Issues with Entra ID using private_key_jwt from version 2.4.13.1 and newer

[uoe-pjackson]

Hi,

I'm having a bit of an issue using Entra ID with private_key_jwt on newer versions. I am using the following config on Rocky 8 with Apache HTTP Server 2.4.37-65 (actual domain replaced with example.com)

<VirtualHost *:443>

  ## Vhost docroot
  DocumentRoot "/var/www/html"

  SSLEngine on
  SSLCertificateFile      /root/example.com.crt
  SSLCertificateKeyFile /root/example.com.key

  <Location "/">
    Require valid-user
    AuthType openid-connect
    RewriteEngine On
  </Location>

  ## Logging
  ErrorLog "/var/log/httpd/example.com-80_error.log"
  ServerSignature Off
  CustomLog "/var/log/httpd/example.com-80_access.log" "%a %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O %D"
  LogLevel auth_openidc:trace5

  OIDCProviderMetadataURL https://login.microsoftonline.com/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/v2.0/.well-known/openid-configuration
  OIDCScope "openid profile"
  OIDCRemoteUserClaim preferred_username ^(.*)@example.com
  OIDCClientID xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
  OIDCCryptoPassphrase xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
  OIDCPrivateKeyFiles /root/example.com.key
  OIDCPublicKeyFiles /root/example.com.crt
  OIDCProviderTokenEndpointAuth private_key_jwt
  OIDCRedirectURI /oidc/redirect
  OIDCOutgoingProxy example.com:3128
</VirtualHost>

This is working ok with mod_auth_openidc 2.4.12.3 however when upgrading to 2.4.13.1 and newer up to and including 2.4.16.3 it fails with an error:

[Thu Sep 26 18:38:45.006515 2024] [auth_openidc:error] [pid 40465:tid 140300529047296] [client 192.168.0.1:61265] oidc_util_json_string_print: oidc_util_check_json_error: response contained an "error_description" entry with value: ""AADSTS700027: The certificate with identifier used to sign the client assertion is not registered on application. [Reason - The key was not found., Please visit the Azure Portal, Graph Explorer or directly use MS Graph to see configured keys for app Id 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx'.

This appears to similar to the issue that was experienced in #762

I've decoded the client_assertion and it appears that x5t value is missing in version > 2.4.13.1

Working version 2.4.12.3

{"alg": "RS256",
 "kid": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
 "x5t": "xxxxxxxxx"}
 .
{"iss":"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
"sub":"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
"aud":"https://login.microsoftonline.com/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/oauth2/v2.0/token",
"jti":"xxxxxxxxxxxxxx",
"exp":1727371747,
"iat":1727371687}

Not Working version 2.4.13.2

{"alg": "RS256",
 "kid": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxx"}
 .
{"iss":"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
"sub":"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
"aud":"https://login.microsoftonline.com/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/oauth2/v2.0/token",
"jti":"xxxxxxxxxxxxxx",
 "exp":1727371332,
 "iat":1727371272}}

Please let me know any logs I can supply that can help.

Thanks!

[zandbelt]

thanks for the thorough reporting, it is indeed broken since 2.4.13 and fixed just now in 0da9545, thanks!

[uoe-pjackson]

Excellent I'll await the 2.4.16.4 release and give it a test.
Thanks for the very quick fix!

[zandbelt]

this is now released in https://github.com/OpenIDC/mod_auth_openidc/releases/tag/v2.4.16.4