[Azure AD Mobile Plugin] Microsoft Graph instead of Azure AD Graph

Forge Component
Published on 16 Jan by Pedro Costa
6 votes

Hello,

I found the following description in a Microsoft document.

We strongly recommend that you use Microsoft Graph instead of Azure AD Graph, Office 365 Mail API, etc.

https://docs.microsoft.com/azure/active-directory/develop/v2-permissions-and-consent

So I attempted to use https://graph.microsoft.com (Microsoft Graph) instead of https://graph.windows.net (Azure AD Graph) as the ResourceURI argument of the ADALLogin action.
Then the JWT_ValidateToken action included in ADALLogin failed.

Validate Token and User error: IDX10503: Signature validation failed. Keys tried: '[PII is hidden]'.
Exceptions caught:
 '[PII is hidden]'.
token: '[PII is hidden]'.

How do I use Microsoft Graph instead of Azure AD Graph?

Best regards,
Moriya Takasi

Hi Takasi,

Did you fill out the site property IdentityProvider?

Did you add the correct permissions to your Azure portal application (for Microsoft Graph instead of Azure AD Graph)?


To see the details of the error (instead of 'PII is hidden'), I think we need to change the JWT extension.

using Microsoft.IdentityModel.Logging;
IdentityModelEventSource.ShowPII = true; // Show the details of the error and see the problem


https://github.com/IdentityServer/IdentityServer4/issues/2186#issuecomment-407959886


Thanks

Hello Pedro,

Thank you for your quick reply.

Did you fill out the site property IdentityProvider?

Yes. I filled the site property with https://sts.windows.net/<my-tenant-id>/.
And the validation succeeded when I used the Azure AD Graph resource URI.

I revealed the error message by modifying the extension you mentioned.
(I masked some characters.)

Validate Token and User error: IDX10503: Signature validation failed. Keys tried: 'Microsoft.IdentityModel.Tokens.X509SecurityKey , KeyId: ie_qWCXhXxt1zIEsu4c7acQVGn4'.
Exceptions caught:
 ''.
token: '{"typ":"JWT","nonce":"mg5Xq3aHzUs-i99ftq7m7xL7r2T11xJKPJ3TMM4ji1Q","alg":"RS256","x5t":"ie_qWCXhXxt1zIEsu4c7acQVGn4","kid":"ie_qWCXhXxt1zIEsu4c7acQVGn4"}.{"aud":"https://graph.microsoft.com","iss":"https://sts.windows.net/bb49xxxx-xxxx-xxxx-xxxx-xxxxxx259d0b/","iat":1568941345,"nbf":1568941345,"exp":1568945245,"acct":0,"acr":"1","aio":"42FgYFip9n/uow9iXMUyaYmhalxpNQd2mh+15NjV7zfV8u7e57kA","amr":["pwd"],"app_displayname":"OS Azure AD Test","appid":"21b2xxxx-xxxx-xxxx-xxxx-xxxx0bdf757d","appidacr":"0","ipaddr":"153.236.207.97","name":"Test User","oid":"a1e3xxxx-xxxx-xxxx-xxxx-xxxx54a27f88","platf":"2","puid":"1003200067526BF1","scp":"Directory.AccessAsUser.All User.Read","sub":"a6vcMvQZf1EYx-LUCqOEdL8s-edImVlUrtdsx_adEIY","tid":"bb49xxxx-xxxx-xxxx-xxxx-xxxxc1259d0b","unique_name":"test@takasxxxxx.onmicrosoft.com","upn":"test@takasxxxxx.onmicrosoft.com","uti":"yi4vunNmm0O6mI8h0BBCAA","ver":"1.0","xms_tcdt":1493187223}'

Could you figure out the cause of it?

By the way, could you use the Microsoft Graph resource URI instead of the Azure AD Graph URI on your site?

I'd appreciate your help.
Thank you.

Best regards,
Moriya Takasi

Hi Takasi,

I searched for this error and found a possible solution, but I don't have time to test it now.

"The issue you are facing is caused by the null first byte. This is contrary to the JWA. .NET Core will account for the null byte and .NET framework, apparently, won't."

First link: https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/issues/1122#issuecomment-475805665

Second link: https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/issues/877#issuecomment-431113178


Solution: change the ValidateToken action in the extension and add the code marked as the solution in the second link.


Regards
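
The quoted comment is about how the signing key is encoded in the tenant's JWKS, not about the token itself. RFC 7518 section 6.3.1.1 defines the "n" member of an RSA JWK as the unsigned big-endian modulus with no leading zero octet, whereas a DER INTEGER holding the same modulus starts with a 0x00 byte because its top bit is set, so a 2048-bit modulus shows up as 257 instead of 256 bytes. The Go program below is an added example, not code from the plugin, the JWT extension or the linked issues: it signs a token with a freshly generated key, publishes the modulus in both forms, verifies with a parser that rejects the leading null byte (a stand-in for the .NET Framework behaviour the comment describes, not that code) and with one that strips it, and shows that a tampered payload fails regardless of how the key was encoded. The key id "demo-kid" and the claims are made up for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
)

var b64 = base64.RawURLEncoding // JWS and JWK use base64url without padding

// SignRS256 builds header.payload.signature with RSASSA-PKCS1-v1_5 over SHA-256.
func SignRS256(priv *rsa.PrivateKey, kid string, claims map[string]string) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"typ": "JWT", "alg": "RS256", "kid": kid})
	pl, _ := json.Marshal(claims) // string-only maps cannot fail to marshal
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(pl)
	h := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, h[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64.EncodeToString(sig), nil
}

// VerifyRS256 checks the signature over header.payload exactly as received.
func VerifyRS256(token string, pub *rsa.PublicKey) error {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return errors.New("malformed token")
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil {
		return err
	}
	h := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig)
}

// ModulusToJWK encodes the "n" member of an RSA JWK: unsigned big-endian, no
// leading zero (RFC 7518). withNullByte prepends the DER-style 0x00 instead.
func ModulusToJWK(n *big.Int, withNullByte bool) string {
	raw := n.Bytes() // minimal big-endian, never starts with 0x00
	if withNullByte {
		raw = append([]byte{0}, raw...)
	}
	return b64.EncodeToString(raw)
}

// PublicKeyFromJWK rebuilds the key. strict models a validator that rejects a
// leading null byte; lenient strips it. The integer value is the same either way.
func PublicKeyFromJWK(nB64 string, e int, strict bool) (*rsa.PublicKey, error) {
	nRaw, err := b64.DecodeString(nB64)
	if err != nil {
		return nil, err
	}
	if len(nRaw) > 0 && nRaw[0] == 0 {
		if strict {
			return nil, errors.New("jwk n has a leading null byte, contrary to RFC 7518")
		}
		nRaw = nRaw[1:]
	}
	return &rsa.PublicKey{N: new(big.Int).SetBytes(nRaw), E: e}, nil
}

// DemoResult records which verifications in Demo succeeded.
type DemoResult struct{ CorrectOK, NullStrictOK, NullLenientOK, TamperedOK bool }

// Demo signs with a fresh 2048-bit key and verifies against both modulus encodings.
func Demo() (DemoResult, error) {
	var r DemoResult
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return r, err
	}
	tok, err := SignRS256(priv, "demo-kid", map[string]string{"aud": "https://graph.windows.net"})
	if err != nil {
		return r, err
	}
	verify := func(t, nB64 string, strict bool) bool {
		pub, err := PublicKeyFromJWK(nB64, priv.E, strict)
		return err == nil && VerifyRS256(t, pub) == nil
	}
	good, bad := ModulusToJWK(priv.N, false), ModulusToJWK(priv.N, true)
	parts := strings.Split(tok, ".")
	tampered := parts[0] + "." + b64.EncodeToString([]byte(`{"aud":"https://graph.microsoft.com"}`)) + "." + parts[2]
	r.CorrectOK, r.NullStrictOK = verify(tok, good, true), verify(tok, bad, true)
	r.NullLenientOK, r.TamperedOK = verify(tok, bad, false), verify(tampered, good, true)
	return r, nil
}

func main() {
	r, err := Demo()
	fmt.Printf("%+v err=%v\n", r, err)
}
```

Demo returns CorrectOK and NullLenientOK true, NullStrictOK and TamperedOK false. Stripping the null byte changes nothing about the key's value, only its length, which is why the lenient parser is safe; the integrity property comes from VerifyRS256 covering the header and payload bytes exactly as received, so the altered payload fails no matter which key encoding was used.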

Hello Pedro,

Thank you for your investigation.
I applied your solution to my environment and got another error.

The input is not a valid Base-64 string as it contains a non-base 64 character, more than two padding characters, or an illegal character among the padding characters.

It seems that your code snippet assumes the length of ssAccessToken is about 341 bytes (= 256 or 257 * 4 / 3).
However, the length of ssAccessToken in my environment is 1619 bytes.
Its first character is not '0', and the first part of the third block (split by the period character) of ssAccessToken is not '0' either.
Your solution is aimed at the case where the character is '0', isn't it?

ssAccessToken in my environment (some characters were omitted):

eyJ0eXAiOiJKV1QiLCJub25jZSI6IkVVbkl3OEhF<<<1227 characters were omitted>>>E4NzIyM30.lOpH-2rNSZlLOSsw3UYn74Cm7WSDjq7tOtA7C4QcfJ9dsvCzW-5NDuedVP8M3Yxo12n0kP7v7DpuySkzHoNFhn9cbUPDUEB-Sc-LqhC3DKJC4o-eLjw2qnTIAnBsL2nhKoG3Fi0poIPakJrQw0PQz3PSvC9cGoZpCKhHMPzIcxNiBcfEeaOAMrdGHLBEFh9OsygrhPgB1hl53E-mqkoHEV4M3BZsTjHwuw3Qb9FjTeAusHMtgGQdqcClHH5JMg1Pevmt3jHzPsm8Nva3XmiffwVY0JryPn3dYKVEP3fiFKP2lyYcnTqem4kwW4MWoUkwimOpbdJ-U6NtyF1kzo8yig

I'd appreciate your help.

Best regards,
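
The signature is what the extension is failing on, but the rest of a JWT is readable without any key: the header and payload are base64url text, not ciphertext, and the signature only protects their integrity. The Go program below is an added example, not code from the Azure AD plugin, the JWT extension or either participant. It does offline what jwt.io does in the browser: splits a token, decodes the header and payload, and applies the audience, issuer and validity-window checks a resource server makes before trusting the claims. The sample token is constructed from the header and claims quoted earlier in the thread (masked identifiers kept as posted) over a dummy signature, so it cannot pass a signature check; the only real data reused is the third segment of the token in the post above, which decodes to exactly 256 bytes, the RS256 signature size for a 2048-bit key, but only with a base64url decoder. A standard base64 decoder, which is what .NET's Convert.FromBase64String is, rejects it with the same "not a valid Base-64 string" message quoted in this post. Two caveats the checks cannot replace: decoding is not verifying, and the `nonce` field in the posted header marks an access token minted for Microsoft Graph itself to validate, so a third-party RS256 check over the header bytes as received is not expected to succeed for such a token.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// Token holds the decoded parts of a compact JWS. SigningInput keeps the
// header.payload text exactly as received, because that is what RS256 signs.
type Token struct {
	Header, Claims map[string]any
	Signature      []byte
	SigningInput   string
}

// ParseToken splits and base64url-decodes a token (RFC 7515: no padding, '-'
// and '_' in the alphabet, which a standard base64 decoder rejects). It does
// not verify the signature, so nothing in Claims may be trusted yet.
func ParseToken(token string) (*Token, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("expected 3 segments, got %d", len(parts))
	}
	t := &Token{SigningInput: parts[0] + "." + parts[1]}
	for i, dst := range []*map[string]any{&t.Header, &t.Claims} {
		raw, err := base64.RawURLEncoding.DecodeString(parts[i])
		if err == nil {
			err = json.Unmarshal(raw, dst)
		}
		if err != nil {
			return nil, fmt.Errorf("segment %d: %w", i, err)
		}
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return nil, fmt.Errorf("signature segment: %w", err)
	}
	t.Signature = sig
	return t, nil
}

// CheckClaims is the resource-server side: the token must be addressed to us
// (aud), issued by the tenant we trust (iss, the IdentityProvider site
// property) and inside its validity window (nbf/exp). now is Unix seconds.
func CheckClaims(claims map[string]any, wantAud, wantIss string, now int64) error {
	if aud, _ := claims["aud"].(string); aud != wantAud {
		return fmt.Errorf("aud %q, want %q", aud, wantAud)
	}
	if iss, _ := claims["iss"].(string); iss != wantIss {
		return fmt.Errorf("iss %q, want %q", iss, wantIss)
	}
	nbf, okN := claims["nbf"].(float64) // JSON numbers decode as float64
	exp, okE := claims["exp"].(float64)
	switch {
	case !okN || !okE:
		return fmt.Errorf("nbf/exp missing or not numeric")
	case float64(now) < nbf:
		return fmt.Errorf("token not valid before %.0f", nbf)
	case float64(now) >= exp:
		return fmt.Errorf("token expired at %.0f", exp)
	}
	return nil
}

// ConstructedToken is a sample built from the header and claims quoted earlier
// in the thread (masked IDs kept as posted) over a dummy signature; Azure AD
// did not issue it and it cannot pass any signature check.
func ConstructedToken() string {
	enc := func(v any) string {
		b, _ := json.Marshal(v)
		return base64.RawURLEncoding.EncodeToString(b)
	}
	header := map[string]any{"typ": "JWT", "alg": "RS256", "kid": "ie_qWCXhXxt1zIEsu4c7acQVGn4",
		"nonce": "mg5Xq3aHzUs-i99ftq7m7xL7r2T11xJKPJ3TMM4ji1Q"}
	claims := map[string]any{
		"aud": "https://graph.microsoft.com",
		"iss": "https://sts.windows.net/bb49xxxx-xxxx-xxxx-xxxx-xxxxxx259d0b/",
		"iat": 1568941345, "nbf": 1568941345, "exp": 1568945245,
		"scp": "Directory.AccessAsUser.All User.Read", "ver": "1.0",
	}
	return enc(header) + "." + enc(claims) + "." + enc("dummy-signature")
}

// PostedSignatureSegment is the third segment of the token posted above.
const PostedSignatureSegment = "lOpH-2rNSZlLOSsw3UYn74Cm7WSDjq7tOtA7C4QcfJ9dsvCzW-5NDuedVP8M3Yxo12n0kP7v7DpuySkzHoNFhn9cbUPDUEB-Sc-LqhC3DKJC4o-eLjw2qnTIAnBsL2nhKoG3Fi0poIPakJrQw0PQz3PSvC9cGoZpCKhHMPzIcxNiBcfEeaOAMrdGHLBEFh9OsygrhPgB1hl53E-mqkoHEV4M3BZsTjHwuw3Qb9FjTeAusHMtgGQdqcClHH5JMg1Pevmt3jHzPsm8Nva3XmiffwVY0JryPn3dYKVEP3fiFKP2lyYcnTqem4kwW4MWoUkwimOpbdJ-U6NtyF1kzo8yig"

// DecodePostedSignature returns the decoded length under base64url and whether
// a standard base64 decoder (which is what .NET's Convert.FromBase64String is) accepts it.
func DecodePostedSignature() (int, bool) {
	_, stdErr := base64.StdEncoding.DecodeString(PostedSignatureSegment)
	sig, err := base64.RawURLEncoding.DecodeString(PostedSignatureSegment)
	if err != nil {
		return 0, false
	}
	return len(sig), stdErr == nil
}
```

ParseToken and CheckClaims are the entry points; DecodePostedSignature returns (256, false) for the posted segment. On a real token, CheckClaims runs only after the signature has verified against the tenant's published signing keys, and wantAud is the resource URI the token was requested for (the plugin's ResourceURI argument), which is exactly why a token with aud https://graph.microsoft.com is not accepted by a check expecting https://graph.windows.net.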

Hi Takasi,


Have you tried putting the AccessToken into this site, https://jwt.io/, to see what the result is?

The error is only in the validate token step, right? Is the login working?

Hello Pedro,

Thank you for your comment.
I got the AccessToken value again and put it into jwt.io as you mentioned.

Where can I find my private key to validate the signature here?

The error is only in the validate token step, right? Is the login working?

I think so. The action flow of ADALLogin runs up to the validation step without any errors.

Best regards,
Moriya Takasi

Hi Takasi,


Sorry for the delay, are you still having this problem?

Hello Pedro, 

Yes. My problem is still here.

Can you use the Microsoft Graph resource URI instead of the Azure AD Graph URI on your site?

Hi Takasi,


What seems strange to me is that the problem is not with the login; you said that the flow runs without errors until the validation of the token. I can't find a reason for the validation to fail when using Microsoft Graph instead of Azure AD Graph.


You may be able to use another extension to decode the token and check the result: https://www.outsystems.com/forge/component-overview/1853/jwt


The app is well configured on the Azure portal.

The site property is also well populated.

Try using this component and see the result.


Edit: See https://docs.microsoft.com/pt-br/azure/active-directory/develop/msal-overview

 https://docs.microsoft.com/pt-br/azure/active-directory/develop/azure-ad-endpoint-comparison


I think I found the problem.


Important

v1.0 and v2.0 tokens can be issued by both the v1.0 and v2.0 endpoints! id_tokens always match the endpoint they're requested from, and access tokens always match the format expected by the Web API your client will call using that token. So if your app uses the v2.0 endpoint to get a token to call Microsoft Graph, which expects v1.0 format access tokens, your app will receive a token in the v1.0 format.


Differences between ADAL and MSAL

Active Directory Authentication Library (ADAL) integrates with the Azure AD for developers (v1.0) endpoint, where MSAL integrates with the Microsoft identity platform (v2.0) endpoint. The v1.0 endpoint supports work accounts, but not personal accounts. The v2.0 endpoint is the unification of Microsoft personal accounts and work accounts into a single authentication system. Additionally, with MSAL you can also get authentications for Azure AD B2C.

For more specific information, read about migrating to MSAL.NET from ADAL.NET and migrating to MSAL.js from ADAL.js.


Hello Pedro, 

I tried to use the JWT extension you mentioned, but I couldn't figure out which action I have to use or what values I have to assign to the action's arguments.

I think I found the problem.

Do you mean that Microsoft Graph resource URI (https://graph.microsoft.com) is for MSAL, not for ADAL?

Do you mean that Microsoft Graph resource URI (https://graph.microsoft.com) is for MSAL, not for ADAL?

Yes, Microsoft Graph is used with the v2.0 endpoint, and the ADAL plugin uses the v1.0 endpoint.


And the token generated for each endpoint is different.

https://docs.microsoft.com/pt-br/azure/active-directory/develop/azure-ad-endpoint-comparison

Yes, Microsoft Graph is used with the v2.0 endpoint, and the ADAL plugin uses the v1.0 endpoint.

So it was natural that I could not use the ADALPlugin with the Microsoft Graph resource URI.
It all makes sense now.

Thank you for helping me.

Do you have a plan to release a new plugin for the v2.0 endpoint?

Best regards,
Moriya Takasi

Hi Takasi,


I should have time to look into this from Wednesday.

Should I create a new component for MSAL Auth?


Regards

I'm glad to hear from you.
Adding an MSALLogin action to the current component would also be welcome for me.