
I am trying to connect a Keycloak Gatekeeper instance to AAD via OpenID Connect. To do so, I am using the v2 endpoint https://login.microsoftonline.com/<tenantID>/v2.0.

Unfortunately even before I login there is an error in the logs:

unable to verify the id token   {"error": "oidc: JWT claims invalid: invalid claim value: 'iss'. expected=https://login.microsoftonline.com/<tenantID>/v2.0, found=https://sts.windows.net/<tenantID>/."}.

I did a little bit of research and found out that the found= value is the same as the one returned by the v1 endpoint. This led me to the conclusion that the application might use the wrong version. To make sure that it is always using v2, I've fixed the version of the endpoint by setting "accessTokenAcceptedVersion": 2 in my application registration manifest. Unfortunately this also did not resolve the issue.

So what do I do wrong? Or are the AAD APIs just buggy?

gorootde
  • Can you please show the request or API-calling part for better clarity – Md Farid Uddin Kiron Mar 07 '19 at 09:24
  • Unfortunately not, as keycloak-gatekeeper does not log these things anywhere. But by having a look at the code I found out that in the end it just compares the value of `iss` with the `issuer` value received from `v2.0/.well-known/openid-configuration`. It fails because these do not match, but according to the [Specification](https://openid.net/specs/openid-connect-core-1_0.html#rfc.section.16.15) they would have to. – gorootde Mar 07 '19 at 09:35
  • @gorootde did you ever get this working, mate? we're looking at the same thing now, running into the exact same issue. – Ray Terrill May 03 '19 at 04:19
  • Looks like I was able to get this working using the old endpoint: `--discovery-url https://sts.windows.net/TENANT_ID/` – Ray Terrill May 03 '19 at 04:38
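The issuer check the comments describe, reproduced as an added, self-contained example (not keycloak-gatekeeper's own code): the ID token's `iss` claim is compared byte-for-byte with the `issuer` from the discovery document, so a token issued under `https://sts.windows.net/<tenant>/` fails against the v2 discovery document and passes against the v1 one. The tenant ID, discovery documents and token are constructed placeholders; the token is unsigned because only the claim comparison is shown, signature verification remains a separate mandatory step.

```python
import base64
import json
from typing import Dict, Tuple


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_unsigned_jwt(claims: dict) -> str:
    """Constructed, UNSIGNED JWT (alg none, empty signature) for this demo only."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


def check_issuer(id_token: str, discovery: Dict[str, str]) -> Tuple[bool, str]:
    """Exact-match issuer validation as required by OIDC Core (ID token validation).

    Returns (ok, message); the message mirrors the gatekeeper log line format.
    Signature verification is NOT performed here and must happen separately.
    """
    parts = id_token.split(".")
    if len(parts) != 3:
        return False, "malformed JWT"
    claims = json.loads(_b64url_decode(parts[1]))
    expected = discovery.get("issuer")
    found = claims.get("iss")
    if found != expected:  # no normalisation: trailing slash or host differences fail
        return False, f"invalid claim value: 'iss'. expected={expected}, found={found}"
    return True, "ok"


# Constructed placeholders, not real tenant data.
TENANT = "00000000-0000-0000-0000-000000000000"
V2_DISCOVERY = {"issuer": f"https://login.microsoftonline.com/{TENANT}/v2.0"}
V1_DISCOVERY = {"issuer": f"https://sts.windows.net/{TENANT}/"}
# Token as observed in the question: issuer is the v1-style sts.windows.net value.
TOKEN_FROM_AAD = make_unsigned_jwt({"iss": V1_DISCOVERY["issuer"], "aud": "app-id"})

if __name__ == "__main__":
    print(check_issuer(TOKEN_FROM_AAD, V2_DISCOVERY))  # fails, as in the log line
    print(check_issuer(TOKEN_FROM_AAD, V1_DISCOVERY))  # passes, the --discovery-url workaround
```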
