CristinaHategan-2983 asked KarthikeyanRamalingam-2566 edited

Microsoft graph API - which certificates are required?

Hello!

I've been working on an integration with the Microsoft Graph API, in a Java application running on a WildFly server, and most of the time, when trying to retrieve the access token, I receive the following certificate error:

sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target,
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

The steps I follow for authorization are:
1. The authorization URL (login.microsoftonline.com/common/oauth2/v2.0/authorize) - This one works, and I receive the authorization code.
2. The token URL (login.microsoftonline.com/common/oauth2/v2.0/token) - This one throws the error related to certificates.
3. In some cases, for which I did not find a pattern, the authorization and retrieving the access token work, but I receive the certificate error when retrieving a new access token with the refresh token.

In some cases, the authorization flow works without any errors, and of course, I can also use other services provided by the API.

I've tried two ways for adding the certificates to the Java truststore:

  1. Made a call to the external URLs login.microsoftonline.com and graph.microsoft.com and requested the public key, for example:
    openssl s_client -connect login.microsoftonline.com:443 -showcerts -servername "login.microsoftonline.com" | openssl x509 -outform PEM
    Then I grabbed the key that was served and saved it into a .pem file locally. Then I imported the PEM into the Java truststore using keytool:
    keytool -importcert -file loginmicrosoftonline.pem -keystore truststore.jks -alias "loginmicrosoftonline"

  2. Took the certificates from Chrome: click the site icon to the left of the address bar, select "Certificate" -> "Details" -> "Copy to file..." and save in the format "DER-encoded binary, single certificate". I did this for the following URLs: graph.microsoft.com/v1.0/ and login.microsoftonline.com. I've imported them using keytool.


My question is: what am I missing here? Is there another way I should handle the certificates?

Looking forward to hearing your answers! Thank you!





microsoft-graph-sdk
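An added example, not code from the thread or from Microsoft: on a constructed throwaway PKI built with openssl (so it runs offline) it shows why a truststore holding only the first certificate from the `s_client -showcerts` output (the server's own leaf, which is all `openssl x509` reads) is a fragile anchor, and how the issuing CA further down the chain validates any leaf it signed. `login.example.test`, the alias and the `changeit` password are placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread. The thread's extraction keeps only
# the first certificate of the `s_client -showcerts` output (the server's leaf);
# this shows why that is a fragile anchor and how the issuing CA from further
# down the chain validates every leaf it signed. The PKI below is constructed.
set -eu
WORK=$(mktemp -d); cd "$WORK"

make_test_pki() {   # one CA and two leaves issued for the same hostname
  printf '%s\n' '[req]' 'distinguished_name = dn' 'prompt = no' \
    'x509_extensions = v3_ca' '[dn]' 'CN = Example Test CA' '[v3_ca]' \
    'basicConstraints = critical,CA:TRUE' > ca.cnf
  openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem -days 2 \
    -config ca.cnf 2>/dev/null
  for n in 1 2; do   # two distinct server certs one hostname might present
    openssl req -newkey rsa:2048 -nodes -keyout "leaf$n.key" -out "leaf$n.csr" \
      -config ca.cnf -subj "/CN=login.example.test" 2>/dev/null
    openssl x509 -req -in "leaf$n.csr" -CA ca.pem -CAkey ca.key -CAcreateserial \
      -days 2 -out "leaf$n.pem" 2>/dev/null
  done
  cat leaf1.pem ca.pem > server_chain.pem   # what `s_client -showcerts` would emit
}

first_cert_only() { openssl x509 -in "$1" -outform PEM; }   # the thread's method

split_chain() {   # writes cert-1.pem (leaf), cert-2.pem (its issuer), ...
  awk '/-----BEGIN CERTIFICATE-----/{n++} n>0{f="cert-" n ".pem"; print > f}
       /-----END CERTIFICATE-----/{close(f)}' "$1"
}

verifies() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }   # 0 = path found

make_test_pki
first_cert_only server_chain.pem > first.pem
split_chain server_chain.pem
for c in cert-*.pem; do echo "$c:"; openssl x509 -in "$c" -noout -subject -issuer; done
verifies first.pem leaf2.pem && echo "leaf as anchor: OK" || echo "leaf as anchor: FAILS for leaf2"
verifies ca.pem leaf2.pem && echo "CA as anchor: OK for leaf2"
# Import the issuer, not the leaf, into the JKS the JVM is pointed at with
# -Djavax.net.ssl.trustStore; skipped when no JDK is present.
if command -v keytool >/dev/null 2>&1; then
  keytool -importcert -noprompt -trustcacerts -file ca.pem -keystore truststore.jks \
    -storepass changeit -alias example-test-ca
fi
```

Against a real endpoint, replace `server_chain.pem` with the full `openssl s_client -showcerts` output and import the issuer certificate(s) it contains rather than `cert-1.pem`.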

I am checking this one out, will comment back.

0 Votes 0 ·

Hello! I was wondering if you had the chance to take a closer look at this. Thank you!

0 Votes 0 ·

More details needed. It's difficult to repro this. My initial questions:

  1. While you have pasted the exception from your code, are you getting an AADSTS error, since this is failing during auth? Is it:
    AADSTS50012 AuthenticationFailed - Authentication failed for one of the following reasons:
    The subject name of the signing certificate is not authorized
    A matching trusted authority policy was not found for the authorized subject name
    The certificate chain is not valid
    The signing certificate is not valid
    Policy is not configured on the tenant
    Thumbprint of the signing certificate is not authorized
    Client assertion contains an invalid signature

  2. What is your application architecture in terms of Identity, meaning which Auth flow are you following?
    https://docs.microsoft.com/en-us/azure/active-directory/develop/msal-authentication-flows


  3. What do you see in the sign in activity?
    https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/concept-sign-ins

0 Votes 0 ·
KleimertPekkaSEBT-9495 answered KrishnaBinyala-6924 commented

I have the exact same problem. I do several HTTPS calls to external systems requiring certs to be imported, but it's only when I want to fetch the OAuth2 token that I get the PKIX error. And the error only occurs when running in a Docker container. When running outside of the container with the same certificates installed, it seems to be working.


I have the exact same problem. While invoking the API, it works fine on my local system. Only in the Docker container is it throwing exceptions. API invoked: https://graph.microsoft.com/v1.0/applications/

Validated that the trustStoreLocation and trustStorePassword properties are correctly set in Java for RestTemplate.

0 Votes 0 ·

@KleimertPekkaSEBT-9495 did you get any solution?

0 Votes 0 ·
CoetzeeTheunisVodacomExternal-4627 answered KarthikeyanRamalingam-2566 edited

Hi, you can export the correct certificate from this link, using method 2 you mentioned:

https://graph.microsoft.com/.default

I had the exact same issue as you.


Installing the certificate from https://graph.microsoft.com/.default fixed the cert issues for me as well. I installed it in the app server. Thanks for the info.

0 Votes 0 ·