.verificationUrl + ' and enter the code ' + userCodeResponse.userCode + ' to sign in.');

    context.acquireTokenWithDeviceCode(options.activeDirectoryResourceId, options.clientId, userCodeResponse, function (err, tokenResponse) {
        if (err) {
            console.error(err);
            return;
        }

        console.log(tokenResponse);
    });
});

Decoded JWT Token:

{
    "typ":"JWT",
    "alg":"RS256",
    "x5t":"XXXXXXX",
    "kid":"XXXXXXX"
}
{
    "aud":"spn:XXXXXXX",    // <<< Offending claim
    "iss":"https://sts.windows.net/XXXXXXX/",
    "iat":1471355868,
    "nbf":1471355868,
    "exp":1471359768,
    "acr":"1",
    "amr":["pwd"],
    "appid":"XXXXXXX",
    "appidacr":"0",
    "e_exp":7200,
    "family_name":"XX",
    "given_name":"XX",
    "ipaddr":"XX.XX.XX.XX",
    "name":"XX XX",
    "oid":"XXXXXXX",
    "scp":"user_impersonation",
    "sub":"XXXXXXX",
    "tid":"XXXXXXX",
    "unique_name":"XXX@XXX.onmicrosoft.com",
    "upn":"XXX@XXX.onmicrosoft.com",
    "ver":"1.0"
}

回答1:


Appears to be documented "by design"1 for Azure AD.

In Azure AD's SAML 2.0 Single Sign-On SAML protocol describing the response fields, they describe the audience response value. Note the bold text at the bottom:

Audience

This contains a URI that identifies an intended audience. Azure AD sets the value of this element to the value of Issuer element of the AuthnRequest that initiated the sign-on. To evaluate the Audience value, use the value of the App ID URI that was specified during application registration.

Like the Issuer value, the Audience value must exactly match one of the service principal names that represents the cloud service in Azure AD. However, if the value of the Issuer element is not a URI value, the Audience value in the response is the Issuer value prefixed with spn:.

So for better or worse, the answer for Azure AD SAML 2.0 seems to be either:

  1. Change your Issuer Entity ID to be a URI
  2. Change your implementation to strip the spn: from the start of the audience response value.

1 The SAML 2.0 Core spec specifies the <Issuer> element not as a URI, but as a complex type NameIDType, a string with no format requirements by default. So we can feel annoyed that Azure AD is not happy with non-URI string. Having said that, every example Issuer in the spec is a URI, so maybe our annoyed self-justification has its limits.




回答2:


Still facing the same issue 2 years after. As @Adam Young posted in comments to his own question - replace audience id with audience URL and that will resolve the issue.



来源:https://stackoverflow.com/questions/38978298/azuread-jwt-token-audience-claim-prefix-makes-jwt-token-invalid

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!