Signature verification failed, but clients should not try to inspect access tokens

[jakub-bochenski]

Version

4.5.8

Context

I'm trying to authenticate against Graph API using client credentials flow.

        OpenIDConnectAuth
            .discover(
                vertx,
                OAuth2Options()
                    .setSite("https://login.microsoftonline.com/${b2cOption.tenant()}/v2.0/.well-known/openid-configuration")
                    .setClientId(b2cOption.clientId())
                    .setClientSecret(b2cOption.clientSecret())
                    .setValidateIssuer(false)
                    .setFlow(OAuth2FlowType.CLIENT)
            )
            .coAwait()
            .run {
                this.authenticate(JsonObject().put("scopes", JsonArray(listOf("https://graph.microsoft.com/.default"))))
                    .coAwait()
                    .run { log.info { "Authenticated with B2C: $this" } }

Unfortunately it fails on:

java.lang.RuntimeException: Signature verification failed
         at io.vertx.ext.auth.impl.jose.JWT.decode(JWT.java:312)
         at io.vertx.ext.auth.impl.jose.JWT.decode(JWT.java:177)
         at io.vertx.ext.auth.oauth2.impl.OAuth2AuthProviderImpl.createUser(OAuth2AuthProviderImpl.java:579)
         at io.vertx.ext.auth.oauth2.impl.OAuth2AuthProviderImpl.lambda$authenticate$4(OAuth2AuthProviderImpl.java:457)

Clients should not try to inspect access tokens at all. MSFT is right in stating:

If you're a client getting a token for Graph, assume that it's an encrypted string that you should never look at

I think the offending code is this:

    // attempt to decode tokens if jwt keys are available
    if (!jwt.isUnsecure()) {
      if (json.containsKey("access_token")) {
        try {
          final JsonObject token = jwt.decode(json.getString("access_token"));

[jakub-bochenski]

In fact requiring the access token to be a JWT already breaks the specification

Access tokens do not have to be of any particular format, although there are different considerations for different options which will be discussed later in this chapter.

https://www.oauth.com/oauth2-servers/access-tokens/

[jakub-bochenski]

This is the workaround I'm using for now

        val config = OAuth2Options()
            .setSite("https://login.microsoftonline.com/${b2cOption.tenant()}/v2.0/.well-known/openid-configuration")
            .setClientId(b2cOption.clientId())
            .setClientSecret(b2cOption.clientSecret())
            .setValidateIssuer(false)
        OpenIDConnectAuth
            .discover(
                vertx,
                config
            )
            .coAwait()
            .run { // https://github.com/eclipse-vertx/vertx-auth/issues/688
                close()
                config.setJwkPath(null);
                OAuth2Auth.create(vertx, config);
            }
            .run {
                this.authenticate(JsonObject().put("scopes", JsonArray(listOf("https://graph.microsoft.com/.default"))))
                    .coAwait()
                    .run { log.info { "Authenticated with B2C: $this" } }
           }