Microsoft Entra + private_key_jwt + certificate credential: AADSTS700027 ("key was not found") on Ubuntu 24.04 / mod_auth_openidc 2.4.15.1

[gerdiedas]

Hi,

I’m trying to use mod_auth_openidc as an Apache reverse proxy in front of an internal web app (Checkmk), with Microsoft Entra ID as the OIDC provider.

Environment

• Ubuntu 24.04
• Apache 2.4 (Ubuntu package)
• mod_auth_openidc 2.4.15.1 (Ubuntu noble package)
• Entra OIDC provider metadata URL:
  https://login.microsoftonline.com/<TENANT_ID>/v2.0/.well-known/openid-configuration
• Authorization code flow with PKCE
• Token endpoint auth:
  OIDCProviderTokenEndpointAuth private_key_jwt
• Certificate uploaded in Entra app registration
• Public/private key configured locally with:
  • OIDCPublicKeyFiles
  • OIDCPrivateKeyFiles

What works

The browser-side OIDC flow appears to work correctly now:

• initial request to / gets redirected to Entra
• state cookie is set
• callback to /oidc/redirect_uri is received
• state cookie is sent back by the browser
• mod_auth_openidc successfully restores protocol state

So the problem is no longer redirect URI / callback / cookie handling.

What fails

The failure now happens during code redemption at the token endpoint.

Entra returns:

AADSTS700027: The certificate with identifier used to sign the client assertion is not registered on application. [Reason - The key was not found.]

Relevant sanitized log excerpt:

oidc_proto_token_endpoint_auth: token_endpoint_auth=private_key_jwt
oidc_proto_endpoint_auth_private_key_jwt: enter

oidc_util_http_call: url=https://login.microsoftonline.com/<TENANT_ID>/oauth2/v2.0/token

HTTP response code=401
response={"error":"invalid_client","error_description":"AADSTS700027: The certificate with identifier used to sign the client assertion is not registered on application. [Reason - The key was not found....]"}

The generated client_assertion header in my logs looks like this:
{"alg":"RS256","kid":""}

The payload includes the expected fields like iss, sub, aud, jti, exp, iat, and the audience is the /oauth2/v2.0/token endpoint.
However, Microsoft Entra’s certificate-credential documentation currently describes a client assertion header shape using:

alg = PS256
typ = JWT
x5t#S256 = < certificate SHA-256 thumbprint >

So my question is whether the assertion currently generated by mod_auth_openidc in this setup is still not Entra-compatible for certificate-based private_key_jwt.

Question:
Is this a known limitation / bug in mod_auth_openidc 2.4.15.1 (or in the Ubuntu-packaged build specifically)?

More concretely:
Is Microsoft Entra certificate-based private_key_jwt expected to work with current mod_auth_openidc releases?
Does a newer upstream release generate a different client assertion format for Entra (for example PS256 / x5t#S256)?
If yes, from which version should this work?
If no, is Entra certificate-based private_key_jwt currently unsupported / only partially supported in mod_auth_openidc?

Notes:
The same certificate is visible in the Entra app registration.
The certificate thumbprint matches what I expect locally.
The failure occurs only after the callback, at the token exchange step.
Company policy does not allow using a client secret, so certificate-based auth is required.

I also found the older Azure AD / private_key_jwt discussion (#762), which looks related, but I am not sure what the current status is for modern Entra + current releases.
Thanks!

[zandbelt]

looks like a duplicate of #1269, so use >= 2.4.16.4, see also the release notes at https://github.com/OpenIDC/mod_auth_openidc/releases/tag/v2.4.16.4

[gerdiedas]

thank you very much. sry for oversseing this.