Cannot exchange the JWT for the access token using Federated credentials / OIDC in app registration

Paul Tilbert 0 Reputation points
2025-01-24T02:11:13.3333333+00:00

Goal: Get an external app to obtain an access token based on the trust relationship and the JWT created by an external identity provider using a trial Entra ID.

Command:

az login --federated-token $TOKEN --allow-no-subscription --service-principal -u e95e158b-a72e-43b7-b6b2-6fae1af0..... -t 31d212ad-3873-449c-9738-43a9a..... --debug --verbose

Command output trace:

urllib3.connectionpool: Starting new HTTPS connection (1): login.microsoftonline.com:443
urllib3.connectionpool: https://login.microsoftonline.com:443 "POST /31d212ad-3873-449c-9738-43a9a..../oauth2/v2.0/token HTTP/1.1" 401 534
                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/az/lib/python3.12/site-packages/azure/cli/core/commands/__init__.py", line 666, in execute
    raise ex
  File "/opt/az/lib/python3.12/site-packages/azure/cli/core/commands/__init__.py", line 734, in _run_jobs_serially
    results.append(self._run_job(expanded_arg, cmd_copy))
                   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/az/lib/python3.12/site-packages/azure/cli/core/commands/__init__.py", line 703, in _run_job
    result = cmd_copy(params)
             ^^^^^^^^^^^^^^^^
  File "/opt/az/lib/python3.12/site-packages/azure/cli/core/commands/__init__.py", line 336, in __call__
    return self.handler(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/az/lib/python3.12/site-packages/azure/cli/core/commands/command_operation.py", line 120, in handler
    return op(**command_args)
           ^^^^^^^^^^^^^^^^^^
  File "/opt/az/lib/python3.12/site-packages/azure/cli/command_modules/profile/custom.py", line 173, in login
    subscriptions = profile.login(
                    ^^^^^^^^^^^^^^
  File "/opt/az/lib/python3.12/site-packages/azure/cli/core/_profile.py", line 181, in login
    identity.login_with_service_principal(username, password, scopes=scopes)
  File "/opt/az/lib/python3.12/site-packages/azure/cli/core/auth/identity.py", line 197, in login_with_service_principal
    check_result(result)
  File "/opt/az/lib/python3.12/site-packages/azure/cli/core/auth/util.py", line 128, in check_result
    aad_error_handler(result, **kwargs)
  File "/opt/az/lib/python3.12/site-packages/azure/cli/core/auth/util.py", line 53, in aad_error_handler
    raise AuthenticationError(error_description, msal_error=error, recommendation=recommendation)
azure.cli.core.azclierror.AuthenticationError: AADSTS7000274: Key FB11D9545F23CBA38CA947641689F..... was found, but use of the key to verify the signature failed. Trace ID: daa40ed3-e9d5-4f7f-bdef-a2e2084a3c00 Correlation ID: f34b515c-44f1-47b7-9d9f-b99502fee0ee Timestamp: 2025-01-24 01:52:15Z
cli.azure.cli.core.azclierror: AADSTS7000274: Key FB11D9545F23CBA38CA947641689F..... was found, but use of the key to verify the signature failed. Trace ID: daa40ed3-e9d5-4f7f-bdef-a2e2084a3c00 Correlation ID: f34b515c-44f1-47b7-9d9f-b99502fee0ee Timestamp: 2025-01-24 01:52:15Z

There are many potential reasons for the AADSTS7000274 error. Would appreciate any pointers. In the Azure | App Registration | Manage | Certificates and Secrets, I only have the Federated credentials configured. The same external identity / app provider works with AWS OIDC so I am guessing it might be some unmet requirements for the public key that prevents the signature verification from working. But I do not know how to get the more specific information. If there is a specification / requirement list of the key used for signature verification, I can bring it to the provider for troubleshooting.


1 answer

  1. Kancharla Saiteja 5,890 Reputation points Microsoft External Staff Moderator
    2025-01-28T08:18:14.11+00:00

    Hi @Paul Tilbert,
    Thank you for posting your query on Microsoft Q&A. I am Saiteja from Q&A and will be assisting you with your query.

    Based on your description, I understand you have configured a Federated identity credential. Could you please confirm you have followed this document? You can follow the below steps:

    Navigate to your app registration in the Entra Portal or Azure Portal:

    • Go to Certificates & secrets.
    • Select the Federated credentials tab.
    • Click Add credential to begin configuring the federated identity credential.

    To be more specific, please go through this link. The information that has been provided as credentials here should be provided by external provider itself.

    I have tried to fetch the command you have provided in the description but am unable to find any document related to it. If you would like to fetch a token using CLI with a service principal, kindly follow this link.

    If this does not help you, kindly provide the document that provided you the command specified in description along with other documents you have followed to configure the federated identity.

    I hope this information is helpful. Please feel free to reach out if you have any further questions. If the answer is helpful, please click "Accept Answer" and kindly "upvote it". If you have extra questions about this answer, please click "Comment".

