Azure SSO: unable to find key with kid

[cardoe]

Attempting to authenticate against Azure AD single tenant. Specifically using OpenStack Keystone and playing with it's federation support via OpenID Connect. Their rough docs are at https://docs.openstack.org/keystone/latest/admin/federation/configure_federation.html#setting-up-openid-connect but I ultimately referred to https://github.com/OpenIDC/mod_auth_openidc/wiki/Azure-Active-Directory-Authentication

The setup I crafted is:

#OIDCProviderMetadataURL https://sts.windows.net/MYTENANT/.well-known/openid-configuration
OIDCProviderMetadataURL https://login.microsoftonline.com/MYTENANT/v2.0/.well-known/openid-configuration
OIDCClaimPrefix "OIDC-"
OIDCResponseType "id_token"
#OIDCScope "openid email profile urn://MYAPPID/openstack" # tried to add my own here based on the medium article.
OIDCScope "openid email profile"
OIDCClientID "MYAPPID"
OIDCClientSecret "MYAPPSECRET"
OIDCCryptoPassphrase MYCRYPTOPHRASE
OIDCRedirectURI https://myhost:5000/v3/OS-FEDERATION/identity_providers/myidp/protocols/openid/auth

Everything in the logs seems fine until I hit this spot...

2023-07-18 17:49:52.848553 oidc_util_hdr_in_get: User-Agent=Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.5.1 Safari/605.1.15
2023-07-18 17:49:52.848583 oidc_restore_proto_state: restored state: {"ou":"https://myhost:5000/v3/auth/OS-FEDERATION/websso/openid?origin=https://myhost/horizon/auth/websso/","om":"get","i":"https://login.microsoftonline.com/MYTENANT/v2.0","rt":"id_token","n":"mynonce","t":1689702592,”s”:”my-s”}
2023-07-18 17:49:52.848594 oidc_cache_get: enter: https://login.microsoftonline.com/MYTENANT/v2.0/.well-known/openid-configuration (section=p, decrypt=0, type=shm)
2023-07-18 17:49:52.848607 oidc_cache_get: cache hit: return 1753 bytes from shm cache backend for key https://login.microsoftonline.com/MYTENANT/v2.0/.well-known/openid-configuration
2023-07-18 17:49:52.848741 oidc_proto_handle_authorization_response_idtoken: enter
2023-07-18 17:49:52.848751 oidc_proto_validate_issuer_client_id: iss and/or client_id matched OK: (null), https://login.microsoftonline.com/MYTENANT/v2.0, (null), MYAPPID
2023-07-18 17:49:52.848765 oidc_proto_parse_idtoken: enter: id_token header={"typ":"JWT","alg":"RS256","kid":"UNKNOWN_KID"}
2023-07-18 17:49:52.848776 oidc_util_create_symmetric_key: key_len=32
2023-07-18 17:49:52.848864 oidc_proto_parse_idtoken: successfully parsed (and possibly decrypted) JWT with header={"typ":"JWT","alg":"RS256","kid":"UNKNOWN_KID"}, and payload={"aud":"MYAPPID","iss":"https://login.microsoftonline.com/MYTENANT/v2.0","iat":1689702292,"nbf":1689702292,"exp":1689745792,"aio":"myaio","email":"my@email","nonce":"mynonce","oid":"myoid","preferred_username":"my@email","rh":"myrh","sub":"mysub","tid":"MYTENANT","upn":"my@email","uti":"myuti","ver":"2.0"}
2023-07-18 17:49:52.848876 oidc_util_create_symmetric_key: key_len=40
2023-07-18 17:49:52.848885 oidc_metadata_jwks_get: enter, jwks_uri=https://login.microsoftonline.com/MYTENANT/discovery/v2.0/keys, refresh=0
2023-07-18 17:49:52.848890 oidc_cache_get: enter: https://login.microsoftonline.com/MYTENANT/discovery/v2.0/keys (section=j, decrypt=0, type=shm)
2023-07-18 17:49:52.850561 oidc_cache_get: cache miss from shm cache backend for key https://login.microsoftonline.com/MYTENANT/discovery/v2.0/keys
2023-07-18 17:49:52.850586 oidc_util_http_query_encoded_url: url=https://login.microsoftonline.com/MYTENANT/discovery/v2.0/keys
2023-07-18 17:49:52.850596 oidc_util_http_call: url=https://login.microsoftonline.com/MYTENANT/discovery/v2.0/keys, data=(null), content_type=(null), basic_auth=null, bearer_token=(null), ssl_validate_server=1, timeout=60, outgoing_proxy=(null), pass_cookies=0, ssl_cert=(null), ssl_key=(null), ssl_key_pwd=(null)
2023-07-18 17:49:52.936817 oidc_util_http_call: HTTP response code=200
2023-07-18 17:49:52.936917 oidc_util_http_call: response=VALUE_OF_THE_KEYS_URL_WHICH_CLEARLY_DOES_NOT_HAVE_THE_KID
2023-07-18 17:49:52.938788 oidc_cache_set: enter: https://login.microsoftonline.com/MYTENANT/discovery/v2.0/keys (section=j, len=9478, encrypt=0, ttl(s)=3599, type=shm)
2023-07-18 17:49:52.939488 oidc_cache_set: successfully stored 9478 bytes in shm cache backend for key https://login.microsoftonline.com/MYTENANT/discovery/v2.0/keys
2023-07-18 17:49:52.939517 oidc_proto_get_key_from_jwks: search for kid "UNKNOWN_KID" or thumbprint x5t "(null)"
2023-07-18 17:49:52.940274 oidc_proto_get_keys_from_jwks_uri: returning 0 key(s) obtained from the (possibly cached) JWKs URI
2023-07-18 17:49:52.940295 oidc_proto_jwt_verify: JWT signature verification failed: [src/jose.c:1238: oidc_jwt_verify]: could not find key with kid: UNKNOWN_KID
2023-07-18 17:49:52.940302 oidc_proto_parse_idtoken: id_token signature could not be validated, aborting
2023-07-18 17:49:52.940328 oidc_util_html_send_error: setting OIDC_ERROR environment variable to: OpenID Connect Provider error: Error in handling response type.
2023-07-18 17:49:52.940342 oidc_util_html_send_error: setting OIDC_ERROR_DESC environment variable to: (null)

I followed the Azure wiki page. I've tried editing the manifest and setting "accessTokenAcceptedVersion": 2, but that hasn't helped either.

[zandbelt]

I guess that's a question for MS: if you're sure you've configured the metadata document in the correct way then apparently they sign the token with a key that is not published on the endpoint that they advertise

[cardoe]

I ran across https://xsreality.medium.com/making-azure-ad-oidc-compliant-5734b70c43ff which seemed to imply some necessary tweaks to get Microsoft to be compliant so I guess I'll have to run it down with them.

[cardoe]

Interestingly the keys for my tenant are the same as https://login.microsoftonline.com/common/discovery/v2.0/keys where the issuer is https://login.microsoftonline.com/{tenantid}/v2.0"

[cardoe]

Figured it out. Under the "Enterprise Application" linked to this I had enabled SAML SSO at some point in the app when playing with this.