
Error getting token via AzureAD and step cli

Open ekarlso opened this issue 5 years ago • 4 comments

Subject of the issue


Can't get token from Azure via step oauth

Your environment

Ubuntu 20.10

Steps to reproduce

  1. Set up an Appreg and grant consent via admin for the tenant
  2. run step oauth --jwt --provider https://login.microsoftonline.com/mytenant.com --client-id xx --listen localhost:10000 --oidc -e [email protected]

Expected behaviour

Should get a token back

Actual behaviour

Failure:

```
Failed exchanging authorization code: invalid_client. AADSTS7000218: The request body must contain the following parameter: 'client_assertion' or 'client_secret'. Trace ID:xx  Correlation ID: xx Timestamp: 2020-11-25 22:17:10Z
```


ekarlso avatar Nov 25 '20 22:11 ekarlso

It looks to me that the problem is that you need to set up a client secret in azure and pass it using --client-secret yyy.

The usual method to create a client secret in azure is going to "Azure Active Directory" -> "App registrations" -> "Your app" -> "Certificates & secrets" -> "+ New client secret"

maraino avatar Dec 05 '20 00:12 maraino

I tried passing --client-secret as well but then I get Failed exchanging authorization code: json: cannot unmarshal string into Go struct field token.expires_in of type int

ekarlso avatar Jan 05 '21 14:01 ekarlso

That error is because the JSON response that we get has the "expires_in" parameter as a string instead of an integer. In your case you are getting something like:

{
    "token_type": "Bearer",
    "scope": "email openid profile",
    "expires_in": "3599",
    "ext_expires_in": "3599",
    "access_token": "....",
    "id_token": "..."
}

What I get from an azure app is something like:

{
    "token_type": "Bearer",
    "scope": "email openid profile",
    "expires_in": 3599,
    "ext_expires_in": 3599,
    "access_token": "....",
    "id_token": "..."
}

In fact, even Azure docs show examples using integers, see https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow#successful-response-1

Do you get the same if instead of using the --jwt parameter you just use --oidc:

step oauth --oidc \
  --provider https://login.microsoftonline.com/<tenant-id>/v2.0/.well-known/openid-configuration \
  --client-id <client-id> --client-secret <client-secret>

To get just the OIDC token you can also add --bare to the above command. Try to add the v2.0 in the provider URL too.

maraino avatar Jan 05 '21 19:01 maraino
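The unmarshal error above comes from decoding `"expires_in": "3599"` into an `int` field. As an added example (not code from the step project), here is a lenient decoder in Go that accepts both the quoted form the reporter received and the integer form the Azure docs show, while still rejecting anything that is not a non-negative integer; the type and function names are assumptions for illustration and the sample body is constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strconv"
)

// FlexInt decodes both `"expires_in": 3599` and `"expires_in": "3599"`.
// (Go's `json:",string"` tag alone would accept only the quoted form.)
type FlexInt int

func (f *FlexInt) UnmarshalJSON(b []byte) error {
	s := string(b)
	if len(s) >= 2 && s[0] == '"' && s[len(s)-1] == '"' {
		s = s[1 : len(s)-1] // strip the quotes some Azure AD responses add
	}
	n, err := strconv.Atoi(s)
	if err != nil || n < 0 {
		// Stay strict about junk: a token lifetime is a non-negative integer.
		return fmt.Errorf("expires_in: %q is not a non-negative integer", s)
	}
	*f = FlexInt(n)
	return nil
}

// TokenResponse mirrors the fields of the two responses quoted above.
type TokenResponse struct {
	TokenType    string  `json:"token_type"`
	Scope        string  `json:"scope"`
	ExpiresIn    FlexInt `json:"expires_in"`
	ExtExpiresIn FlexInt `json:"ext_expires_in"`
	AccessToken  string  `json:"access_token"`
	IDToken      string  `json:"id_token"`
}

// ParseTokenResponse decodes a token endpoint body into TokenResponse.
func ParseTokenResponse(body []byte) (TokenResponse, error) {
	var tr TokenResponse
	err := json.Unmarshal(body, &tr)
	return tr, err
}

func main() {
	// Constructed sample in the shape that made step fail: expires_in quoted.
	body := []byte(`{"token_type":"Bearer","scope":"email openid profile","expires_in":"3599","ext_expires_in":"3599","access_token":"....","id_token":"..."}`)
	tr, err := ParseTokenResponse(body)
	fmt.Printf("expires_in=%d err=%v\n", tr.ExpiresIn, err)
}
```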