[SOLVED] OpenID redirect failed. Validation error: unexpected issuer URI

[omen]

My workplace has used CAS for web SSO for many, many years now. In they last couple years they added OIDC, but they added the discovery URL down a couple levels from the top: /cas/oidc/.well-known/openid-configuration. I put https://cas.ucdavis.edu/cas/oidc in for the issuer URL, but I get the error below:

OpenID redirect failed.
Validation error: unexpected issuer URI `https://cas.ucdavis.edu/` (expected `https://cas.ucdavis.edu/cas/oidc`) (500)

If I use pretty much anything else I get a HTTP status code 404. Our authentication expert is on vacation for a week, so I thought I would check here first. Does anyone know if this is a mis-configuration on my end, or does Proxmox require the discovery to live at the root of the web server?

Thank you,
Omen

 

[dietmar]

Please can you post the output of:

# grep issuer-url /etc/proxmox-backup/domains.cfg

 

[omen]

Here it is:

root@proxmox2:/usr/share/perl5# grep issuer-url /etc/pve/domains.cfg
    issuer-url https://cas.ucdavis.edu/cas/oidc

 

[dietmar]

Digging into the code, I can see the our OIDC library expect `https://cas.ucdavis.edu/cas/oidc` in the discovery response, but you server returns `https://cas.ucdavis.edu/`. Not sure if CAS allows you to configure that?

 

[dietmar]

I guess you need to change the issuer property in the LL::NG configuration ...

​

 

[omen]

CAS is a centrally run service and I am just one user of hundreds, so I really doubt it. Also, if they changed it, it would likely break other existing users of the service.

Our entire response is actually publicly available (https://cas.ucdavis.edu/cas/oidc/.well-known/openid-configuration) and I see that "issuer":"https://cas.ucdavis.edu" is in there. Is that likely the place that is breaking your code? Is there a reason you require the full URI, not just the domain to match?

 

[dietmar]

The author consider this a security flaw, see

https://github.com/ramosbugs/openidconnect-rs/issues/38

 

[omen]

Thanks for the pointer, and the comment to that bug. I will follow along and see what they say. I will also check with my CAS administrators when they are back from vacation to see what they say.

 

[dietmar]

The OpenID spec states: https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfig

OpenID Providers supporting Discovery MUST make a JSON document available at the path formed by concatenating the string /.well-known/openid-configuration to the Issuer.

So IMHO your server does not conform to the standard.

 

[omen]

Thank you for the pointer to the spec. That will help in my discussion with the service owners. I am hoping they can just make /.well-known/openid-configuration work, which I think should not break any other users of the service, and should make it work with Proxmox.

 

[dietmar]

Thank you for the pointer to the spec. That will help in my discussion with the service owners. I am hoping they can just make /.well-known/openid-configuration work, which I think should not break any other users of the service, and should make it work with Proxmox.

Yes, that would be a reasonable fix.

 

[omen]

I contacted the service owner, and they are changing the service to meet the spec. I tested on their dev instance and it works great, so problem solved. Thank you for your help.