OpenID 401 with Azure AD

Still seeing "Failed to contact token endpoint: Request failed" with 401 being returned by the Proxmox front end, with the latest Proxmox install. I can see comms between Proxmox and the endpoint occurring, but of course cannot see the response.

issuer URL:
https://login.microsoftonline.com/##/v2.0
realm: myazuredomain.com
client ID: "application ID" from Azure app
client key: "client secret" description set in Azure
username claim: username
autocreate users: Yes

Anyone have any suggestions please?
 
The issue continues to exist. I guess no one here has any idea what's going on!
 
What does your log say when you try to log in and receive an error?

I assume you have the latest version of the Proxmox libraries and rebooted afterwards, right?


 
Syslog says:
Code:
pvedaemon[1666035]: openid authentication failure; rhost=::ffff:<ipv4 of client> msg=Failed to contact token endpoint: Request failed

This is actually a fresh deployment, so everything is bang up-to-date.
 
Revisiting this with a fresh head and starting from scratch has resulted in it now working. Clearly something was amiss but since it was re-implemented from scratch unfortunately I can't say what. Thanks for the help in any case.
 
Glad you got it working!

A colleague had a wrong client key on Friday which resulted in the same error.
And I copied the client key ID instead of the actual client key in the past when setting up Azure.
 
I have also just seen this issue when configuring Authentik OIDC with PVE. My issue turned out to be special characters in the client secret. Once I switched to a client secret with only alphanumeric characters, the login worked successfully.

I am not sure which character was the culprit and am out of time to further troubleshoot, but it was one of: ^ $ % or @.
 
Same issue with Proxmox 8.3.2 and the latest Authentik... It used to work, but stopped working.

libpve-rs-perl 0.9.1

Looks like the problem is because of the Nginx Proxy Manager. I am able to authenticate if I log in directly on the host.
 
Same issue here. Proxmox 8.3.2, libpve-rs-perl 0.9.1, latest authentik

I'm not using any proxy and it still does not work. Did you manage to solve this?
 
Can you provide the full error you get?
And the resulting logs in the journal of the failed login would be good to have as well.
 
Sure, there is nothing in the logs except a log-in using credentials, the OpenID failure and then a log-in again with credentials

Jan 22 14:05:23 pve pvedaemon[1665]: <root@pam> successful auth for user 'root@pam'
Jan 22 14:05:32 pve pvedaemon[1667]: <root@pam> successful auth for user 'root@pam'
Jan 22 14:11:38 pve pvedaemon[1665]: openid authentication failure; rhost=::ffff:x.x.x.x msg=Failed to contact token endpoint: Failed to parse server response
Jan 22 14:11:51 pve pvedaemon[1666]: <root@pam> successful auth for user 'root@pam'
Jan 22 14:12:09 pve pvedaemon[1665]: <root@pam> successful auth for user 'root@pam'

Let me know if any other logs help
 
I have encountered the same issue as you. After looking up the Authentik logs, it said that the Proxmox OpenID client could recognize RSA instead of EC keys. And this issue was solved by using other RSA keys. Hopefully that could solve your problem.
However, I have encountered another issue. While Authentik logged that it has already authorized the Proxmox daemon (or probably something else), the Proxmox daemon is still stuck at OpenID failed (401), with log:
Code:
Jan 24 12:49:09 pvedaemon[214662]: openid authentication failure; rhost=<ip> msg=Failed to contact token endpoint: Failed to parse server response
Digging seems to be necessary, but I have no idea about what to do next.
 
Thank you for the information! I'll see if I can reproduce it with this information.
 
I did find the same two messages in the authentik logs. The first one led to HTTP 500 and the second one to HTTP 401

The last lines of the authentik logs show that Proxmox in fact reaches out to the /tokens API; it looks like the response JSON is not in a format Proxmox expects (maybe missing some field?)

Code:
 auth_via=unauthenticated domain_url=<authentik url> event=/application/o/proxmox/.well-known/openid-configuration host=<authentik url> logger=authentik.asgi method=GET pid=51048 remote=<pve IP> request_id=89a766***1b0 runtime=520 schema_name=public scheme=https status=200 timestamp=2025-01-25T17:14:30.795668 user= user_agent=ureq/2.10.0

auth_via=unauthenticated domain_url=<authentik url> event=/application/o/proxmox/jwks/ host=<authentik url> logger=authentik.asgi method=GET pid=51048 remote=<pve IP> request_id=58f57***25e runtime=895 schema_name=public scheme=https status=200 timestamp=2025-01-25T17:14:31.940522 user= user_agent=ureq/2.10.0

auth_via=oauth_client_secret domain_url=<authentik url> event=/application/o/token/ host=<authentik url> logger=authentik.asgi method=POST pid=51048 remote=<pve IP> request_id=67630c***37d runtime=577 schema_name=public scheme=https status=200 timestamp=2025-01-25T17:14:32.766922 user= user_agent=ureq/2.10.0
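The authentik log above shows the three requests the PVE client makes (discovery, JWKS, token POST), all returning 200, while pvedaemon still reports "Failed to parse server response". The checker below is an added example (not Proxmox or authentik code) that runs the sanity checks a defender would apply to captured copies of those three documents: a non-RSA signing key in the JWKS (the EC-key problem reported earlier in the thread), a token response that is not JSON or lacks the fields an OIDC client needs (what a reverse proxy error page would produce), and the client-secret characters reported as problematic. All sample documents and the idp.example hostname are constructed for the example.

```python
"""Offline checks for the discovery / JWKS / token-endpoint steps of an OIDC login."""
import json

# Constructed sample inputs (assumptions, not captured from a real deployment).
DISCOVERY = {"issuer": "https://idp.example/application/o/proxmox/",
             "token_endpoint": "https://idp.example/application/o/token/",
             "jwks_uri": "https://idp.example/application/o/proxmox/jwks/"}
JWKS_EC = {"keys": [{"kty": "EC", "crv": "P-256", "kid": "k1", "use": "sig"}]}
JWKS_RSA = {"keys": [{"kty": "RSA", "kid": "k2", "use": "sig", "n": "...", "e": "AQAB"}]}
TOKEN_OK = '{"access_token":"x","token_type":"Bearer","expires_in":3600,"id_token":"h.p.s"}'
TOKEN_HTML = "<html><body>502 Bad Gateway</body></html>"  # e.g. a proxy error page instead of JSON
REPORTED_BAD_SECRET_CHARS = set("^$%@")  # characters the thread reports as breaking the login

def check_discovery(doc):
    """The discovery document must name the endpoints the client will call next."""
    return [f"discovery missing {f}" for f in ("issuer", "token_endpoint", "jwks_uri") if f not in doc]

def check_jwks(jwks):
    """Flag signing keys that are not RSA; the thread reports the PVE client rejecting EC keys."""
    findings = []
    for key in jwks.get("keys", []):
        if key.get("kty") != "RSA":
            findings.append(f"key {key.get('kid')} is {key.get('kty')}, not RSA")
    return findings

def check_token_response(body):
    """The token endpoint body must be JSON carrying the standard token-response fields
    (RFC 6749 plus the OIDC id_token); anything else cannot be parsed by the client."""
    try:
        doc = json.loads(body)
    except json.JSONDecodeError:
        return ["token endpoint body is not JSON (proxy error page?)"]
    return [f"missing field {f}" for f in ("access_token", "token_type", "id_token") if f not in doc]

def check_secret(secret):
    """Heuristic only: report characters the thread associates with failed logins."""
    return [f"secret contains {c!r}" for c in sorted(REPORTED_BAD_SECRET_CHARS & set(secret))]

def diagnose(discovery, jwks, token_body, secret):
    """Run every check and return the combined list of findings (empty means all clear)."""
    return (check_discovery(discovery) + check_jwks(jwks)
            + check_token_response(token_body) + check_secret(secret))

if __name__ == "__main__":
    for finding in diagnose(DISCOVERY, JWKS_EC, TOKEN_HTML, "ab^cd"):
        print(finding)
```

Feed it the real documents by saving the discovery JSON, the JWKS and the raw token-endpoint body captured on the PVE host, or behind the proxy, and comparing the findings for the two paths.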
 
Where exactly did you create those keys, and where do you use them?

Did any of you set an encryption key for tokens?
 