Hi,

I'm trying to delegate auth to Azure AD in CAS 6.6.13.
It seems to delegate the auth to Azure, the login is done, but afterwards it
fails when trying to decode the returned JWT.

here's the error: 

[DelegatedClientAuthenticationHandler]:
[org.pac4j.core.exception.TechnicalException:
com.nimbusds.jose.proc.BadJOSEException: Signed JWT rejected: Another
algorithm expected, or no matching key(s) found /
com.nimbusds.jose.proc.BadJOSEException: Signed JWT rejected: Another
algorithm expected, or no matching key(s) found]

and this happens because the signing keys are not matching: in Azure there
are some common keys and there seem to be some client-specific keys.
In the case of client-specific signing keys, the discovery URL should look
like this:

https://login.microsoftonline.com/<tenantID>/.well-known/openid-configuration?appid=<clientID>

As you can see, there is the appid parameter at the end. Here's some Azure
explanation of why the keys are specific per app:
https://learn.microsoft.com/en-us/answers/questions/1163810/where-can-i-find-the-jwks-uri-for-azure-ad

I tried to add the discovery-url, obviously from cas.properties, but from
what I have debugged the value is hardcoded in:

org.pac4j.oidc.config.AzureAdOidcConfiguration

code snippet below:

    @Override
    public String getDiscoveryURI() {
        // tenant-only discovery document; no appid parameter can be added here
        return "https://login.microsoftonline.com/" + tenant
            + "/.well-known/openid-configuration";
    }

I also checked the latest pac4j sources, and the code is similar.

Here are the CAS properties that I added in order to enable this delegation:

cas.authn.pac4j.oidc[0].azure.tenant=tenantID
cas.authn.pac4j.oidc[0].azure.id=clientID
cas.authn.pac4j.oidc[0].azure.secret=secret
cas.authn.pac4j.oidc[0].azure.client-name=Azure
cas.authn.pac4j.oidc[0].azure.display-name=Azure Login
cas.authn.pac4j.oidc[0].azure.principal-attribute-id=name
cas.authn.pac4j.oidc[0].azure.callback-url=http://localhost:81/cas/login?client_name=Azure
cas.authn.pac4j.oidc[0].azure.discovery-uri=https://login.microsoftonline.com/tenantID/.well-known/openid-configuration?appid=clientID

So is this a limitation in pac4j? Is there any easy way to override
that discovery URL? I was thinking of trying something with Byte Buddy.

Any suggestions appreciated

thanks

You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/a4700cce-2e62-430a-9df1-1df0d271e1ffn%40apereo.org.
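One way to get the app-specific discovery document in front of pac4j, as an added example that is neither from this post nor from the pac4j project: a hypothetical subclass of AzureAdOidcConfiguration that appends the appid parameter. It assumes the accessors getTenant() (from AzureAdOidcConfiguration) and getClientId() (from OidcConfiguration) exist with those names, and it does not cover how CAS would be pointed at this class instead of the stock one, since the post does not establish that.

```java
package example.cas; // hypothetical package, not part of CAS or pac4j

import org.pac4j.oidc.config.AzureAdOidcConfiguration;

import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;

/**
 * Builds the app-specific discovery URI so that the JWKS pac4j fetches
 * contains the keys Azure AD actually signs this app's tokens with.
 * Without the appid parameter the tenant-wide JWKS is used, which is what
 * produces "no matching key(s) found" when the app has its own signing key.
 */
public class AppScopedAzureAdOidcConfiguration extends AzureAdOidcConfiguration {

    private static final String BASE = "https://login.microsoftonline.com/";

    // Kept as a pure static helper so the URL logic can be unit-tested
    // without initialising pac4j internals.
    static String buildDiscoveryUri(final String tenant, final String clientId) {
        if (tenant == null || tenant.isBlank()) {
            throw new IllegalStateException("Azure AD tenant is not configured");
        }
        String uri = BASE + tenant + "/.well-known/openid-configuration";
        // Only scope the discovery document to the app when a client id is set;
        // the client id is URL-encoded so a malformed value cannot alter the query.
        if (clientId != null && !clientId.isBlank()) {
            uri += "?appid=" + URLEncoder.encode(clientId, StandardCharsets.UTF_8);
        }
        return uri;
    }

    @Override
    public String getDiscoveryURI() {
        // getTenant() and getClientId() are assumed accessor names (see lead-in).
        return buildDiscoveryUri(getTenant(), getClientId());
    }
}
```

After wiring this class in, a quick sanity check is to fetch the returned discovery URI by hand and confirm that the jwks_uri it advertises lists the kid found in the header of a token issued to this app.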