
I am trying to secure the Vault UI and command-line login using the JWT/OIDC authentication method with Azure AAD as the provider. I am following the documentation but I end up with the following error message:

Token verification failed. error validating signature: failed to verify signature: failed to verify id token signature

Here are the steps I followed to setup the auth method

  1. Created an Azure App Registration allowing my redirect URLs
    1. http://localhost:8250/oidc/callback
    2. https://hostname:port_number/ui/vault/auth/oidc/oidc/callback
  2. I have the Group.Read.All permissions on the application and delegated type of the Microsoft Graph API
  3. Generated a secret and its token from the portal
  4. I am using the v2.0 endpoints https://login.microsoftonline.com/{my_tenant_id}/v2.0
  5. I specified the oidc scope as https://graph.microsoft.com/.default
  6. I modified the app manifest with "groupMembershipClaims": "All",

Then I logged in to Vault using token authentication and issued the following commands.

vault auth enable oidc
vault write auth/oidc/config @azuread-auth-config.json
# Success! Data written to: auth/oidc/config
vault write auth/oidc/role/default @azuread-default-role-config.json

The azuread-auth-config.json file has the following content

{
    "oidc_discovery_url": "https://login.microsoftonline.com/{my_tenant_id}/v2.0",
    "oidc_client_id": "{my_client_id}",
    "oidc_client_secret": "{my_client_secret}",
    "default_role": "default"
}

The azuread-default-role-config.json file has the following content

{
    "allowed_redirect_uris": [
        "http://localhost:8250/oidc/callback",
        "https://{my_hostname}/ui/vault/auth/oidc/oidc/callback",
        "http://localhost:8200/ui/vault/auth/oidc/oidc/callback"
    ],
    "groups_claim": "groups",
    "oidc_scopes": [
        "https://graph.microsoft.com/.default"
    ],
    "policies": [
        "default"
    ],
    "user_claim": "email",
    "bound_audiences": [
        "{my_client_id}"
    ],
    "verbose_oidc_logging": "true"
}

The line "verbose_oidc_logging": "true" has been added only for debugging purpose.

Login process I followed

Once I start the login process in the Vault UI, I get redirected to the URL

https://login.microsoftonline.com/{my_tenant_id}/oauth2/v2.0/authorize?client_id={my_client_id}&nonce=5e52640c66c2dsf64f5ds3f1sd46dc6717&redirect_uri=https%3A%2F%2F{my_hostname}%2Fui%2Fvault%2Fauth%2Foidc%2Foidc%2Fcallback&response_type=code&scope=openid+https%3A%2F%2Fgraph.microsoft.com%2F.default&state=744a03304e71ed7e4dedgrd3541544

Then I get the sign-in successful message, which closes the window by itself.

I am also tailing the logs on the Vault server and I can see that a token has been generated. If I go to https://jwt.ms and paste the JWT token, it gets decrypted and I can identify the proper values. I can see about ~90 groups under my user with the proper tenant ID and client ID.

If I try the login process using the command line (vault login -method oidc role=default) I get the same error message.

Code: 400. Errors:

* Token verification failed. error validating signature: failed to verify signature: failed to verify id token signature
DoRivard
  • Please have a look at this thread https://stackoverflow.com/questions/54979408/oidc-signature-verification – Tony Ju Feb 04 '20 at 06:47
  • @TonyJu yes this is true, on jwt.io we have to specify the HS256 algorithm instead of RS256 as mentioned in the MS documentation to see Signature Verified. I tried using the setting `jwt_supported_algs` to force HS256, but it doesn't seem to be a supported algorithm as per the plugin https://www.vaultproject.io/api/auth/jwt/index.html#inlinecode-jwt_supported_algs. – DoRivard Feb 04 '20 at 14:34
  • I have exactly the same configuration as you and I am not getting the email claim in Vault: `claim "email" not found in token`. I noticed that you have a double comma in the line `"user_claim": "email",,`, try to fix it, maybe it's not parsed well, and the roles are not visible in the web UI. – MUHAHA Mar 04 '20 at 15:54
  • @MUHAHA I double checked, I didn't have the double comma in my setup JSON. It was only here in the question. – DoRivard Mar 04 '20 at 18:54
  • @DoRivard did you ever find a solution to this? Stumbling on the same issue – Annerajb Jun 30 '20 at 02:26
  • Never figured it out, I ended up using LDAPS from the Azure Domain Services. – DoRivard Jul 01 '20 at 04:19
  • @Annerajb Did you find a solution? I face the same issue when verifying Azure tokens – athavan kanapuli Jan 26 '21 at 12:26
  • Never found it. – DoRivard Jan 27 '21 at 02:09

1 Answer


I ran into the same trouble. Removing the application from Azure and configuring it again helped.

My Vault role config that works:

vault write auth/oidc/role/<< oidc_role_name >> -<<EOF
{
  "allowed_redirect_uris" : ["http://localhost:8250/oidc/callback","https://vault.example.com:8200/ui/vault/auth/oidc/oidc/callback"],
  "user_claim" : "sub",
  "policies" : "default",
  "oidc_scopes" : "https://graph.microsoft.com/.default,profile,email",
  "verbose_oidc_logging" : "true"
}
EOF

In Azure API permissions I have:

  • email
  • Group.Read.All
  • GroupMember.Read.All
  • openid
  • profile
  • User.Read
  • Everything granted for my domain

Token configuration: Claim:

  • email (type: ID)
  • email (type: access)
  • groups (type: ID, Access, SAML)
  • upn (type: ID)
  • upn (type: Access)

Authentication: Implicit grant:

  • Access tokens
  • ID tokens
cinci
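As an added example (not code from the question, the answer or Vault), the following Python script decodes a token's header and claims without verifying the signature and compares them with a Vault oidc config and role: the signature algorithm against the list the JWT plugin supports (HS256 is not on it, as the comments note), iss against oidc_discovery_url, aud against oidc_client_id and bound_audiences, whether the audience is Microsoft Graph (the token a client receives for the https://graph.microsoft.com/.default scope is an access token for Graph, not the ID token Vault validates), and whether user_claim and groups_claim are actually present. It runs the question's role and the answer's role against constructed tokens; every GUID and token in it is a placeholder, except the Microsoft Graph application id, which is the well-known value.

```python
"""Offline sanity check of a Vault OIDC config/role pair against an Azure AD token.
Added example; not code from the question, the answer, or Vault. It does NOT verify
the signature (Vault does that against the JWKS fetched via oidc_discovery_url); it
decodes header and claims and flags the mismatches behind the errors in this thread.
All GUIDs and tokens below are constructed placeholders, not real values."""
import base64
import json

# Application id of the Microsoft Graph resource: a token with this aud is an
# access token for Graph, not the ID token issued to the Vault app.
GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"
# Algorithms the Vault JWT/OIDC plugin verifies (jwt_supported_algs). HS256 is
# absent: Vault only checks asymmetric signatures against the provider's JWKS.
VAULT_ALGS = {"RS256", "RS384", "RS512", "ES256", "ES384", "ES512",
              "PS256", "PS384", "PS512", "EdDSA"}


def _b64url_decode(part: str) -> bytes:
    # JWT segments are unpadded base64url; restore the padding first.
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def _b64url_encode(obj: dict) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def decode_unverified(token: str) -> tuple[dict, dict]:
    """Split a compact JWS into (header, claims) without checking the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[0])), json.loads(_b64url_decode(parts[1]))


def make_unsigned_token(header: dict, claims: dict) -> str:
    """Assemble a token with a dummy signature, only to construct sample input."""
    return f"{_b64url_encode(header)}.{_b64url_encode(claims)}.ZHVtbXk"


def _as_list(value) -> list:
    # Vault accepts lists or comma-separated strings for scopes and audiences.
    if isinstance(value, str):
        return [v.strip() for v in value.split(",") if v.strip()]
    return list(value or [])


def check_role_against_token(role: dict, config: dict, token: str) -> list[str]:
    """Return the mismatches that would make Vault reject this token for this role."""
    header, claims = decode_unverified(token)
    findings = []
    if header.get("alg") not in VAULT_ALGS:
        findings.append(f"alg={header.get('alg')}: not an algorithm the Vault JWT plugin verifies")
    if "kid" not in header:
        findings.append("header has no kid; Vault cannot select a key from the JWKS")
    # Vault checks iss against the issuer in the discovery document; for the
    # Azure v2.0 endpoint that issuer equals the discovery URL.
    iss, disc = claims.get("iss", ""), config.get("oidc_discovery_url", "")
    if iss.rstrip("/") != disc.rstrip("/"):
        findings.append(f"iss={iss} does not match oidc_discovery_url={disc}")
    auds = _as_list(claims.get("aud"))
    if config.get("oidc_client_id") not in auds:
        findings.append(f"aud={auds} does not contain oidc_client_id")
    bound = _as_list(role.get("bound_audiences"))
    if bound and not set(bound) & set(auds):
        findings.append(f"aud={auds} does not intersect bound_audiences={bound}")
    if GRAPH_APP_ID in auds or "https://graph.microsoft.com" in auds:
        findings.append("token is a Microsoft Graph access token, not the app's ID token")
    for key in ("user_claim", "groups_claim"):
        name = role.get(key)
        if name and name not in claims:
            findings.append(f'claim "{name}" ({key}) not found in token')
    # Seen in this thread: no email claim unless the email scope is requested;
    # the answer's role adds profile,email for that reason.
    if role.get("user_claim") == "email" and "email" not in _as_list(role.get("oidc_scopes")):
        findings.append("user_claim is email but oidc_scopes does not request the email scope")
    return findings


TENANT = "11111111-1111-1111-1111-111111111111"     # constructed placeholder
CLIENT_ID = "22222222-2222-2222-2222-222222222222"  # constructed placeholder
CONFIG = {"oidc_discovery_url": f"https://login.microsoftonline.com/{TENANT}/v2.0",
          "oidc_client_id": CLIENT_ID, "default_role": "default"}
QUESTION_ROLE = {"groups_claim": "groups", "user_claim": "email", "bound_audiences": [CLIENT_ID],
                 "oidc_scopes": ["https://graph.microsoft.com/.default"]}
ANSWER_ROLE = {"user_claim": "sub", "oidc_scopes": "https://graph.microsoft.com/.default,profile,email"}
_HDR = {"typ": "JWT", "alg": "RS256", "kid": "constructed-kid"}
_CLAIMS = {"iss": CONFIG["oidc_discovery_url"], "tid": TENANT, "sub": "constructed-sub",
           "groups": ["33333333-3333-3333-3333-333333333333"]}
ID_TOKEN = make_unsigned_token(_HDR, {**_CLAIMS, "aud": CLIENT_ID})        # app's ID token, no email
GRAPH_TOKEN = make_unsigned_token(_HDR, {**_CLAIMS, "aud": GRAPH_APP_ID})  # Graph access token
HS256_TOKEN = make_unsigned_token({"typ": "JWT", "alg": "HS256"}, {**_CLAIMS, "aud": CLIENT_ID})

if __name__ == "__main__":
    for label, role, tok in (("question role, ID token", QUESTION_ROLE, ID_TOKEN),
                             ("answer role, ID token", ANSWER_ROLE, ID_TOKEN),
                             ("question role, Graph token", QUESTION_ROLE, GRAPH_TOKEN)):
        print(label, check_role_against_token(role, CONFIG, tok) or "no findings")
```

To use it on a real login, replace ID_TOKEN with the token printed by verbose_oidc_logging and CONFIG/QUESTION_ROLE with your own JSON; the script never sends the token anywhere, and a clean result only means the claims fit the role, so a remaining "failed to verify id token signature" then points at the JWKS/key lookup rather than at the role.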