OpenID redirect failed with Ipsilon idp

darknao

Mar 19, 2022
Hello,

I'm trying to set up OpenID Connect authentication with Ipsilon idp, but no luck so far...

When trying to login, I get the following error:
Code:
OpenID redirect failed.
Failed to parse server response (500)

I found nothing in proxmox logs, and in the ipsilon logs, the only request I got from proxmox is:
"GET /idp/openidc/.well-known/openid-configuration HTTP/1.1"

So I'm assuming something in this response is making proxmox unhappy.

Do you have any idea on what's missing/incorrect in my configuration?

my domains.cfg:
Code:
openid: ipsilon
        client-id redacted
        issuer-url https://id.int.drkn.ninja/idp/openidc
        client-key redacted
        autocreate 1
        default 0
        username-claim username

And the JSON returned by https://id.int.drkn.ninja/idp/openidc/.well-known/openid-configuration (this is an internal domain):
JSON:
{
  "issuer": "https://id.int.drkn.ninja/idp/openidc/",
  "authorization_endpoint": "https://id.int.drkn.ninja/idp/openidc/Authorization",
  "token_endpoint": "https://id.int.drkn.ninja/idp/openidc/Token",
  "userinfo_endpoint": "https://id.int.drkn.ninja/idp/openidc/UserInfo",
  "jwks_uri": "https://id.int.drkn.ninja/idp/openidc/Jwks",
  "scopes_supported": [
    "openid",
    "profile",
    "email",
    "address",
    "phone"
  ],
  "response_types_supported": [
    "code",
    "id_token",
    "token",
    "token id_token"
  ],
  "response_modes_supported": [
    "query",
    "fragment",
    "form_post",
    "none"
  ],
  "grant_types_supported": [
    "authorization_code",
    "implicit",
    "refresh_token"
  ],
  "acr_values_supported": [
    "0"
  ],
  "subject_types_supported": [
    "pairwise",
    "public"
  ],
  "id_token_signing_alg_values_supported": [
    "RS256"
  ],
  "id_token_encryption_alg_values_supported": [],
  "id_token_encryption_enc_values_supported": [],
  "userinfo_signing_alg_values_supported": [
    "RS256"
  ],
  "userinfo_encryption_alg_values_supported": [],
  "userinfo_encryption_enc_values_supported": [],
  "request_object_signing_alg_values_supported": [
    "HS256",
    "HS384",
    "HS512",
    "RS256",
    "RS384",
    "RS512",
    "ES256",
    "ES384",
    "ES512",
    "PS256",
    "PS384",
    "PS512",
    "EdDSA",
    "ES256K",
    "none"
  ],
  "request_object_encryption_alg_values_supported": [],
  "request_object_encryption_enc_values_supported": [],
  "token_endpoint_auth_methods_supported": [
    "client_secret_basic",
    "client_secret_post"
  ],
  "token_endpoint_auth_signing_alg_values_supported": [
    "RS256"
  ],
  "display_values_supported": [
    "page",
    "popup"
  ],
  "claim_types_supported": [
    "normal"
  ],
  "claims_supported": [
    "sub",
    "name",
    "given_name",
    "family_name",
    "middle_name",
    "nickname",
    "preferred_username",
    "profile",
    "picture",
    "website",
    "email",
    "email_verified",
    "gender",
    "birthdate",
    "zoneinfo",
    "locale",
    "phone_number",
    "phone_number_verified",
    "address",
    "updated_at"
  ],
  "service_documentation": "https://ipsilonproject.org/doc/openidc/",
  "ui_locales_supported": [
    "en"
  ],
  "claims_parameter_supported": true,
  "request_parameter_supported": true,
  "request_uri_parameter_supported": true,
  "require_request_uri_registration": false,
  "op_policy_uri": "http://www.example.com/",
  "op_tos_uri": "http://www.example.com/",
  "registration_endpoint": "https://id.int.drkn.ninja/idp/openidc/Registration"
}
 
It seems some option is either missing or contains something that leads to the parse error by openidconnect-rs, which is used by proxmox-openid-rs.
I'm currently comparing your config to one of my test-instance configs (lemonldap-ng).

It looks like this:
Code:
{
  "acr_values_supported": [
    "loa-4",
    "loa-2",
    "loa-3",
    "loa-1",
    "loa-5"
  ],
  "authorization_endpoint": "http://auth.example.com/oauth2/authorize",
  "backchannel_logout_session_supported": false,
  "backchannel_logout_supported": false,
  "claims_supported": [
    "sub",
    "iss",
    "auth_time",
    "acr"
  ],
  "code_challenge_methods_supported": [
    "plain",
    "S256"
  ],
  "end_session_endpoint": "http://auth.example.com/oauth2/logout",
  "frontchannel_logout_session_supported": true,
  "frontchannel_logout_supported": true,
  "grant_types_supported": [
    "authorization_code"
  ],
  "id_token_signing_alg_values_supported": [
    "none",
    "HS256",
    "HS384",
    "HS512",
    "RS256",
    "RS384",
    "RS512"
  ],
  "introspection_endpoint": "http://auth.example.com/oauth2/introspect",
  "introspection_endpoint_auth_methods_supported": [
    "client_secret_post",
    "client_secret_basic"
  ],
  "issuer": "http://auth.example.com",
  "jwks_uri": "http://auth.example.com/oauth2/jwks",
  "request_parameter_supported": true,
  "request_uri_parameter_supported": true,
  "require_request_uri_registration": false,
  "response_types_supported": [
    "code"
  ],
  "scopes_supported": [
    "openid",
    "profile",
    "email",
    "address",
    "phone"
  ],
  "subject_types_supported": [
    "public"
  ],
  "token_endpoint": "http://auth.example.com/oauth2/token",
  "token_endpoint_auth_methods_supported": [
    "client_secret_post",
    "client_secret_basic"
  ],
  "userinfo_endpoint": "http://auth.example.com/oauth2/userinfo",
  "userinfo_signing_alg_values_supported": [
    "none",
    "HS256",
    "HS384",
    "HS512",
    "RS256",
    "RS384",
    "RS512"
  ]
}
 
I've done some digging, and it seems to be related to these specific algorithms in request_object_signing_alg_values_supported:
JSON:
"EdDSA",
"ES256K",
 
In Fedora 37 that list is populated by jwcrypto, which uses other names; I'm trying to disable these two with trial and error.

That said, shouldn't an unsupported algo just be ignored and not cause the whole thing to not work?
 
My solution was probably the ugliest possible :/
I added some list filtering logic in auth.py, but really the OpenIDC client should not choke on being offered an algorithm it does not know; it should just ignore that.

Also note that you need to restart httpd for changes to source to take effect (I assume some memcache, didn't have time to look at that seriously).
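To make the failure mode in this thread concrete, here is an added Python example (not Ipsilon's auth.py and not Proxmox code) that checks a discovery document for algorithm names outside the RFC 7518 JWS set and produces a filtered copy, the same kind of list filtering described above. The sample document is constructed from the values quoted in this thread with a placeholder issuer; the "known" set is an assumption about what a strict client accepts and should be adjusted for the client you actually run.

```python
import json

# JWS algorithms registered by RFC 7518. The two names that tripped the
# client in this thread, EdDSA (RFC 8037) and ES256K (RFC 8812), are
# outside this set. Assumption: a strict client accepts exactly this list.
RFC7518_ALGS = frozenset({
    "HS256", "HS384", "HS512",
    "RS256", "RS384", "RS512",
    "ES256", "ES384", "ES512",
    "PS256", "PS384", "PS512",
    "none",
})

# Discovery keys whose value is a list of JWS algorithm names.
ALG_LIST_KEYS = (
    "id_token_signing_alg_values_supported",
    "userinfo_signing_alg_values_supported",
    "request_object_signing_alg_values_supported",
    "token_endpoint_auth_signing_alg_values_supported",
)

def unknown_algs(doc, known=RFC7518_ALGS):
    """Map each alg-list key to the names a strict client would not recognise."""
    return {
        key: [alg for alg in doc.get(key, []) if alg not in known]
        for key in ALG_LIST_KEYS
        if any(alg not in known for alg in doc.get(key, []))
    }

def filter_discovery(doc, known=RFC7518_ALGS):
    """Return a copy of the discovery document with unknown algs removed."""
    cleaned = dict(doc)  # shallow copy; the caller's document is left untouched
    for key in ALG_LIST_KEYS:
        if key in cleaned:
            cleaned[key] = [alg for alg in cleaned[key] if alg in known]
    return cleaned

# Constructed sample: the Ipsilon lists from this thread, trimmed, with a
# placeholder issuer instead of the poster's internal domain.
SAMPLE_DISCOVERY = json.loads("""{
  "issuer": "https://idp.example.test/idp/openidc/",
  "id_token_signing_alg_values_supported": ["RS256"],
  "request_object_signing_alg_values_supported": [
    "HS256", "RS256", "ES256", "PS256", "EdDSA", "ES256K", "none"
  ]
}""")

if __name__ == "__main__":
    print(json.dumps(unknown_algs(SAMPLE_DISCOVERY), indent=2))
    print(json.dumps(filter_discovery(SAMPLE_DISCOVERY), indent=2))
```

Running unknown_algs against a provider's real metadata tells you in advance which lists a strict client will reject; filtering on the provider side, as done in auth.py above, is a workaround that hides capabilities from every client, so the tolerant-client fix the thread argues for remains the right long-term one.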