AAD service-to-service with certificate JWT

So, I've been reading these docs and implemented them, and somehow I can't get through because Microsoft keeps nagging about an invalid signature:

Error validating credentials. AADSTS50012: Client assertion contains an invalid signature. [Reason - The key was not found., Thumbprint of key used by client: '7380XXXXXXXXXXXXXXXXXXXXXXXXX', Please visit 'https://developer.microsoft.com/en-us/graph/graph-explorer' and query for 'https://graph.microsoft.com/beta/applications/9a7exxxx-xxxx-xxxx-xxxx-xxxxxxxxxx' to see configured keys]

My code:

function GUID()
{
    // Random v4 UUID for the jti claim; random_bytes() instead of mt_rand()
    // so the token identifier is unpredictable as well as unique.
    $b = random_bytes(16);
    $b[6] = chr((ord($b[6]) & 0x0f) | 0x40); // version 4
    $b[8] = chr((ord($b[8]) & 0x3f) | 0x80); // RFC 4122 variant
    return vsprintf('%s%s-%s-%s-%s-%s%s%s', str_split(strtoupper(bin2hex($b)), 4));
}

$url = 'https://login.microsoftonline.com/sub.xxxx.com/oauth2/token'; // v1 token endpoint of the tenant
$apiId = '649952a2-xxxx-xxxx-xxxx-xxxxxxxxxx'; // test
$identifierUrl = 'www.xxxx.com/test/OurClientName'; // test


$pvk = 'certificate.pvk'; // private key; must be PEM that openssl_pkey_get_private() can read
$pub = file_get_contents('certificate.crt');

// The x5t header is the base64url-encoded (RFC 4648 section 5, no '=' padding)
// SHA-1 thumbprint of the certificate's DER encoding. base64_encode() produces
// standard base64 ('+', '/', trailing '='), so convert it.
$fingerprint = rtrim(strtr(base64_encode(pack('H*', openssl_x509_fingerprint($pub))), '+/', '-_'), '=');

$time = time();
$guid = GUID();

$signer = new \Lcobucci\JWT\Signer\Rsa\Sha256();
$keychain = new \Lcobucci\JWT\Signer\Keychain();
$token = (new \Lcobucci\JWT\Builder())
    ->setIssuer($apiId)                 // iss: the application (client) ID
    ->setAudience($url)                 // aud: the token endpoint the assertion is sent to
    ->setHeader('x5t', $fingerprint)    // tells AAD which registered certificate to verify with
    ->setId($guid, false)               // jti: unique per assertion
    ->setIssuedAt($time)
    ->setNotBefore($time - 60)
    ->setExpiration($time + 60 * 60 * 12)
    ->set('sub', $apiId)                // sub: same as iss for client credentials
    ->sign($signer, $keychain->getPrivateKey('file://' . $pvk))
    ->getToken();

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_POST, 1);
// Keep TLS verification on: with it disabled a man-in-the-middle can capture
// both the client assertion and the access token that comes back.
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
// The token endpoint takes application/x-www-form-urlencoded; passing the
// array directly would make curl send multipart/form-data.
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query([
    'grant_type' => 'client_credentials',
    'client_id' => $apiId,
    'client_assertion_type' => 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer',
    'client_assertion' => (string) $token,
    'resource' => $identifierUrl,
]));


$output = curl_exec($ch);

var_dump(json_decode($output));

curl_close($ch);

Docs:
https://docs.microsoft.com/en-us/azure/active-directory/develop/v1-oauth2-client-creds-grant-flow
https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-certificate-credentials
https://github.com/lcobucci/jwt/blob/3.2/README.md

Our service provider assures me that the certificate with thumbprint 7380XXXXXXXXXXXXXXXXXXXXXXXXX is installed in test and production and must work.

Debugging the JWT and validating it on jwt.io tells me that the signature is verified.

Is there something I'm missing?
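An added diagnostic for questions like this one (example code, not part of the original question and not from Microsoft or lcobucci/jwt): AADSTS50012 prints the hex SHA-1 thumbprint of the key the client asserted, while the JWT carries that same digest in the `x5t` header, which the linked certificate-credentials doc specifies as base64url (RFC 4648 section 5, unpadded). The script below computes both forms from a PEM certificate, decodes the header of a client assertion, and reports whether `x5t` is standard base64 rather than base64url, is not a 20-byte digest, or names a different certificate than the one AAD reported. The certificate bytes, the client IDs and the unsigned demo assertion are constructed placeholders; `check_x5t` is the check you would run on your real assertion and on the thumbprint from the error message. Written in Python rather than PHP so it runs stand-alone with the standard library only.

```python
import base64
import hashlib
import json
import re

# Constructed sample input (not a real certificate): the thumbprint transform
# only hashes the DER bytes, so arbitrary bytes are enough to exercise it.
SAMPLE_DER = bytes(range(64))
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(SAMPLE_DER).decode("ascii")
    + "-----END CERTIFICATE-----\n"
)


def pem_to_der(pem: str) -> bytes:
    """Return the DER bytes of the first CERTIFICATE block in a PEM string."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))


def b64url_encode(raw: bytes) -> str:
    """RFC 4648 section 5 base64url without '=' padding, as JOSE headers use."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Decode base64url, tolerating missing padding."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def hex_thumbprint(pem: str) -> str:
    """Upper-case hex SHA-1 thumbprint: the form the portal and AADSTS50012 print."""
    return hashlib.sha1(pem_to_der(pem)).hexdigest().upper()


def x5t_from_pem(pem: str) -> str:
    """x5t as the certificate-credentials doc specifies: base64url(SHA-1(DER))."""
    return b64url_encode(hashlib.sha1(pem_to_der(pem)).digest())


def legacy_x5t_from_pem(pem: str) -> str:
    """What base64_encode(pack('H*', thumbprint)) in PHP yields: standard base64 with '=' padding."""
    return base64.b64encode(hashlib.sha1(pem_to_der(pem)).digest()).decode("ascii")


def demo_assertion(x5t: str) -> str:
    """Build an UNSIGNED client assertion carrying the given x5t. Constructed for
    header inspection only; a real assertion must carry an RS256 signature."""
    header = {"alg": "RS256", "typ": "JWT", "x5t": x5t}
    payload = {"iss": "client-id", "sub": "client-id", "aud": "token-endpoint"}  # placeholders
    parts = [b64url_encode(json.dumps(p, separators=(",", ":")).encode()) for p in (header, payload)]
    return ".".join(parts) + "."


def check_x5t(assertion: str, reported_thumbprint: str) -> list:
    """Compare the x5t in a client assertion's header with the hex thumbprint AAD
    reported; return a list of findings (empty means the header is consistent)."""
    findings = []
    header = json.loads(b64url_decode(assertion.split(".")[0]))
    x5t = header.get("x5t")
    if x5t is None:
        return ["no x5t header: AAD cannot tell which registered certificate to verify with"]
    if any(ch in x5t for ch in "+/="):
        findings.append("x5t is standard base64 (has '+', '/' or '='); expected base64url without padding")
    raw = b64url_decode(x5t.replace("+", "-").replace("/", "_").rstrip("="))
    if len(raw) != 20:
        findings.append("x5t decodes to %d bytes, expected a 20-byte SHA-1 digest" % len(raw))
    expected = reported_thumbprint.upper().replace(":", "").replace(" ", "")
    if raw.hex().upper() != expected:
        findings.append("x5t does not match the thumbprint AAD reported; a different certificate is registered")
    return findings


if __name__ == "__main__":
    print("x5t      :", x5t_from_pem(SAMPLE_PEM))
    print("hex      :", hex_thumbprint(SAMPLE_PEM))
    print("findings :", check_x5t(demo_assertion(legacy_x5t_from_pem(SAMPLE_PEM)), hex_thumbprint(SAMPLE_PEM)))
```

Run `check_x5t` with the first segment of the assertion you actually POST and the thumbprint quoted in the AADSTS50012 message: an empty list means the header names the certificate AAD is looking at and the problem is elsewhere (wrong tenant, wrong app registration, or a key that differs from the uploaded one); a mismatch finding means the app registration holds a different certificate than the one you sign with.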