- changed status to open
Can't parse Azure OIDC Metadata: Unencoded { and } chars in URI
Issue #460
open
By migrating from pac4hj-oauth 5.7 to 6.0.1 (use oauth2-oidcs-sdk 11.9.1), I get the following error when calling Azure OIDC Service, actually new URI() doesn't like characters such as “{ }”
Caused by: com.nimbusds.oauth2.sdk.ParseException: Illegal character in path at index 34: https://login.microsoftonline.com/{tenantid}/v2.0
at com.nimbusds.oauth2.sdk.util.JSONObjectUtils.getURI(JSONObjectUtils.java:533)
at com.nimbusds.oauth2.sdk.as.AuthorizationServerMetadata.parse(AuthorizationServerMetadata.java:1781)
at com.nimbusds.openid.connect.sdk.op.OIDCProviderMetadata.parse(OIDCProviderMetadata.java:1302)
at com.nimbusds.openid.connect.sdk.op.OIDCProviderMetadata.parse(OIDCProviderMetadata.java:1698)
at org.pac4j.oidc.metadata.OidcOpMetadataResolver.retrieveMetadata(OidcOpMetadataResolver.java:98)
... 99 more
Caused by: java.net.URISyntaxException: Illegal character in path at index 34: https://login.microsoftonline.com/{tenantid}/v2.0
at java.base/java.net.URI$Parser.fail(URI.java:2976) at java.base/java.net.URI$Parser.checkChars(URI.java:3147)
at java.base/java.net.URI$Parser.parseHierarchical(URI.java:3229) at java.base/java.net.URI$Parser.parse(URI.java:3177)
at java.base/java.net.URI.<init>(URI.java:623)
at com.nimbusds.oauth2.sdk.util.JSONObjectUtils.getURI(JSONObjectUtils.java:529)
Comments (6)
-
-
- changed title to Can't parse Azure OIDC Metadata: Unencoded { and } chars in URI
Edits title
-
reporter
yes parameter “issuer”, line 1781 of the AuthorizationServerMetadata class
Issuer issuer = new Issuer(JSONObjectUtils.getURI(jsonObject, "issuer").toString());
-
I’ve run into this problem too, it seems to be unique to Microsoft’s implementation of the Azure ‘common’ flow, which is not OIDC compliant. Regrettably they don’t see a solution and are not able or planning to fix this.
Beside the non-parsable characters there’s also a mismatch on the returned issuer that prevents us from using pac4j 6 to log into Azure, which is a regression from previous versions where this worked.
There are multiple in depth descriptions about Azure’s behaviour, like here: https://github.com/MicrosoftDocs/azure-docs/issues/38545
-
We’ve had the same issue aswell when using the “common” tenant. The issue resolved itself when we used our real Tenant-ID in the URI:
- Discovery-URI for “common” Tenant, the response of this conatins {tenantid} placeholders that caused this issue (what we used first): https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration
- Replace “common” in the URI with your Tenant-ID (looks like a uuid, see App Registration): https://login.microsoftonline.com/{tenantid}/v2.0/.well-known/openid-configuration
- If you do this, the {tenantid} placeholders in the result are gone
-
Adrian: That’s only a solution if you know in advance which tenant you’re using. We’ve got multiple customers using different Azure domains and use the common flow to let Azure figure out the tenant the user belongs to.
- Log in to comment
Java URI implements the URI standard in RFC 2396, which requires
{and}to be escaped.https://www.rfc-editor.org/rfc/rfc2396#section-2.4.3
https://docs.oracle.com/javase/8/docs/api/java/net/URI.html
Test to capture this: 2884f471c0714ada198852992de357590e6c0a47
To work around this you may try fixing the encoding in the HTTP response before passing it to the parser. Do you know which metadata parameter gets this URI value?