OIDC Authentication with ADFS

Grunt
Sep 6, 2022
I'm trying to configure OIDC authentication to go through Server 2022 ADFS. Following a few guides out there about different products, I've stitched together a configuration that seems to be about 90% complete. Currently, I get the error "OpenID login failed, please try again authentication failure (401)" in the WebUI, and
pvedaemon[3108070]: openid authentication failure; rhost=192.168.1.194 msg=Failed to contact userinfo endpoint: Request failed
is logged in syslog.

Any ideas where I'm wrong or next steps on troubleshooting this? I tried starting pvedaemon with --debug 0, but it didn't seem to do anything.


OIDC Configuration
Code:
openid: OIDC
        client-id xxxxxxxxxxxxxx
        issuer-url https://adfs.contoso.net/adfs
        autocreate 1
        client-key xxxxxxxxxxxxxxx
        default 0
        username-claim email

ADFS Server Application
[screenshot: ADFS Server Application settings; image not included in the text extract]

ADFS Web Server API
[screenshot: ADFS Web Server API settings; image not included in the text extract]

ADFS Issuance Transform Rules
[screenshot: ADFS Issuance Transform Rules; image not included in the text extract]
 
There's another thread where people had issues with ADFS 2019: https://forum.proxmox.com/threads/openid-and-adfs-2019-server.110350/post-475128

But if it's not the same issue, do you see the OpenID configuration when appending /.well-known/openid-configuration to the issuer URL?

Thanks, I DID see that and I am seeing similar results, but they say they got it to work using the settings they have pictured. I haven't had that kind of luck. I can get to https://adfs.contoso.net/adfs/.well-known/openid-configuration, which is shown below. I pretty-printed it, as it is returned as a long brick of text.

Code:
{
    "issuer":"https:\/\/adfs.contoso.net\/adfs",
    "authorization_endpoint":"https:\/\/adfs.contoso.net\/adfs\/oauth2\/authorize\/",
    "token_endpoint":"https:\/\/adfs.contoso.net\/adfs\/oauth2\/token\/",
    "jwks_uri":"https:\/\/adfs.contoso.net\/adfs\/discovery\/keys",
    "token_endpoint_auth_methods_supported":[
        "client_secret_post",
        "client_secret_basic",
        "private_key_jwt",
        "windows_client_authentication"
    ],
    "response_types_supported":[
        "code",
        "id_token",
        "code id_token",
        "id_token token",
        "code token",
        "code id_token token"
    ],
    "response_modes_supported":[
        "query",
        "fragment",
        "form_post"
    ],
    "grant_types_supported":[
        "authorization_code",
        "refresh_token",
        "client_credentials",
        "urn:ietf:params:oauth:grant-type:jwt-bearer",
        "implicit",
        "password",
        "srv_challenge",
        "urn:ietf:params:oauth:grant-type:device_code",
        "device_code"
    ],
    "subject_types_supported":[
        "pairwise"
    ],
    "scopes_supported":[
        "winhello_cert",
        "openid",
        "user_impersonation",
        "vpn_cert",
        "email",
        "profile",
        "allatclaims",
        "logon_cert",
        "aza"
    ],
    "id_token_signing_alg_values_supported":[
        "RS256"
    ],
    "token_endpoint_auth_signing_alg_values_supported":[
        "RS256"
    ],
    "access_token_issuer":"http:\/\/adfs.contoso.net\/adfs\/services\/trust",
    "claims_supported":[
        "aud",
        "iss",
        "iat",
        "exp",
        "auth_time",
        "nonce",
        "at_hash",
        "c_hash",
        "sub",
        "upn",
        "unique_name",
        "pwd_url",
        "pwd_exp",
        "mfa_auth_time",
        "sid",
        "nbf"
    ],
    "microsoft_multi_refresh_token":true,
    "userinfo_endpoint":"https:\/\/adfs.contoso.net\/adfs\/userinfo",
    "capabilities":[
        "kdf_ver2"
    ],
    "end_session_endpoint":"https:\/\/adfs.contoso.net\/adfs\/oauth2\/logout",
    "as_access_token_token_binding_supported":true,
    "as_refresh_token_token_binding_supported":true,
    "resource_access_token_token_binding_supported":true,
    "op_id_token_token_binding_supported":true,
    "rp_id_token_token_binding_supported":true,
    "frontchannel_logout_supported":true,
    "frontchannel_logout_session_supported":true,
    "device_authorization_endpoint":"https:\/\/adfs.contoso.net\/adfs\/oauth2\/devicecode"
}
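The suggested check (append /.well-known/openid-configuration to the issuer-url and look at what comes back) can be turned into a small offline script. The following is an added example, not code from Proxmox or from anyone in this thread: it parses a trimmed copy of the discovery document quoted above (embedded as a constructed sample, with the `\/` escapes ADFS returns) and reports the things that commonly break an `openid` realm: issuer mismatch against the configured `issuer-url`, missing or non-HTTPS endpoints (including the `userinfo_endpoint` the failing log line refers to), signing algorithm, and whether the configured `username-claim` is advertised at all. The `fetch_discovery` helper is an assumed convenience for running the same checks against a live server; the realm values are the ones from the configuration posted above.

```python
"""Offline sanity checks for an OIDC discovery document against a Proxmox-style
openid realm (issuer-url + username-claim). Added example; not Proxmox code."""
import json
import urllib.request
from urllib.parse import urlparse

# Constructed sample: a trimmed copy of the discovery document quoted in the
# thread, kept with its "\/" escapes exactly as ADFS returns them.
SAMPLE_DISCOVERY = r'''{
    "issuer":"https:\/\/adfs.contoso.net\/adfs",
    "authorization_endpoint":"https:\/\/adfs.contoso.net\/adfs\/oauth2\/authorize\/",
    "token_endpoint":"https:\/\/adfs.contoso.net\/adfs\/oauth2\/token\/",
    "jwks_uri":"https:\/\/adfs.contoso.net\/adfs\/discovery\/keys",
    "userinfo_endpoint":"https:\/\/adfs.contoso.net\/adfs\/userinfo",
    "id_token_signing_alg_values_supported":["RS256"],
    "scopes_supported":["openid","email","profile","allatclaims"],
    "claims_supported":["aud","iss","iat","exp","auth_time","nonce","at_hash",
        "c_hash","sub","upn","unique_name","pwd_url","pwd_exp",
        "mfa_auth_time","sid","nbf"]
}'''

REQUIRED = ("authorization_endpoint", "token_endpoint", "jwks_uri")
# userinfo_endpoint is optional in the OIDC Discovery spec, but the log line in
# the thread shows the client contacting it, so its absence is an error here.
ALSO_NEEDED = ("userinfo_endpoint",)


def discovery_url(issuer_url: str) -> str:
    """Build the well-known URL the client appends to the configured issuer-url."""
    return issuer_url.rstrip("/") + "/.well-known/openid-configuration"


def fetch_discovery(issuer_url: str, timeout: float = 5.0) -> str:
    """Live fetch of the discovery document (assumed helper; not used offline)."""
    with urllib.request.urlopen(discovery_url(issuer_url), timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def check_discovery(doc_text: str, configured_issuer: str, username_claim: str):
    """Return a list of (level, message) findings; level is "ERROR" or "WARN"."""
    findings = []
    doc = json.loads(doc_text)  # json.loads decodes "\/" back to "/"
    issuer = doc.get("issuer", "")

    # 1. The advertised issuer must match the realm's issuer-url. Clients compare
    #    strictly, so a difference only in the trailing slash is still flagged.
    if issuer != configured_issuer:
        same_modulo_slash = issuer.rstrip("/") == configured_issuer.rstrip("/")
        level = "WARN" if same_modulo_slash else "ERROR"
        findings.append((level, f"issuer {issuer!r} != configured {configured_issuer!r}"))

    # 2. Endpoints the client will call: present, HTTPS, and on the issuer's host.
    issuer_host = urlparse(issuer).hostname
    for key in REQUIRED + ALSO_NEEDED:
        url = doc.get(key)
        if not url:
            findings.append(("ERROR", f"{key} missing from discovery document"))
            continue
        parts = urlparse(url)
        if parts.scheme != "https":
            findings.append(("ERROR", f"{key} is not https: {url}"))
        if parts.hostname != issuer_host:
            findings.append(("WARN", f"{key} host {parts.hostname!r} differs from issuer host {issuer_host!r}"))

    # 3. The id_token signing algorithm the client will verify against.
    algs = doc.get("id_token_signing_alg_values_supported", [])
    if "RS256" not in algs:
        findings.append(("WARN", f"RS256 not advertised for id_token signing; got {algs}"))

    # 4. The claim used as the username should be advertised; if it is not,
    #    the IdP's issuance rules have to emit it explicitly.
    if username_claim not in doc.get("claims_supported", []):
        findings.append(("WARN", f"username-claim {username_claim!r} not listed in "
                                 "claims_supported; the IdP must be configured to emit it"))
    return findings


if __name__ == "__main__":
    # Realm values taken from the configuration posted in the thread.
    for level, msg in check_discovery(SAMPLE_DISCOVERY, "https://adfs.contoso.net/adfs", "email"):
        print(f"{level}: {msg}")
```

Against the document quoted above the script reports no errors, only a warning that `email` is not among the advertised claims, which is why the issuance transform rules matter for a realm whose `username-claim` is `email`.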
 
I'll have to check the specification to see if requiring that resource parameter is allowed, optional or should not be done. But based on the Microsoft thread that's linked in the other thread, it seems to be that Microsoft requires something strange when using `Web API`.
 
Were you ever able to solve this problem? We are running into the same issue here with ADFS and OIDC.
 
I'm also having the same issue with OpenID / ADFS and have tried a bunch of different configs from the forums here.
Seems like there's a good demand for this so hopefully we'll be able to get this resolved!

Lee
 
As a workaround we ended up standing up a keycloak server in between ADFS and Proxmox. It would still be nice to have this natively supported in Proxmox though. And to have group mapping from the OIDC.
 
