OpenID 401 with Azure AD

monetin

Mar 2, 2022
Hello,
I recently upgraded to Proxmox VE 7.1-10 and am now receiving a 401 error when authenticating with Azure AD OpenID:
(screenshot of the 401 error attached)

I am redirected to Microsoft and the Azure AD logs state that the authentication was successful. However, I cannot log in. This seems to be restricted to Azure AD as I have another instance using Keycloak and I can log in fine. I can only see the following line in /var/log/syslog:

pvedaemon[137919]: openid authentication failure; rhost=<redacted> msg=Failed to contact token endpoint: Request failed

Is there any other place where logs are stored and do you have any ideas what might be going on?

Thanks!
 
It seems the issue is connected to certain configurations.
Would it be possible to provide the .well-known/openid-configuration for your setup?

You can get it by combining the issuer with .well-known/openid-configuration.
 
Another question, do you have a proxy configured in the datacenter configuration?
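The reply above describes building the discovery URL from the issuer and reading out issuer, jwks_uri and token_endpoint. The following is an added example, not code from this thread or from Proxmox: a Python script that does that combination, checks the document the way an OIDC client does before it ever contacts the token endpoint (issuer must match the configured URL exactly, endpoints must be https and, for Azure AD, on the same host), and redacts the tenant ID so the document can be posted, as the posters here did. The discovery document, tenant GUID and issuer are constructed placeholders shaped like an Azure AD v2.0 document; the `fetch_discovery` function is the only part that touches the network and is not called by the offline checks.

```python
import json
import re
import urllib.parse
import urllib.request

# Constructed sample shaped like an Azure AD v2.0 discovery document, trimmed to the
# entries this thread discusses. The tenant GUID is a placeholder, not a real tenant.
TENANT = "11111111-2222-3333-4444-555555555555"
SAMPLE_ISSUER = f"https://login.microsoftonline.com/{TENANT}/v2.0"
SAMPLE_DISCOVERY = json.dumps({
    "issuer": SAMPLE_ISSUER,
    "authorization_endpoint": f"https://login.microsoftonline.com/{TENANT}/oauth2/v2.0/authorize",
    "token_endpoint": f"https://login.microsoftonline.com/{TENANT}/oauth2/v2.0/token",
    "jwks_uri": f"https://login.microsoftonline.com/{TENANT}/discovery/v2.0/keys",
    "token_endpoint_auth_methods_supported": ["client_secret_post", "client_secret_basic"],
    "response_types_supported": ["code", "id_token", "code id_token"],
}, indent=2)

GUID_RE = re.compile(r"[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}")
WANTED = ("issuer", "jwks_uri", "token_endpoint")


def discovery_url(issuer_url):
    """Combine the realm's issuer URL with the well-known path, as the reply above says."""
    return issuer_url.rstrip("/") + "/.well-known/openid-configuration"


def fetch_discovery(issuer_url, timeout=10):
    """Live fetch of the document; the checks below work on the text and stay offline."""
    with urllib.request.urlopen(discovery_url(issuer_url), timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def inspect_discovery(issuer_url, document_text):
    """Return the three entries asked for in the thread and a list of problems that an
    OIDC client doing discovery would trip over before contacting the token endpoint."""
    doc = json.loads(document_text)
    entries = {k: doc.get(k) for k in WANTED}
    problems = [f"missing {k}" for k in WANTED if not entries[k]]

    # OIDC Discovery requires the issuer in the document to equal the issuer the client
    # was configured with; http://, a stray slash, or the wrong tenant all fail here.
    doc_issuer = entries["issuer"]
    if doc_issuer and doc_issuer != issuer_url:
        if doc_issuer.rstrip("/") == issuer_url.rstrip("/"):
            problems.append("issuer differs from the configured URL only by a trailing slash; strict clients reject this")
        else:
            problems.append(f"issuer mismatch: configured {issuer_url!r}, document says {doc_issuer!r}")

    issuer_host = urllib.parse.urlsplit(issuer_url).netloc
    for k in ("jwks_uri", "token_endpoint"):
        url = entries[k]
        if not url:
            continue
        parts = urllib.parse.urlsplit(url)
        if parts.scheme != "https":
            problems.append(f"{k} is not https: {url}")
        if parts.netloc != issuer_host:
            # Legitimate for some providers, but Azure AD serves everything from one host,
            # so a different host usually means the wrong issuer URL was configured.
            problems.append(f"{k} host {parts.netloc!r} differs from issuer host {issuer_host!r}")
    return entries, problems


def redact_tenant(document_text):
    """Replace tenant GUIDs so the document can be posted publicly, as done in this thread."""
    return GUID_RE.sub("<tenant-id>", document_text)


if __name__ == "__main__":
    found, issues = inspect_discovery(SAMPLE_ISSUER, SAMPLE_DISCOVERY)
    print(json.dumps(found, indent=2))
    print("problems:", issues or "none")
    print(redact_tenant(SAMPLE_DISCOVERY))
```

To run it against a real realm, call `inspect_discovery(issuer, fetch_discovery(issuer))` with the exact issuer string configured in the realm; the point of passing the configured string rather than a cleaned-up one is that the comparison then reproduces what the client will do.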
 
Hi Mira,
I've attached the .well-known/openid-configuration. We do not have anything configured under "HTTP Proxy".

Hope this helps,
David
 

Attachments
  • openid-configuration.txt (1.5 KB)
Thanks for the configuration.

So the issue is not with missing proxy support then.
 
Hi,
We have the same problem with Azure AD.

The workaround of downgrading libpve-rs-perl to 0.5.0 did help.
But this is no longer possible because then too many packages were removed:

Code:
apt install libpve-rs-perl=0.5.0
The following packages were automatically installed and are no longer required:
  ceph-fuse ebtables fonts-glyphicons-halflings genisoimage idn javascript-common libfuse3-3 libjs-bootstrap libjs-jquery libjs-qrcodejs libnetaddr-ip-perl libposix-strptime-perl libproxmox-acme-plugins libpve-apiclient-perl libpve-u2f-server-perl libqrencode4 libtpms0
  libu2f-server0 libyaml-0-2 libyaml-libyaml-perl proxmox-archive-keyring proxmox-backup-client proxmox-backup-file-restore proxmox-backup-restore-image proxmox-mini-journalreader proxmox-websocket-tunnel proxmox-widget-toolkit pve-edk2-firmware pve-i18n
  pve-kernel-helper pve-lxc-syscalld qrencode swtpm swtpm-libs swtpm-tools zstd
Use 'apt autoremove' to remove them.
The following packages will be REMOVED:
  libproxmox-acme-perl libproxmox-rs-perl libpve-access-control libpve-cluster-api-perl libpve-cluster-perl libpve-common-perl libpve-guest-common-perl libpve-http-server-perl libpve-storage-perl librados2-perl proxmox-ve pve-cluster pve-container pve-firewall
  pve-ha-manager pve-manager qemu-server
The following packages will be DOWNGRADED:
  libpve-rs-perl
0 upgraded, 0 newly installed, 1 downgraded, 17 to remove and 0 not upgraded.
 
Thank you for letting us know.
Could you provide the following 3 entries of your .well-known/openid-configuration?
issuer, jwks_uri and token_endpoint

The important part is the structure, including any `oauth2` and other non-sensitive parts.

If you don't mind, the complete .well-known/openid-configuration would be even better.
 
Thanks for the fast reply.
Here is the openid-configuration.txt with the Tenant ID removed:
 

Attachments
  • openid-configuration.txt (1.5 KB)
Yep, you would have to install all dependencies from the `devel` repo: deb http://download.proxmox.com/debian/devel bullseye main
Then build proxmox-openid-rs, install it and then build libpve-rs-perl.

If you already have libpve-rs-perl 0.6.0 installed, it is rather difficult to downgrade to 0.5.0, as it involves pve-manager, libpve-common-perl and some other dependencies. You could still try manually downgrading though.
If you plan on doing so, then start with apt install libpve-rs-perl=0.5.0, it should show you a dependency conflict. From there, downgrade those packages to older versions and so on.
 
A new version of libpve-rs-perl (0.6.1) is available on the pvetest repository: http://download.proxmox.com/debian/pve/dists/bullseye/pvetest/binary-amd64/

This should fix the issue.
Hi Mira,

I just installed this version on one of my non-subscription hosts. I restarted pveproxy (don't know if required), but Azure AD still fails with 401. Autocreate is on, so this should work.

--2022-04-20 11:24:24-- http://download.proxmox.com/debian/...t/binary-amd64/libpve-rs-perl_0.6.1_amd64.deb
...
# dpkg -i libpve-rs-perl_0.6.1_amd64.deb
(Reading database ... 119486 files and directories currently installed.)
Preparing to unpack libpve-rs-perl_0.6.1_amd64.deb ...
Unpacking libpve-rs-perl (0.6.1) over (0.6.0) ...
Setting up libpve-rs-perl (0.6.1) ...
Processing triggers for pve-ha-manager (3.3-3) ...
Processing triggers for pve-manager (7.1-12) ...
...
systemctl restart pveproxy
...

Scope is: email profile
For the username claim I tested "username" and in another try "email"; it makes no difference, still 401.

Do I need to restart the whole node? Is there any way to debug this issue? I can't find anything in the logs.
 
No, it should work directly after installing it.
What error do you see in the journal when trying to connect?

Code:
pvedaemon[137919]: openid authentication failure; rhost=<redacted> msg=Failed to contact token endpoint: Request failed
`Failed to contact token endpoint` or something else?
 

Ah yes, and I fixed it. Error on my side: I reconfigured it and had used the key ID and not the secret for the secret. It works now.

Thank you.

Ps. Works on both, PVE and PBS.
 
It's fixed, but we now have a new problem:

Code:
OpenID login failed, please try again
Parameter verification failed. (400)

code: value may only be 1024 characters long.
 
I had the same issue when testing Azure AD and using the client secret ID instead of the actual client secret.
Make sure you have configured the secret, not its ID.
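The mistake that closed this thread, pasting the Azure "Secret ID" instead of the secret "Value" into the Client Key field, is easy to catch before a login attempt: the ID is a GUID and the value is not. The following is an added example, not code from this thread or from Proxmox: a Python sanity check over the realm settings named in the thread (issuer URL, client ID, client key, username claim, scopes, autocreate). The `OpenIdRealm` class and every sample value are hypothetical placeholders constructed for the example, and the checks are local heuristics, not a PVE API; the rules encoded are that Azure application IDs and secret IDs are GUIDs, Azure AD v2.0 issuers have the form https://login.microsoftonline.com/<tenant>/v2.0, and the OIDC `email` claim is only returned when the `email` scope is requested.

```python
import re
from dataclasses import dataclass, replace

# Azure AD shows a client secret as two columns, "Value" (the secret itself) and
# "Secret ID" (a GUID). Application (client) IDs are GUIDs too, so shape tells them apart.
GUID_RE = re.compile(r"^[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$")


@dataclass
class OpenIdRealm:
    """Hypothetical holder for the realm fields named in this thread; not a PVE API."""
    issuer_url: str
    client_id: str
    client_key: str          # the field PVE calls "Client Key", i.e. the client secret
    username_claim: str
    scopes: str = "email profile"
    autocreate: bool = False


def check_realm(realm):
    """Return a list of findings; an empty list means nothing obviously wrong."""
    findings = []
    if GUID_RE.match(realm.client_key.strip()):
        findings.append("client-key is a GUID: that is the Azure 'Secret ID', not the secret "
                        "'Value' (the mistake resolved in this thread)")
    if not GUID_RE.match(realm.client_id.strip()):
        findings.append("client-id is not a GUID; Azure 'Application (client) ID' values are GUIDs")
    if not realm.issuer_url.startswith("https://"):
        findings.append("issuer-url must be https")
    if ("login.microsoftonline.com" in realm.issuer_url
            and not realm.issuer_url.rstrip("/").endswith("/v2.0")):
        findings.append("issuer-url does not end in /v2.0; Azure AD v2.0 issuers look like "
                        "https://login.microsoftonline.com/<tenant>/v2.0")
    scope_set = set(realm.scopes.split())
    if realm.username_claim == "email" and "email" not in scope_set:
        findings.append("username-claim is 'email' but the 'email' scope is not requested, "
                        "so the ID token will not carry that claim")
    return findings


# Constructed placeholders: none of these are real tenants, apps or secrets.
TENANT = "11111111-2222-3333-4444-555555555555"
APP_ID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
SECRET_ID = "99999999-8888-7777-6666-555555555555"        # shape of the "Secret ID" column
SECRET_VALUE = "placeholder~secret.value-not-a-real-one"   # stands in for the "Value" column

# The configuration from the thread's resolution: Secret ID pasted as the secret.
WRONG = OpenIdRealm(
    issuer_url=f"https://login.microsoftonline.com/{TENANT}/v2.0",
    client_id=APP_ID,
    client_key=SECRET_ID,
    username_claim="email",
    scopes="email profile",
    autocreate=True,
)
# Same realm with the actual secret value in the Client Key field.
RIGHT = replace(WRONG, client_key=SECRET_VALUE)


if __name__ == "__main__":
    for name, realm in (("wrong", WRONG), ("right", RIGHT)):
        print(name, "->", check_realm(realm) or "no findings")
```

Run it against the values you are about to paste into the realm dialog rather than after a failed login: a wrong secret fails at the token endpoint, which is exactly the step PVE reports only as a generic authentication failure.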
 
