TeamCity integration with Azure AD: AD not sending name and oid claims in JWT token, and claims not configured as optional in Azure AD

Kevin Overmars 21 Reputation points
2020-09-16T06:55:43.053+00:00

Hi,
I have a TeamCity instance that uses a plugin to connect to Azure AD. Everything is configured and it should work. The JWT token is created by Azure AD and uses the information configured in the App Registration in Azure AD for the TeamCity SP.
There is one little problem though: the JWT token is missing 2 essential claims (name and oid).
I read all the documentation regarding these claims and I understand there are optional ones I can configure, but I also understand that by using OAuth 2.0 v2 and also specifying access and consent to the Microsoft Graph profile for the app registration, the token should include these claims by default.

However, I am getting the following error from the TeamCity plugin.

400 Some of required claims were not found in parsed JWT.
nonce - eyJhbGciOiJSUzI1NiJ9.eyJpc3MiOiI1NTY2NmVlYS05NmYxLTQ3OGEtOTRmZS00MDlkZDVmZGI1ZGIiLCJleHAiOjE2MDAyMzg3NzYsImlhdCI6MTYwMDIzODQ3Niwic2FsdCI6InFaRGZlSWU0OGdsMXBKLWXXXXXXXXXXXXXXXXXX28wdnNkSmIxQ3kyLWxUWk9CSXkySE9BSUVQcXgyTGZlOGlBMmtQRDdiM0FBN2xyRlVWYm5UZXFFRTAwd3JGbXlBIn0.tumSwJATXLQdhglnkWf1t5E-zBGUHCSFPt0-J_bNJ27qNFSLRGiusAatYZnfPqA-otC-vyL9sVMgiiTHbyOSl0NapEBx4dMqeo_XXXXXXWnwGM9UzZ2dLlhPVYuFDEhb1cuCnZOcnrS57Jjra1bpVhFykFmnpAcVokuEveXC3WCXHkjaV0njRpmxuEJ-PtB644QrI7i2myKl678KvgnWdl-2aEcZ8hhaeNzSIM3VsRtx__QW7-d7G-0Mf-N6QYWvR9K4-aHJoFt95lPK9qb589bqHeGQEu3dczHfYcOpgkTWMM3i2RpYDrAKAfswxusu5FN4EZ55nEeCsrjvlheCWog;
name - null,

oid - null

(I changed the nonce :-))

I checked the code and also grabbed the JWT from the header in the call to the plugin and pasted it into a JWT viewer on the web.
The JWT token indeed does not contain these claims.

As I don't see anyone having the same issue, I wonder whether there is something I am missing in the configuration of my app registration for TeamCity.

For completeness, here is the manifest xml of the app registration (again, I obfuscated some GUIDs and URLs):

{
  "id": "5795d0e0-9d83-4850-8761-XXXXXXXXX",
  "acceptMappedClaims": true,
  "accessTokenAcceptedVersion": null,
  "addIns": [],
  "allowPublicClient": null,
  "appId": "0130c151-7add-4133-a2a5-XXXXXXXXX",
  "appRoles": [],
  "oauth2AllowUrlPathMatching": false,
  "createdDateTime": "2020-09-14T08:53:31Z",
  "groupMembershipClaims": "None",
  "identifierUris": [
    "api://0130c151-7add-4133-a2a5-XXXXXXXXX"
  ],
  "informationalUrls": {
    "termsOfService": null,
    "support": null,
    "privacy": null,
    "marketing": null
  },
  "keyCredentials": [],
  "knownClientApplications": [],
  "logoUrl": null,
  "logoutUrl": "https://TEAMCITYBASEURL/logout.html",
  "name": "TeamCity",
  "oauth2AllowIdTokenImplicitFlow": true,
  "oauth2AllowImplicitFlow": true,
  "oauth2Permissions": [],
  "oauth2RequirePostResponse": false,
  "optionalClaims": {
    "idToken": [],
    "accessToken": [],
    "saml2Token": []
  },
  "orgRestrictions": [],
  "parentalControlSettings": {
    "countriesBlockedForMinors": [],
    "legalAgeGroupRule": "Allow"
  },
  "passwordCredentials": [],
  "preAuthorizedApplications": [],
  "publisherDomain": "OURDOMAIN",
  "replyUrlsWithType": [
    {
      "url": "https://TEAMCITYBASEURL/overview.html",
      "type": "Web"
    },
    {
      "url": "https://TEAMCITYBASEURL/login.html",
      "type": "Web"
    }
  ],
  "requiredResourceAccess": [
    {
      "resourceAppId": "00000003-0000-0000-c000-000000000000",
      "resourceAccess": [
        {
          "id": "64a6cdd6-aab1-4aaf-94b8-XXXXXXXXX",
          "type": "Scope"
        },
        {
          "id": "14dad69e-099b-42c9-810b-XXXXXXXXX",
          "type": "Scope"
        },
        {
          "id": "e1fe6dd8-ba31-4d61-89e7-XXXXXXXXX",
          "type": "Scope"
        },
        {
          "id": "37f7f235-527c-4136-accd-XXXXXXXXX",
          "type": "Scope"
        }
      ]
    }
  ],
  "samlMetadataUrl": null,
  "signInUrl": "https://TEAMCITYBASEURL/login.html",
  "signInAudience": "AzureADMyOrg",
  "tags": [
    "notApiConsumer",
    "webApp"
  ],
  "tokenEncryptionKeyId": null
}
Can somebody please help me understand what I am missing here?

With kind regards,
Kevin Overmars


Accepted answer
  1. soumi-MSFT 11,831 Reputation points Microsoft Employee Moderator
    2020-09-18T09:53:55.06+00:00

    @Kevin Overmars, thank you for sharing the details. I checked the .har file and I see that it only has an id_token in it. The issued id_token is of type v2.0, as I believe the request to get the token was made to the v2.0 token endpoint, i.e. https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/token

    If you make a request to the v2.0 endpoint of AAD while using OpenID Connect or OAuth, the id_token that gets issued will be a v2.0 token. The properties that you are looking for, i.e. "name" and "oid", would be available in a v1.0 id_token.

    You can check and decode the following two id_tokens using the tool JWT.ms to understand the difference:

    V1.0 Id-Token:


    V2.0 Id-Token:


    More details can be found here: https://learn.microsoft.com/en-us/azure/active-directory/develop/id-tokens

    Also, I would like to state that this id_token is not the same as the access_token. The id_token is just used to prove that the user is authenticated by a reliable source like AAD, whereas an access_token is used to make the actual API calls for the resources that are protected by AAD. Access tokens mostly contain the permissions that the user/application trying to call/access the AAD-protected resource mentioned while getting itself authenticated to AAD and fetching the token.

    Summary:
    To get properties like "name" and "oid" in the id_token, you need to make a call to the token endpoint using the Auth-Code Grant flow of the OAuth or OpenID Connect protocol against AAD's v1.0 endpoint, in order to receive a v1.0 id_token.

    Hope this helps.

    Do let us know if this helps, and if there are any more queries around this, please do let us know so that we can help you further. Also, please do not forget to accept the response as Answer if the above response helped in answering your query.

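The plugin error above ("Some of required claims were not found in parsed JWT") is essentially a presence check on the decoded payload. The following added example (not part of the answer or of the TeamCity plugin) reproduces that check on two constructed, unsigned sample tokens: one shaped like the v2.0 id_token the question describes (no name/oid) and one shaped like a v1.0 id_token, and also reports the `ver`/`iss` claims so you can tell which endpoint issued the token before changing the configuration. Tenant, app and object IDs are placeholders; the decode is for inspection only and verifies nothing.

```python
import base64
import json

# Claims the plugin reports as required (taken from the error message in the question).
REQUIRED_CLAIMS = ("nonce", "name", "oid")


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_jwt_payload(token: str) -> dict:
    """Return the claim set of a compact JWS. NOTE: no signature check; inspection only."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(b64url_decode(parts[1]))


def inspect_id_token(token: str, required=REQUIRED_CLAIMS) -> dict:
    """Report the token version, its issuer and which required claims are absent or null."""
    claims = decode_jwt_payload(token)
    iss = claims.get("iss", "")
    # Azure AD v2.0 tokens carry ver "2.0" and an issuer ending in /v2.0; v1.0 tokens
    # carry ver "1.0" and an sts.windows.net issuer. Fall back to the issuer if ver is absent.
    version = claims.get("ver") or ("2.0" if iss.endswith("/v2.0") else "1.0" if "sts.windows.net" in iss else "unknown")
    missing = [c for c in required if claims.get(c) is None]
    return {"version": version, "issuer": iss, "missing": missing}


def make_sample_token(claims: dict) -> str:
    """Build a CONSTRUCTED sample token with a dummy signature, purely to feed the inspector."""
    header = b64url_encode(json.dumps({"typ": "JWT", "alg": "RS256"}).encode())
    return f"{header}.{b64url_encode(json.dumps(claims).encode())}.{b64url_encode(b'not-a-real-signature')}"


# Constructed payloads mirroring the two cases discussed above (IDs are placeholders).
V2_TOKEN = make_sample_token({"iss": "https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/v2.0",
                              "aud": "APP-ID-PLACEHOLDER", "ver": "2.0", "nonce": "n-1",
                              "sub": "SUBJECT-PLACEHOLDER", "preferred_username": "user@example.com"})
V1_TOKEN = make_sample_token({"iss": "https://sts.windows.net/TENANT-ID-PLACEHOLDER/",
                              "aud": "APP-ID-PLACEHOLDER", "ver": "1.0", "nonce": "n-1",
                              "name": "Example User", "oid": "OBJECT-ID-PLACEHOLDER"})

if __name__ == "__main__":
    for label, tok in (("v2.0-style", V2_TOKEN), ("v1.0-style", V1_TOKEN)):
        print(label, inspect_id_token(tok))
```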

1 additional answer

  1. Kevin Overmars 21 Reputation points
    2020-09-21T07:24:57.79+00:00

    Thank you for providing this information. I tested the V1 token URL and everything is working fine.
