
After reading the following article:

http://blogs.technet.com/b/ad/archive/2015/08/12/azure-ad-microsoft-account-preview-sign-in-personal-and-work-accounts-using-a-single-stack.aspx

I tried to implement an OpenID Connect/Oauth code flow per the documentation at:

https://azure.microsoft.com/en-us/documentation/articles/active-directory-appmodel-v2-overview/

I'm using mod_auth_openidc as my Relying Party (which I have working with both Google and my own OpenID Provider).

I've registered my app at https://apps.dev.microsoft.com and gone through all the steps. I get the login screen at Microsoft, then the permissions screen, and when it redirects back to my site and hits mod_auth_openidc I get an error that says:

Error:

The OpenID Connect Provider returned an error: Error in handling response type.

In my Apache error logs I get:

oidc_proto_validate_code_response: requested flow is "code" but no "access_token" parameter found in the code response, referer: https://login.microsoftonline.com/common/oauth2/v2.0/authorize?response_type=code&scope=openid&client_id=xxx&state=yyy&redirect_uri=https%3A%2F%2Fdst-dev.mydomain.com%2Foauth2callback&nonce=zzz

and

oidc_proto_resolve_code_and_validate_response: code response validation failed

What I'm trying to figure out is where the problem lies. Is there an issue with what Microsoft is sending mod_auth_openidc, or is there a bug or configuration issue on the mod_auth_openidc side?

Severun

1 Answer

The example on the MS web pages uses a different response mode and response type in the authentication request:

&response_mode=form_post&response_type=code+id_token

both are supported by mod_auth_openidc so you could apply something similar by including:

OIDCResponseType id_token
OIDCResponseMode form_post

in the Apache configuration, or by using the associated primitives in the .conf file for Microsoft when using multiple providers.

Hans Z.
  • I'm using the meta files so adding response_type and response_mode to my .provider file did the trick. There is a bit of secret sauce here. On their doc page, there is an incorrect URL. The URL: https://login.microsoftonline.com/common/v2.0/.well-known/configuration should be https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration. You stick the output from the above in your .provider meta file. There is a problem with the output where it has {tenant} in your issuer field. You have to do a login attempt which will throw an error. – Severun Sep 11 '15 at 22:30
  • The error thrown is: oidc_proto_validate_jwt: requested issuer (https://login.microsoftonline.com/{tenantid}/v2.0/) does not match received "iss" value in id_token (https://login.microsoftonline.com/xxxxyyyyzzzz/v2.0). You can then take the xxxxyyyyzzzz value and plug that into your meta names for .client, .provider and .conf, then update the value in the .provider file to match the URL in the message. After that it all appears to work as expected. Thank you very much Hans. Hope the above helps someone else figure this out. – Severun Sep 11 '15 at 22:31
  • Another item of note. This is currently a preview version and should not be used in production, MS may make changes that break implementations (according to the doc on the MS site). – Severun Sep 11 '15 at 22:35
  • Nice work! If you'd create a writeup of this I'd link to it from the mod_auth_openidc project wiki; I am assuming that `code` will be properly supported by MS soon – Hans Z. Sep 11 '15 at 22:45
  • I created a writeup and posted it at http://geektravelling.blogspot.com/2015/09/getting-openid-connect-microsoft.html . And thank you very much sir, you are awesome. If you ever make it down Southern California way, look me up for some free surfing lessons. – Severun Sep 12 '15 at 00:37
  • Thanks, added here https://github.com/pingidentity/mod_auth_openidc/wiki/Useful-Links; I will keep that offer in mind :-) – Hans Z. Sep 12 '15 at 06:17
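The procedure worked out in the answer and the comments above (put response_type/response_mode in the per-provider .conf file, fetch the v2.0 discovery document, replace the literal `{tenantid}` in its issuer with the tenant id that the `iss` mismatch error reveals, and name the .provider/.client/.conf files after that issuer), as an added Python example. This is not code from the question, the answer or the mod_auth_openidc project. The discovery document, the tenant id and the id_token are constructed sample data modelled on the thread; the `.conf` key names `response_type`/`response_mode` and the metadata file-naming convention (issuer without `https://`, URL-encoded) are assumptions to check against the mod_auth_openidc wiki for the version in use.

```python
"""Bootstrap a per-tenant mod_auth_openidc metadata set from the Azure AD v2.0
'common' discovery document, repairing the "{tenantid}" issuer placeholder.
Added example; all sample data below is constructed."""
import base64
import json
import re
import urllib.parse

# Constructed sample of the 'common' discovery document as the comments describe
# it: the issuer still carries a literal "{tenantid}" placeholder.
COMMON_DISCOVERY = json.dumps({
    "issuer": "https://login.microsoftonline.com/{tenantid}/v2.0",
    "authorization_endpoint": "https://login.microsoftonline.com/common/oauth2/v2.0/authorize",
    "token_endpoint": "https://login.microsoftonline.com/common/oauth2/v2.0/token",
    "jwks_uri": "https://login.microsoftonline.com/common/discovery/v2.0/keys",
    "response_types_supported": ["code", "id_token", "code id_token"],
    "response_modes_supported": ["query", "fragment", "form_post"],
})

SAMPLE_TENANT = "11111111-2222-3333-4444-555555555555"  # constructed, not a real tenant

TENANT_RE = re.compile(r"^https://login\.microsoftonline\.com/([0-9a-f-]{36})/v2\.0/?$")


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def constructed_id_token(tenant_id: str) -> str:
    """Build a sample id_token with a bogus signature; test data only."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "kid": "sample"}).encode())
    payload = _b64url_encode(json.dumps({
        "iss": f"https://login.microsoftonline.com/{tenant_id}/v2.0",
        "aud": "xxx",
        "sub": "sample-subject",
    }).encode())
    return f"{header}.{payload}.bogus-signature"


def unverified_iss(id_token: str) -> str:
    """Read 'iss' WITHOUT checking the signature. This is acceptable only to learn
    which tenant issued the token while bootstrapping configuration (the same
    information the oidc_proto_validate_jwt error prints); never use an
    unverified claim to accept a login."""
    return json.loads(_b64url_decode(id_token.split(".")[1]))["iss"]


def issuer_matches(configured: str, received: str) -> bool:
    """OpenID Connect requires 'iss' to exactly equal the configured issuer, so a
    plain string comparison is the right check (no prefix or slash trimming)."""
    return configured == received


def tenant_from_issuer(iss: str) -> str:
    m = TENANT_RE.match(iss)
    if not m:
        raise ValueError(f"unexpected issuer format: {iss}")
    return m.group(1)


def pin_discovery_to_tenant(discovery_json: str, tenant_id: str) -> dict:
    """Replace the placeholder issuer with the tenant's real issuer. Endpoints are
    left as served; the issuer is what the RP validates the id_token against."""
    doc = json.loads(discovery_json)
    doc["issuer"] = doc["issuer"].replace("{tenantid}", tenant_id)
    return doc


def metadata_basename(issuer: str) -> str:
    """Assumed OIDCMetadataDir naming convention: the issuer with its https://
    prefix and trailing slash removed, URL-encoded (verify against the wiki)."""
    bare = issuer[len("https://"):] if issuer.startswith("https://") else issuer
    return urllib.parse.quote(bare.rstrip("/"), safe="")


def metadata_files(discovery_json: str, id_token: str, client_id: str, client_secret: str) -> dict:
    """Return {filename: json_text} for the .provider, .client and .conf files,
    with the answer's response type/mode placed in the .conf file."""
    iss = unverified_iss(id_token)
    doc = json.loads(discovery_json)
    if not issuer_matches(doc["issuer"], iss):
        doc = pin_discovery_to_tenant(discovery_json, tenant_from_issuer(iss))
    base = metadata_basename(doc["issuer"])
    return {
        f"{base}.provider": json.dumps(doc, indent=2),
        f"{base}.client": json.dumps({"client_id": client_id, "client_secret": client_secret}, indent=2),
        # Assumed key names mirroring the OIDCResponseType / OIDCResponseMode directives.
        f"{base}.conf": json.dumps({"response_type": "id_token", "response_mode": "form_post"}, indent=2),
    }


if __name__ == "__main__":
    token = constructed_id_token(SAMPLE_TENANT)
    for name, body in metadata_files(COMMON_DISCOVERY, token, "xxx", "client-secret").items():
        print(f"--- {name}\n{body}")
```

Write the three returned files into the directory named by OIDCMetadataDir; the .client file is the one that holds the secret, so keep it readable only by the Apache user. The `unverified_iss` step reads the issuer only to derive the file names and the pinned issuer, exactly as the comment does by hand from the error message; the real issuer check still happens in mod_auth_openidc on a signature-verified token.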