OpenID 401 with Azure AD

[monetin]

Hello,
I recently upgraded to Proxmox VE 7.1-10 and am now receiving a 401 error when authenticating with Azure AD OpenID:


I am redirected to Microsoft and the Azure AD logs state that the authentication was successful. However, I cannot log in. This seems to be restricted to Azure AD as I have another instance using Keycloak and I can log in fine. I can only see the following line in /var/log/syslog:

pvedaemon[137919]: openid authentication failure; rhost=<redacted> msg=Failed to contact token endpoint: Request failed

Is there any other place where logs are stored and do you have any ideas what might be going on?

Thanks!

 

[mira]

This might be a similar issue as in https://bugzilla.proxmox.com/show_bug.cgi?id=3916
The issue in the bug tracker is with lemonldap-ng.

Could you try downgrading libpve-rs-perl to version 0.5.0?

 

[monetin]

Hi Mira,
I can confirm that that has fixed the issue.

Thanks!

 

[mira]

It seems the issue is connected to certain configurations.
Would it be possible to provide the .well-known/openid-configuration for your setup?

You can get it by combining the issuer with .well-known/openid-configuration.

 

[mira]

Another question, do you have a proxy configured in the datacenter configuration?

 

[monetin]

Hi Mira,
I've attached the .well-known/openid-configuration. We do not have anything configured under "HTTP Proxy".

Hope this helps,
David

 

[mira]

Thanks for the configuration.

So the issue is not with missing proxy support then.

 

[ivy-cst]

Hi,
We have the same problem with Azure AD.

The workaround with downgrading libpve-rs-perl to 0.5.0 did help.
But this is no longer possible because then too many packages where removed:

apt install libpve-rs-perl=0.5.0
The following packages were automatically installed and are no longer required:
  ceph-fuse ebtables fonts-glyphicons-halflings genisoimage idn javascript-common libfuse3-3 libjs-bootstrap libjs-jquery libjs-qrcodejs libnetaddr-ip-perl libposix-strptime-perl libproxmox-acme-plugins libpve-apiclient-perl libpve-u2f-server-perl libqrencode4 libtpms0
  libu2f-server0 libyaml-0-2 libyaml-libyaml-perl proxmox-archive-keyring proxmox-backup-client proxmox-backup-file-restore proxmox-backup-restore-image proxmox-mini-journalreader proxmox-websocket-tunnel proxmox-widget-toolkit pve-edk2-firmware pve-i18n
  pve-kernel-helper pve-lxc-syscalld qrencode swtpm swtpm-libs swtpm-tools zstd
Use 'apt autoremove' to remove them.
The following packages will be REMOVED:
  libproxmox-acme-perl libproxmox-rs-perl libpve-access-control libpve-cluster-api-perl libpve-cluster-perl libpve-common-perl libpve-guest-common-perl libpve-http-server-perl libpve-storage-perl librados2-perl proxmox-ve pve-cluster pve-container pve-firewall
  pve-ha-manager pve-manager qemu-server
The following packages will be DOWNGRADED:
  libpve-rs-perl
0 upgraded, 0 newly installed, 1 downgraded, 17 to remove and 0 not upgraded.

 

[mira]

Thank you for letting us know.
Could you provide the following 3 entries of your .well-known/openid-configuration?
issuer, jwks_uri and token_endpoint

The important part is the structure, including any `oauth2` and other non-sensitive parts.

If you don't mind, the complete .well-known/openid-configuration would be even better.

 

[ivy-cst]

Thank you for letting us know.
Could you provide the following 3 entries of your .well-known/openid-configuration?
issuer, jwks_uri and token_endpoint

The important part is the structure, including any `oauth2` and other non-sensitive parts.

If you don't mind, the complete .well-known/openid-configuration would be even better.

Thanks for the fast reply.
Here the openid-configuration.txt with the removed Tenand Id:

 

[mira]

Thank you all for providing all that information.
We figured out the reason why it fails with the newer version. We send every request with Transfer-Encoding: chunked which is not accepted by the Azure Token Endpoint. A patch [0] to fix this has been sent to the pve-devel mailing list and is awaiting review.

This might also fix https://bugzilla.proxmox.com/show_bug.cgi?id=3916


[0]https://lists.proxmox.com/pipermail/pve-devel/2022-March/052388.html

 

[kelhamtech]

Hello,

Is there a functional workaround for PVE 7.1-11 until a patch is released?

Regards,
Matt.

 

[talos]

Hello,

Is there a functional workaround for PVE 7.1-11 until a patch is released?

Regards,
Matt.

Patch suffix looks like rust, i think without a full pve development environment we cant to anything with that diff by ourself because rust stuff has to be compiled.

 

[mira]

Yep, you would have to install all dependencies from the `devel` repo: deb http://download.proxmox.com/debian/devel bullseye main
Then build proxmox-openid-rs, install it and then build libpve-rs-perl.

If you already have libpve-rs-perl 0.6.0 installed, it is rather difficult to downgrade to 0.5.0, as it involves pve-manager, libpve-common-perl and some other dependencies. You could still try manually downgrading though.
If you plan on doing so, then start with apt install libpve-rs-perl=0.5.0, it should show you a dependency conflict. From there, downgrade those packages to older versions and so on.

 

[mira]

A new version of libpve-rs-perl (0.6.1) is available on the pvetest repository: http://download.proxmox.com/debian/pve/dists/bullseye/pvetest/binary-amd64/

This should fix the issue.

 

[talos]

A new version of libpve-rs-perl (0.6.1) is available on the pvetest repository: http://download.proxmox.com/debian/pve/dists/bullseye/pvetest/binary-amd64/

This should fix the issue.

Hi Mira,

i just installed this version on one of my non-subscription hosts, i restarted pvepoxy (dont know if required) but AzureAD still fails with 401. Autocreate is on so this should work.

--2022-04-20 11:24:24-- http://download.proxmox.com/debian/...t/binary-amd64/libpve-rs-perl_0.6.1_amd64.deb
...
# dpk -i dpkg -i libpve-rs-perl_0.6.1_amd64.deb
(Reading database ... 119486 files and directories currently installed.)
Preparing to unpack libpve-rs-perl_0.6.1_amd64.deb ...
Unpacking libpve-rs-perl (0.6.1) over (0.6.0) ...
Setting up libpve-rs-perl (0.6.1) ...
Processing triggers for pve-ha-manager (3.3-3) ...
Processing triggers for pve-manager (7.1-12) ...
...
systemctl restart pveproxy
...

Scope is: email profile
For Username claim i tested "username" and in another try "email", makes no difference, still 401.

Do i need to restart the whole node? is there any way to debug this issue? i cant find anything in the logs.

 

[mira]

No, it should work directly after installing it.
What error do you see in the journal when trying to connect?

pvedaemon[137919]: openid authentication failure; rhost=<redacted> msg=Failed to contact token endpoint: Request failed

`Failed to contact token endpoint` or something else?

 

[talos]

No, it should work directly after installing it.
What error do you see in the journal when trying to connect?

pvedaemon[137919]: openid authentication failure; rhost=<redacted> msg=Failed to contact token endpoint: Request failed

`Failed to contact token endpoint` or something else?

ah yes, and i fixed it. Error on my side. i reconfigured it and used key id and not secret for the secret. It works now.

Thank you.

Ps. Works on both, PVE and PBS.

 

[daros]

Its fixed but we now have a new problem,

OpenID login Failed, please try againn
Parameter verification failed. (400)

code: value may only be 1024 characters long.

 

[mira]

I had the same issue when testing Azure AD and using the client secret ID instead of the actual client secret.
Make sure you have configured the secret, not its ID.