[SOLVED] Permissions/auth: OpenID, Azure AD, "OpenID redirect failed. Request failed (500)"

jco

Member
Dec 12, 2018
Hello,

(Beginner here)

I'm trying to add a new "realm" of authentication in Proxmox using Azure Active Directory (the "free" AD function that is provided by Microsoft when you have an account, in this case through an Office 365 Business licence).

I mostly followed this tutorial: https://www.reddit.com/r/Proxmox/comments/pqxu2o/proxmox_oidc_authentication_azure_ad/

For reference, the steps of the tutorial are:
Step 1 - Sign into Azure AD and click App Registrations.
Step 2 – Click New Registration add a name and one of your Proxmox Servers
Step 3 – Add all of your URL for your Proxmox Servers by clicking Add URI then Save.
Step 4 – Click Certificates & Secrets then New Client Secret you can specify when you want the secret to expire. Make sure you save the Secret under Value, we will need this later.
Step 5 – Click Overview, Copy the Client ID, then click Endpoints, Copy the OpenID Connect metadata document link and remove the /.well-known/openid-configuration part from the link, so you end up with something like this: https://login.microsoftonline.com/{Your Tenant ID}/v2.0
Step 6 – Go to Proxmox and Authentication – Add – OpenID Connect then add the values for Azure AD

Now sign out and sign in with your new Realm and you should be good to go. This should be pretty much the same if you’re using Okta, ADFS, or something else. I think the main thing you need to know is that Issuer URL is really looking for your OpenID Connect Metadata, and it’s auto appending /.well-known/openid-configuration to the URL so you don’t need to add it again.


Step 1 - Sign into Azure AD and click App Registrations


OK

Step 2 – Click New Registration add a name and one of your Proxmox Servers

In "authentication" tab in AAD, I added a "redirection URI" with the private address of the server: https://192.168.1.10:8006
Note: My pve node is not exposed to the internet, I access it through a VPN

Step 3 – Add all of your URL for your Proxmox Servers by clicking Add URI then Save

There is only one pve node

Step 4 – Click Certificates & Secrets then New Client Secret you can specify when you want the secret to expire. Make sure you save the Secret under Value, we will need this later

I created a new "client secret", which comes with the following information:
  • Description
  • Expiration date
  • Value (actual secret) Secr******************
  • Secret ID ghghghgh-xxxx-xxxx-xxxx-xxxxxxxxxxxx

Step 5 – Click Overview, Copy the Client ID

Here I have
  • Display name: Proxmox
  • application (client) ID: abababab-xxxx-xxxx-xxxx-xxxxxxxxxxxx
  • object ID: cdcdcdcd-xxxx-xxxx-xxxx-xxxxxxxxxxxx
  • directory (tenant) ID: efefefef-xxxx-xxxx-xxxx-xxxxxxxxxxxx

then click Endpoints, Copy the OpenID Connect metadata document link and remove the /.well-known/openid-configuration part from the link, so you end up with something like this: https://login.microsoftonline.com/{Your Tenant ID}/v2.0

Here I have: https://login.microsoftonline.com/e...xxxxxxx/v2.0/.well-known/openid-configuration

Step 6 – Go to Proxmox and Authentication – Add – OpenID Connect then add the values for Azure AD

In Proxmox, I input the following parameters:
(I also tried to input the OpenID link without the end "/.well-known..." but with no difference)

Now sign out and sign in with your new Realm and you should be good to go. This should be pretty much the same if you’re using Okta, ADFS, or something else. I think the main thing you need to know is that Issuer URL is really looking for your OpenID Connect Metadata, and it’s auto appending /.well-known/openid-configuration to the URL so you don’t need to add it again.

When trying to connect, I get the following error:
OpenID redirect failed. Request failed (500)

Questions:
  • Is my configuration correct? If not, does it come from the app registration in AAD or my inputs in Proxmox?
  • My server has a private address and is not reachable from the internet, is this an issue?
  • Any pointers?
Best regards,
 
Make sure you don't have `/.well-known/openid-configuration` at the end. It won't work if you append this.

Can you access the configuration via the issuer URL + /.well-known/openid-configuration? This should show lots of data in JSON format.
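The check suggested above can be scripted. The following is an added example, not code from Proxmox or from anyone in this thread: it lints the string you intend to put into the realm's Issuer URL field, builds the discovery URL the same way Proxmox does (by appending `/.well-known/openid-configuration`), loads the metadata, and compares its `issuer` field byte-for-byte against the configured value, which is the comparison behind the "unexpected issuer URI" 500 later in the thread. The tenant ID is a placeholder, the discovery document is a constructed, abridged stand-in shaped like Azure AD's v2.0 metadata, and `fake_azure` is an offline substitute for the real endpoint so the script runs without network access; swap in `fetch_discovery` (plain HTTPS GET) to test a real tenant.

```python
import json
import urllib.request

WELL_KNOWN = "/.well-known/openid-configuration"

# Constructed placeholder values; the real tenant ID comes from the app's Overview page.
SAMPLE_TENANT = "efefefef-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
SAMPLE_ISSUER = f"https://login.microsoftonline.com/{SAMPLE_TENANT}/v2.0"

# Constructed, abridged discovery document shaped like Azure AD's v2.0 metadata.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": SAMPLE_ISSUER,
    "authorization_endpoint": f"https://login.microsoftonline.com/{SAMPLE_TENANT}/oauth2/v2.0/authorize",
    "token_endpoint": f"https://login.microsoftonline.com/{SAMPLE_TENANT}/oauth2/v2.0/token",
    "jwks_uri": f"https://login.microsoftonline.com/{SAMPLE_TENANT}/discovery/v2.0/keys",
    "response_types_supported": ["code", "id_token", "code id_token"],
    "id_token_signing_alg_values_supported": ["RS256"],
})


def lint_issuer_url(url):
    """Static checks on the string typed into the realm's 'Issuer URL' field."""
    problems = []
    if not url.startswith("https://"):
        problems.append("Issuer URL must be https")
    if url.endswith(WELL_KNOWN):
        problems.append(f"remove the trailing {WELL_KNOWN}; Proxmox appends it itself")
    elif url.endswith("/"):
        problems.append("remove the trailing slash; it is compared against the provider's issuer string")
    return problems


def check_discovery(issuer, document_json):
    """Compare fetched metadata with the configured issuer, as a strict OIDC client does."""
    doc = json.loads(document_json)
    problems = []
    actual = doc.get("issuer")
    if actual != issuer:
        problems.append(f"unexpected issuer URI `{actual}` (expected `{issuer}`)")
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if key not in doc:
            problems.append(f"discovery document has no {key}")
    if "code" not in doc.get("response_types_supported", []):
        problems.append("provider does not advertise response_type=code")
    return problems


def fetch_discovery(url):
    """Default loader: plain HTTPS GET (assumes outbound internet from where you run this)."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read().decode("utf-8")


def check_issuer(issuer, loader=fetch_discovery):
    """Lint the value, then load <issuer>/.well-known/openid-configuration and compare."""
    problems = lint_issuer_url(issuer)
    url = issuer + WELL_KNOWN
    try:
        body = loader(url)
    except Exception as exc:  # network error, HTTP 4xx/5xx, unreadable body
        return problems + [f"could not load {url}: {exc}"]
    return problems + check_discovery(issuer, body)


def fake_azure(url):
    """Offline stand-in for Azure AD (constructed). Serves SAMPLE_DISCOVERY for the
    well-known path under SAMPLE_ISSUER and tolerates a doubled slash (an assumption
    made so the trailing-slash case reproduces the thread's error); anything else is a 404."""
    if url.endswith(WELL_KNOWN) and url[: -len(WELL_KNOWN)].rstrip("/") == SAMPLE_ISSUER:
        return SAMPLE_DISCOVERY
    raise RuntimeError("HTTP 404")


if __name__ == "__main__":
    # The three variants from this thread: correct, trailing slash, well-known suffix.
    for candidate in (SAMPLE_ISSUER, SAMPLE_ISSUER + "/", SAMPLE_ISSUER + WELL_KNOWN):
        result = check_issuer(candidate, fake_azure)
        print(candidate, "->", "OK" if not result else "; ".join(result))
```

Run it against the real tenant with `check_issuer("https://login.microsoftonline.com/<tenant-id>/v2.0")` from a host that can reach login.microsoftonline.com; an empty list means the value will pass Proxmox's issuer validation, and anything else is the message you would otherwise only see after the failed redirect.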
 
Hello,
Thank you for your reply.

Indeed, it was an issue with the "issuer URL".

It worked with https://login.microsoftonline.com/efefefef-xxxx-xxxx-xxxx-xxxxxxxxxxxx/v2.0

Note: there should be no "trailing slash". If you keep a trailing slash, you will get the following (rather confusing IMO) error:

OpenID redirect failed.
Validation error: unexpected issuer URI `https://login.microsoftonline.com/efefefef-xxxx-xxxx-xxxx-xxxxxxxxxxxx/v2.0` (expected `https://login.microsoftonline.com/efefefef-xxxx-xxxx-xxxx-xxxxxxxxxxxx/v2.0/`) (500)

Last question:
If the "autocreate user" option is checked, is there a way to automatically assign users to a specific group / role ?
 
No, it will only create the users. You have to set the groups/roles yourself.

Code:
Autocreate Users (autocreate): Automatically create users if they do not
exist. While authentication is done at the OpenID server, all users still need
an entry in the Proxmox VE user configuration. You can either add them manually, or
use the autocreate option to automatically add new users.
 
I used this guide to get Azure up and running on one instance. I need to apply it to a second instance. I added the second instance redirect URI to the app config in Azure AD and added the same known good realm data from the working instance to the new instance. The second instance is returning OpenID redirect failed. Request failed (500).
 
