# cfml-general
g
I have already coded the Microsoft EntraID solution. I am not using the `clientSecret`, as advised by Microsoft. I am using the jwt.cfc file provided by https://github.com/jcberquist/jwt-cfml. I get this error:

```
Detail: The passed in token does not have an algorithm declaration or its declared algorithm does not match the specified algorithms of [].
ErrorCode: [empty string]
ExtendedInfo: [empty string]
Message: Unsupported or invalid algorithm
\jwt\jwt.cfc:103
```

Sometimes I get an "invalid state" error and sometimes the one above. I can share code if someone who has coded such a thing can help.
b
I used JWT some years ago, but one doesn't need to know about JWT to see at least one cause of the error: a `decode()` call without an `algorithms` argument. The JWT CFC usage page says:

> "You must specify the allowed algorithms (either as a string or an array) when calling decode(). The algorithm in the token header must match one of the allowed algorithms."
g
So how do I fix it?
m
Tell jwt-cfml's `decode` what algo to use. If you don't know which one is being sent, paste the token into the debugger on jwt.io; the algo should be declared in the header.
g
How can I validate it?
I can share my code if that helps; you can point me to where I can do an `abort` to check the token.
I did something like copying the token into the validator and got this:

```json
{
  "typ": "JWT",
  "alg": "RS256",
  "kid": "KQ2tAcrE7lBaVVGBmc5FobgdJo4"
}
```
m
Your `decode` call should append `"RS256"` to the array of what it allows. If that is the only one you are going to allow, then the `algorithms` passed to that function can be just `"RS256"`.
g
This is my function:

```cfml
public function handleCallback(required string id_token, required string state) {
    try {
        // Verify state
        if (state != session.authState) {
            return {error = "Invalid state"};
        }

        // Declared here but not passed to decode() below
        var allowedAlgorithms = ["RS256"];
        var decodedToken = variables.jwt.decode(id_token);
        var header = decodedToken.header;
        var payload = decodedToken.payload;

        // Log token details for debugging
        writeLog(text="Token Header: #serializeJSON(header)#", type="information");
        writeLog(text="Token Payload: #serializeJSON(payload)#", type="information");

        // Verify token (verifyToken() is defined elsewhere in this component)
        var verificationResult = verifyToken(id_token, header, payload);
        if (!verificationResult.success) {
            return {error = verificationResult.error};
        }

        // Verify nonce
        if (payload.nonce != session.authNonce) {
            return {error = "Invalid nonce"};
        }

        return {
            name: payload.name,
            email: payload.preferred_username
        };
    } catch (any e) {
        // Debugging aid: dump the exception and stop here
        writeDump(e);
        abort;
        writeLog(text="Error in handleCallback: #e.message# - #e.detail#", type="error");
        return {error = "An error occurred while processing the callback: #e.message#"};
    }
}

public function getAuthorizationURL() {
    var state = createUUID();
    var nonce = createUUID();
    var params = {
        client_id = application.clientID,
        response_type = "id_token",
        redirect_uri = application.redirectURI,
        response_mode = "form_post",
        scope = "openid profile email",
        state = state,
        nonce = nonce
    };
    // Stored so handleCallback() can compare them against the returned values
    session.authState = state;
    session.authNonce = nonce;
    // createQueryString() is defined elsewhere in this component
    return "https://login.microsoftonline.com/#application.tenantID#/oauth2/v2.0/authorize?" & createQueryString(params);
}
```
m
`var decodedToken = variables.jwt.decode(id_token);` <--- your error message is consistent with needing to provide more stuff to `decode()`
g
Got it working. I had to change a lot, but it's working now. I am still wondering what I can do to get the employeeID from the scope; I have openid, profile, email.