I cannot find a configuration where I could change the jwks_uri body. I saw that the Azure B2C jwks_uri returns a JWKS with or without an x5c entry. Is it possible to configure Azure AD to return a JWKS without the x5c array?
The certificate is in the jwks_uri content regardless. x5c is just the cert chain; it's the same as the n and e values, but encoded differently. What are you trying to accomplish by requesting to do this? Also, no, it is not possible.
If you are trying to validate, you should be using the modulus and exponent values anyway (e and n). Here's a good piece of code for doing that: Difference between Azure AD and Azure AD B2C tokens. In the comments there is a good deal of links that detail the process.
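Validating against n and e rather than x5c, as an added Go example (not the code linked in the answer above): the issuer side is a constructed stand-in that generates a key and publishes only n and e, and the relying-party side rebuilds the RSA public key from those two members and checks the RS256 signature. The names verifyRS256 and issueTestToken are the example's own.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"math/big"
	"strings"
)

var b64 = base64.RawURLEncoding // JWKs and JWTs both use unpadded base64url

// verifyRS256 rebuilds the RSA public key from the JWKS entry's n and e members
// alone (an x5c chain, when present, carries the same key DER-encoded) and
// checks the compact JWT's signature over header.payload.
func verifyRS256(token, n, e string) error {
	nb, errN := b64.DecodeString(n)
	eb, errE := b64.DecodeString(e)
	parts := strings.Split(token, ".")
	if errN != nil || errE != nil || len(parts) != 3 {
		return rsa.ErrVerification // bad key encoding, or not header.payload.signature
	}
	pub := &rsa.PublicKey{N: new(big.Int).SetBytes(nb), E: int(new(big.Int).SetBytes(eb).Int64())}
	sig, err := b64.DecodeString(parts[2])
	if err != nil {
		return err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig)
}

// issueTestToken is a constructed stand-in for the identity provider: it generates
// a signing key, exposes only n and e (no x5c) and signs a constructed token with it.
func issueTestToken() (token, n, e string, err error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return "", "", "", err
	}
	n, e = b64.EncodeToString(priv.N.Bytes()), b64.EncodeToString(big.NewInt(int64(priv.E)).Bytes())
	token = b64.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + b64.EncodeToString([]byte(`{"sub":"constructed-user"}`))
	digest := sha256.Sum256([]byte(token))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	return token + "." + b64.EncodeToString(sig), n, e, err
}

func main() {
	tok, n, e, _ := issueTestToken()
	fmt.Println("signature valid:", verifyRS256(tok, n, e) == nil)
}
```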
TL;DR: Is it possible to hit the Azure B2C auth server and have it return to a URL on the app (so a full round-trip) a JWT with altered claims? I.e. not as part of signing in - that has already happened and we are using a JWT already.
I have successfully set up Azure B2C to use a custom policy that hits a REST API to get extra claims information.
However, I have a certain situation where I want the user to specify a "mode" and have their JWT altered by Azure B2C to set the current mode as a claim.
Basically, the REST API will return something like:
{
"available_modes":"1,2,3"
}
And then I want the user to be able to change this so that they can select a mode, e.g. "2". Is there a way to hit the auth server and have it hit, say, https://myapi.com?mode=2, passing through the username claim to that API endpoint? Then the auth server would return the JWT that ultimately has been altered to set something like the "current_mode" claim value to "2".
This is a somewhat contrived example, but I hope it makes sense. Would it be possible, via a custom claim, to have it go off to the auth server and back in one round trip, returning with a new JWT?
Documentation is quite vague and everything related to this subject mostly points towards AAD.
The requirement I have is to be able to show a video only to users who have a specific permission. This can be as simple as having a claim in their JWT. Using AAD isn't an option so I was wondering if there is any other way I can achieve this.
The way I could imagine this working is that you can specify a claim that you want Azure Media Services to check that the incoming JWT has, and then specify the token's AES key or provide a certificate if you choose to go with RS token encryption.
It is NOT required to use any specific token provider (such as Azure AD). You can definitely create your own JWT provider (a so-called STS, Secure Token Service), using asymmetric key encryption. In your STS, you can add custom claims as desired based on your business logic.
Make sure the issuer, audience and claims all match up exactly between what is in JWT and the ContentKeyPolicyRestriction used in ContentKeyPolicy in Azure Media Services.
I'm quite new to OpenID Connect, so excuse me if I still miss some basic concept.
I have a SPA-style web application I'm developing for my company (AspNet Core + Aurelia).
I want to use Azure AD via OpenID Connect for authentication and authorization. Everything works very well so far; I'm able to obtain a token and sign in.
The problem is that my application needs to provide to the client's browser some app-specific claims like: can read X, can edit Y...
If I add these claims to the JWT token provided by Azure AD, obviously it will become invalid, as the signature will not match the content.
If I generate a new token with the new claims, but signed with the app key, obviously it will be a different token valid only in the context of my app (what if I'll later need to access some other resource using the Azure AD token? Is it a good idea to insert the Azure AD token as a claim of the newly issued token?)
Is there something I'm missing in OpenID Connect? Or is there a way to add claims to a token issued by a 3rd-party provider like Azure AD while keeping the token valid? Maybe a way to ask Azure AD to add claims to the token and re-sign it?
I think a good way to solve this situation may be to obtain an access_token for my own application's API (from my app backend) in exchange for the id_token provided by Azure (after its validation),
so the application frontend in the browser will own two tokens and will be able to use the correct one for each type of request.
There are some standardized flows that are quite similar to this, but not exactly the same.
You could try to use a custom claim mapping policy. This is documented here.
This feature is used by tenant admins to customize the claims emitted in tokens for a specific application in their tenant.
As far as I can understand, this is still in preview stage. So it may require some trial and error verification.
Alternatively, you can define some policy in your application itself. Given that you know the client IDs from your application (since you need to use them for OpenID Connect requests), you may create a simple policy to check tokens and perform verifications.
When you use OpenID Connect with Azure AD, the issued JWT (id token) is signed with an asymmetric key. I saw that the public key to verify that signature is available in the metadata file, https://login.microsoftonline.com/common/discovery/keys. However, I couldn't find any documentation about how those keys are generated. How can you change the keys that are available there, or how can I specify a different key to sign the JWTs for my tenant?
All sources and information suggest that this certificate rollover is done by Azure AD themselves. Consumers are not able to do a manual rollover or put in a certificate of their preference. This claim is supported by this answer. Also, please check this press release, which mentions a rollover that happened in 2016.
From your end you must be ready to accept a rollover at any time. Best practice is to fetch key information through the discovery document. This is explained in the OpenID Connect documentation.
According to this piece of documentation, the only way to have your own signing key for your application is custom claims mapping, although the description is very vague and instructions on how to do it are scarce.
I have a multitenant AAD app for which token validation needs to be done. I have access to the token in the 'TokenValidated' event handler. For now, I have the property 'ValidateIssuer' set to true. Looking online, I noticed that in a lot of places this property is set to false for multitenant applications and there is a mention of custom validation. Can someone tell me what extra token validation needs to be done for multitenant applications? Examples will be helpful.
I have read about ValidatingIssuerNameRegistry, but don't know if that applies in my scenario since we do not restrict any specific tenants.
Thanks
-Ravi
Here's a great article on token validation you may find helpful. The Azure AD Token Claims Article is also extremely useful.
Issuer validation is used to indicate the STS that issued the token and the tenant for which it was issued. So in the case of a multi-tenant app, you may choose to turn off issuer validation so as not to limit any tenants from signing in. In the single-tenant or n-tenant case, you can use this to only allow tokens from specific tenants.
The other validation necessary is signature validation. Doing this ensures the token was actually minted by Azure AD (the issuing authority) and not fabricated by some nefarious source.
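The custom issuer check that replaces ValidateIssuer=true in the multi-tenant case, as an added Go example that is not part of the answer above: it stands in for the logic you would run in the TokenValidated handler and assumes the token's signature has already been verified. The two issuer formats are Azure AD's v1.0 (sts.windows.net) and v2.0 (login.microsoftonline.com/{tid}/v2.0) issuers; the tenant id and client id in main are constructed placeholders.

```go
package main

import (
	"fmt"
	"regexp"
)

// Azure AD embeds the tenant id in the issuer, so a multi-tenant app cannot pin
// a single issuer string; it can still require the issuer to have the Azure AD
// shape and to name the same tenant as the token's tid claim.
const (
	issuerV1 = "https://sts.windows.net/%s/"                // v1.0 endpoint tokens
	issuerV2 = "https://login.microsoftonline.com/%s/v2.0" // v2.0 endpoint tokens
)

var tenantIDRe = regexp.MustCompile(`(?i)^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$`)

// claims is the subset of an already signature-verified token that this check reads.
type claims struct{ Iss, Tid, Aud string }

// validateMultiTenant is the custom step that replaces ValidateIssuer=true:
// the audience must be this app, tid must be a tenant GUID, and iss must be
// that tenant's Azure AD issuer in either the v1.0 or the v2.0 format.
func validateMultiTenant(c claims, clientID string) error {
	if c.Aud != clientID {
		return fmt.Errorf("audience %q is not this application", c.Aud)
	}
	if !tenantIDRe.MatchString(c.Tid) {
		return fmt.Errorf("tid %q is not a tenant id", c.Tid)
	}
	if c.Iss != fmt.Sprintf(issuerV1, c.Tid) && c.Iss != fmt.Sprintf(issuerV2, c.Tid) {
		return fmt.Errorf("issuer %q does not belong to tenant %s", c.Iss, c.Tid)
	}
	return nil
}

func main() {
	// Constructed claims: the tenant id and client id are placeholders, not real values.
	tid := "11111111-2222-3333-4444-555555555555"
	good := claims{Iss: fmt.Sprintf(issuerV2, tid), Tid: tid, Aud: "my-client-id"}
	crossTenant := claims{Iss: fmt.Sprintf(issuerV2, "99999999-2222-3333-4444-555555555555"), Tid: tid, Aud: "my-client-id"}
	fmt.Println("same tenant:", validateMultiTenant(good, "my-client-id"))
	fmt.Println("issuer/tid mismatch:", validateMultiTenant(crossTenant, "my-client-id"))
}
```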