django-auth-adfs
Signature validation error while doing an API call...
Hello,
I came across this implementation and I've been trying to solve my use case using it.
My use case is simplified as follows:
- Front end Angular application authenticates user using MSAL (OIDC)
- Azure issues the user an ID Token and Access Token.
- Access token is sent to DRF which is configured using this library
I've gotten pretty far already with the guides provided, mainly this one: https://django-auth-adfs.readthedocs.io/en/latest/azure_ad_config_guide.html
What I'm struggling with is the access token validation. I have checked all that I can think of, but everything seems to check out configuration wise. I also tried to see past issues for clues, but didn't manage to find resolution.
What I have noticed: I'm ONLY using the OIDC v2.0 endpoints, but I can see from the access token that it is actually the VERSION 1, which would kind of explain the verification error, because it is trying to verify it against the v2.0 JWKS endpoint... I've also verified that the front-end application is also using only the v2.0 endpoints for OIDC. Currently I can't say what is forcing it to the v1.0 version...
Here is my settings.py
```python
AUTH_ADFS = {
    "AUDIENCE": "api://e68a0282-****-****-****-***************",
    "CLIENT_ID": "e68a0282-****-****-****-***************",
    "CLIENT_SECRET": "** SECRET **",
    "USERNAME_CLAIM": 'upn',
    "TENANT_ID": "5d471751-****-****-****-***************",
    "RELYING_PARTY_ID": "api://e68a0282-****-****-****-***************",
    "PROXIES": {'http': '10.158.100.1:8080', 'https': '10.158.100.1:8080'},
    "LOGIN_EXEMPT_URLS": ['^$', '^admin', '^api'],
    "VERSION": "v2.0",
    "SCOPES": ["read", "api://e68a0282-****-****-****-***************/read"],
}
LOGIN_URL = "django_auth_adfs:login"
LOGIN_REDIRECT_URL = "/"
```
My debug logs:
Backend fetches the OIDC config from the Azure tenant .well-known API:

```text
[2025-01-13 11:10:21] DEBUG config.load_config 212: Loading ID Provider configuration.
[2025-01-13 11:10:21] INFO config._load_openid_config 251: Trying to get OpenID Connect config from https://login.microsoftonline.com/5d471751-****-****-****-***************/v2.0/.well-known/openid-configuration?appid=e68a0282-****-****-****-***************
[2025-01-13 11:10:21] INFO config._load_openid_config 251: Trying to get OpenID Connect config from https://login.microsoftonline.com/5d471751-****-****-****-***************/v2.0/.well-known/openid-configuration?appid=e68a0282-****-****-****-***************
[2025-01-13 11:10:22] DEBUG config._load_keys 317: Loading public key from certificate: *** PUBLICKEY ***
[2025-01-13 11:10:22] DEBUG config._load_keys 317: Loading public key from certificate: *** PUBLICKEY ***
[2025-01-13 11:10:22] DEBUG config._load_keys 317: Loading public key from certificate: *** PUBLICKEY ***
[2025-01-13 11:10:22] INFO config.load_config 232: Loaded settings from ADFS server.
[2025-01-13 11:10:22] INFO config.load_config 232: Loaded settings from ADFS server.
[2025-01-13 11:10:22] INFO config.load_config 233: operating mode: openid_connect
[2025-01-13 11:10:22] INFO config.load_config 233: operating mode: openid_connect
[2025-01-13 11:10:22] INFO config.load_config 234: authorization endpoint: https://login.microsoftonline.com/5d471751-****-****-****-***************/oauth2/v2.0/authorize
[2025-01-13 11:10:22] INFO config.load_config 234: authorization endpoint: https://login.microsoftonline.com/5d471751-****-****-****-***************/oauth2/v2.0/authorize
[2025-01-13 11:10:22] INFO config.load_config 235: token endpoint: https://login.microsoftonline.com/5d471751-****-****-****-***************/oauth2/v2.0/token
[2025-01-13 11:10:22] INFO config.load_config 235: token endpoint: https://login.microsoftonline.com/5d471751-****-****-****-***************/oauth2/v2.0/token
[2025-01-13 11:10:22] INFO config.load_config 236: end session endpoint: https://login.microsoftonline.com/5d471751-****-****-****-***************/oauth2/v2.0/logout
[2025-01-13 11:10:22] INFO config.load_config 236: end session endpoint: https://login.microsoftonline.com/5d471751-****-****-****-***************/oauth2/v2.0/logout
[2025-01-13 11:10:22] INFO config.load_config 237: issuer: https://login.microsoftonline.com/5d471751-****-****-****-***************/v2.0
[2025-01-13 11:10:22] INFO config.load_config 237: issuer: https://login.microsoftonline.com/5d471751-****-****-****-***************/v2.0
[2025-01-13 11:10:22] INFO config.load_config 238: msgraph endpoint: graph.microsoft.com
[2025-01-13 11:10:22] INFO config.load_config 238: msgraph endpoint: graph.microsoft.com
```
Front-end sends request to backend API, but access token verification fails:

```text
[2025-01-13 11:57:19] DEBUG backend.process_access_token 167: Received access token: *** ACCESS TOKEN HERE ***
[2025-01-13 11:57:19] DEBUG backend.process_access_token 167: Received access token: *** ACCESS TOKEN HERE ***
[2025-01-13 11:57:19] DEBUG backend.process_access_token 167: Received access token: *** ACCESS TOKEN HERE ***
[2025-01-13 11:57:19] DEBUG backend.process_access_token 167: Received access token: *** ACCESS TOKEN HERE ***
[2025-01-13 11:57:19] INFO backend.validate_access_token 157: Error decoding signature: Signature verification failed
[2025-01-13 11:57:19] INFO backend.validate_access_token 157: Error decoding signature: Signature verification failed
[2025-01-13 11:57:19] INFO backend.validate_access_token 157: Error decoding signature: Signature verification failed
[2025-01-13 11:57:19] INFO backend.validate_access_token 157: Error decoding signature: Signature verification failed
[2025-01-13 11:57:19] INFO backend.validate_access_token 157: Error decoding signature: Signature verification failed
[2025-01-13 11:57:19] INFO backend.validate_access_token 157: Error decoding signature: Signature verification failed
[2025-01-13 11:57:19] INFO backend.validate_access_token 157: Error decoding signature: Signature verification failed
[2025-01-13 11:57:19] INFO backend.validate_access_token 157: Error decoding signature: Signature verification failed
[2025-01-13 11:57:19] WARNING log.log_response 241: Unauthorized: /api/v1/swrelease/
[2025-01-13 11:57:19] WARNING log.log_response 241: Unauthorized: /api/v1/swrelease/
[2025-01-13 11:57:19] WARNING log.log_response 241: Unauthorized: /api/v1/stabilityreport/latest_builds/
[2025-01-13 11:57:19] WARNING log.log_response 241: Unauthorized: /api/v1/stabilityreport/latest_builds/
[2025-01-13 11:57:19] INFO h11_impl.send 476: 172.18.0.9:50408 - "GET /api/v1/swrelease/?nested=1&report_exist HTTP/1.1" 401
[2025-01-13 11:57:19] INFO h11_impl.send 476: 172.18.0.9:50426 - "GET /api/v1/stabilityreport/latest_builds/ HTTP/1.1" 401
[2025-01-13 11:57:19] WARNING log.log_response 241: Unauthorized: /api/v1/testarea/
[2025-01-13 11:57:19] WARNING log.log_response 241: Unauthorized: /api/v1/testarea/
[2025-01-13 11:57:19] INFO h11_impl.send 476: 172.18.0.9:50420 - "GET /api/v1/testarea/ HTTP/1.1" 401
[2025-01-13 11:57:19] WARNING log.log_response 241: Unauthorized: /api/v1/swrelease/
[2025-01-13 11:57:19] WARNING log.log_response 241: Unauthorized: /api/v1/swrelease/
```
Any idea where I should look next?
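As an added diagnostic example (not part of this issue and not django-auth-adfs code), a stdlib-only helper that decodes an access token's header and claims without verifying the signature and reports whether its `ver`, `iss` and `aud` line up with the `TENANT_ID`, `VERSION` and `AUDIENCE` values in settings; the GUIDs, `kid` and token below are constructed placeholders. A token stamped `ver: 1.0` carries the `sts.windows.net` issuer, which the v2.0 issuer and keys the backend loaded will never validate, whichever endpoint the front end used.

```python
import base64
import json

def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def make_unsigned_token(header: dict, claims: dict) -> str:
    # Builds a JWT-shaped string with a junk signature, only for sample input.
    def enc(obj: dict) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc(header)}.{enc(claims)}.notarealsignature"

def diagnose_token(token: str, tenant_id: str, version: str, audiences: set) -> dict:
    """Decode header and claims WITHOUT verifying the signature and report whether
    ver/iss/aud line up with the backend's TENANT_ID, VERSION and AUDIENCE.
    Diagnostic only: never base an authorization decision on these claims."""
    header_b64, claims_b64, _sig = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    claims = json.loads(_b64url_decode(claims_b64))
    # Entra ID stamps a different issuer per token version; keys and issuer
    # loaded from the v2.0 metadata will never validate a v1.0-issued token.
    # The version is chosen by the API's app registration (manifest setting
    # accessTokenAcceptedVersion), not by which endpoint the client called.
    expected_iss = {
        "v1.0": f"https://sts.windows.net/{tenant_id}/",
        "v2.0": f"https://login.microsoftonline.com/{tenant_id}/v2.0",
    }[version]
    return {
        "kid": header.get("kid"),
        "ver": claims.get("ver"),
        "iss": claims.get("iss"),
        "aud": claims.get("aud"),
        "version_matches_config": claims.get("ver") == version.lstrip("v"),
        "issuer_matches_config": claims.get("iss") == expected_iss,
        "audience_matches_config": claims.get("aud") in audiences,
    }

# Constructed sample with placeholder GUIDs, mirroring the symptom in the issue:
# backend configured for v2.0 while the token was issued under v1.0.
TENANT = "00000000-0000-0000-0000-000000000001"
CLIENT = "00000000-0000-0000-0000-000000000002"
SAMPLE_V1_TOKEN = make_unsigned_token(
    {"alg": "RS256", "kid": "constructed-kid"},
    {"ver": "1.0", "iss": f"https://sts.windows.net/{TENANT}/",
     "aud": f"api://{CLIENT}", "upn": "user@example.com"},
)
```

Run `diagnose_token(SAMPLE_V1_TOKEN, TENANT, "v2.0", {"api://" + CLIENT, CLIENT})` to see the issuer and version mismatches flagged while the audience still matches.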