I'm currently trying to implement Azure AD authentication in my Angular application. Unfortunately I'm running into some issues. The following code gives me the access token as I'm expecting. To implement it in my API I want to use OpenID Connect.

import { Component, OnInit } from '@angular/core';
import { OAuthService } from 'angular-oauth2-oidc';

// Component decorator assumed (not in the original snippet); Angular needs it to instantiate the class.
@Component({ selector: 'app-root', template: '{{ title }}' })
export class AppComponent implements OnInit {
  title = 'Sign in test';

  constructor(private oauthService: OAuthService) {}

  // Configure the library for the AAD v1 endpoint; the URL and id strings are placeholders.
  private async ConfigureAuth(): Promise<void> {
    this.oauthService.configure({
      loginUrl: 'loginUrl',
      clientId: 'clientId',
      resource: 'resource',
      logoutUrl: 'logoutUrl',
      redirectUri: window.location.origin + '/',
      scope: 'openid',
      oidc: false // set to true for the failing case described below
    });
    this.oauthService.setStorage(sessionStorage);
  }

  async ngOnInit() {
    await this.ConfigureAuth();

    // tryLogin reads the tokens from the URL fragment after the redirect; await it so the check below sees them
    await this.oauthService.tryLogin({});

    if (!this.oauthService.getAccessToken()) {
      // no token yet: redirect the browser to the login page (implicit flow)
      this.oauthService.initImplicitFlow();
    }

    console.log(this.oauthService.getAccessToken());
  }
}

The sign in still works as it gives me the access token, but when I set oidc to true it gives me the following errors:

angular-oauth2-oidc.js:1146 Error validating tokens
(anonymous) @ angular-oauth2-oidc.js:1146

Wrong issuer: https://sts.windows.net/{tenantid}/

ERROR Error: Uncaught (in promise): Wrong issuer: https://sts.windows.net/{tenantid}/

I'm not sure how to solve this issue, as the issuer in this case has the correct tenant ID.

Hope someone can help me out with this.

Jeroen
Mikey123

1 Answer

There is a related open issue on GitHub: Valid access_token but no identity. The reason for that is probably that AAD doesn't support CORS for .well-known/openid-configuration. At least that is the case for AAD B2C. I was able to solve it by manually specifying the discovery config:

import { AuthConfig } from 'angular-oauth2-oidc';

// Manual configuration (no discovery document) for AAD B2C; the 'XXX' values are placeholders for your tenant's values.
export const aadB2cNoDiscoveryConfig: AuthConfig = {
  'clientId': 'XXX',
  'redirectUri': 'XXX',
  'loginUrl': 'XXX',
  'logoutUrl': 'XXX',
  'scope': 'openid https://mytenant.onmicrosoft.com/myapi/user_impersonation',
  'oidc': true,
  'issuer': 'https://login.microsoftonline.com/XXX/v2.0/',
  'tokenEndpoint': 'https://login.microsoftonline.com/XXX.onmicrosoft.com/oauth2/v2.0/token?p=b2c_1_signin',
  'responseType': 'id_token token',
  'clearHashAfterLogin': true,
  'disableAtHashCheck': true,
  'showDebugInformation': true,
  'strictDiscoveryDocumentValidation': false,
  // signing keys copied from the tenant's discovery/keys endpoint, so the id_token signature can be checked without CORS
  'jwks': {
    'keys': [
      {
        kid: 'XXX',
        nbf: 'XXX',
        use: 'XXX',
        kty: 'XXX',
        e: 'XXX',
        n: 'XXX'
      }
    ]
  }
};

Note: I used AAD B2C.

Martin Brandl
  • Thank you for your reply. I'm not sure how to implement some of your values, as I'm not sure what to fill in at those XXX values at some places. For example the issuer and jwks keys. Also, I'm using the AD v1 endpoint, does this matter? – Mikey123 Jun 12 '18 at 15:07
  • You can retrieve this information using https://login.microsoftonline.com/.onmicrosoft.com/.well-known/openid-configuration and https://login.microsoftonline.com/YOURTENANT.onmicrosoft.com/discovery/keys – Martin Brandl Jun 12 '18 at 15:13
  • Thank you, using the information from the URLs you provided and adding them to the config solved my issue. Thanks a lot! – Mikey123 Jun 13 '18 at 05:49
  • I just noticed this warning remains (not an error though): 'No tokenValidationHandler configured. Cannot check signature.' Is this important to solve? – Mikey123 Jun 13 '18 at 05:54
  • I don't get a warning. I will take a look at my code later. If you use the token on the client, it could be an issue. If you just pass it to an API, I think it's fine since it gets validated there – Martin Brandl Jun 13 '18 at 06:04
  • Alright, thank you. I'm planning on passing it to an API so I'll assume it will be fine. – Mikey123 Jun 13 '18 at 06:24
  • Found it. I use `this.oauthService.tokenValidationHandler = new JwksValidationHandler();` after I call the configure() – Martin Brandl Jun 13 '18 at 06:42
  • Thanks! Is JwksValidationHandler part of another package? I'm unable to add this line (cannot find name 'JwksValidationHandler') – Mikey123 Jun 13 '18 at 09:01
  • import { JwksValidationHandler } from 'angular-oauth2-oidc'; – Martin Brandl Jun 13 '18 at 09:07
  • That makes sense! Thanks – Mikey123 Jun 13 '18 at 09:29