Najdorf.1-3 - OIDC with ADFS - oidc_retrieve_claims_from_userinfo_endpoint fails

[marcel-kondermann]

Hi all,

I'm running the ManageIQ Operator (Najdorf-1.3) on a Ubuntu Microk8s Kubernetes 1.20 environment.

I configured Authentication with openid-connect, where an ADFS Instance serves as the Authentication Provider. See the below (anonymized) specification of the ManageIQ:

apiVersion: manageiq.org/v1alpha1
kind: ManageIQ
metadata:
  name: myName
  namespace: manageiq
spec:
  applicationDomain: myapplicationDomain
  httpdAuthenticationType: openid-connect
  oidcProviderURL: https://myURL/adfs/.well-known/openid-configuration
  oidcAuthIntrospectionURL: https://myURL/adfs/oauth2/token
  oidcClientSecret: miq-adfs-secret
  oidcCaCertSecret: oidc-cacert-secret
  #enableSSO: true
  enableApplicationLocalLogin: true
  httpdAuthenticationType: openid-connect
  imagePullSecret: myimagePullSecret
  memcachedImage: myImageReg/manageiq-memcached:1.5
  orchestratorImage: myImageReg/manageiq-orchestrator:najdorf-1.3
  httpdImage: myImageReg/manageiq/httpd:2
  postgresqlImage: myImageReg/manageiq-postgresql:10.19
  uiWorkerImage: myImageReg/manageiq-ui-worker:najdorf-1.3
  webserverWorkerImage:  myImageReg/manageiq-webserver-worker:najdorf-1.3
  baseWorkerImage: myImageReg/manageiq-base-worker:najdorf-1.3
  databaseVolumeCapacity: 10Gi
  storageClassName: microk8s-hostpath
  tlsSecret: mytlsSecret

In ManageIQ the according group has been created and given a role. The group-name is exactly the same as in ADFS/AD.

When I try to login via the blue 'Login to corporate System' Button in the ManageIQ UI, the User (member of the MIQ- as well as the AD-Group) is getting signed in successfully but automatically getting logged out as well (Immediately).

The according Error Message in the STDOUT of the httpd-Pod of ManageIQ is like this:

_[Tue Mar 14 10:17:16.751279 2023] [auth_openidc:error] [pid 14:tid 140137014990592] [client ipaddress:port] oidc_retrieve_claims_from_userinfoendpoint: resolving user info claims with the existing/provided access token failed, nothing will be stored in the session, referer: https://url/

In ADFS we are getting the below logs.

The session cookies were successfully deleted using the OAuth logout path : Event ID 552 The specified redirect URL was validated successfully. URL: https://myURL : Event: 553

We cross-checked the whole authentication-part of the configuration and we are quite sure that everything is ok there (secrets, certifications etc.) So we assume that the OIDC-Claim/-Assertion is blocking us.

We specified the Claim on ADFS side according this documentation https://www.manageiq.org/docs/reference/latest/auth/openid_connect.html - where we tried to map the Keycloak Specifications to ADFS. So the claim at ADFS side is looking like this:

 username
 email
 firstname
 lastname
 fullname
 groups

Do you have an idea why we still fail?

Thanks for your input and support!

Best regards, Marcel.

[kbrock]

Hello Marcel,

The documentation that you linked is for the Appliance (useful in a vm environment). This should be generally useful for both appliances and pods.

Since you are using kubernetes, I would guess that you are running a container/pod environment. Have you gotten the chance to look at the documentation specific to containers?

There are just so many configuration combinations that I'm not sure how well tested the ActiveDirectory configuration is with pods.

There are a lot of moving parts, and the apache oidc connector requires special privileges to connect to sssd over DBUS. This is normal when you are setting up apache on a linux box, but a little strange in the podified world as the goal is to not grant any special privileges.

[Fryguy]

Please also take a look at https://www.manageiq.org/blog/2020/09/troubleshooting-containerized-oidc/ and https://www.manageiq.org/blog/tags/tutorials/ for more troubleshooting tips.

[marcel-kondermann]

Hello Keenan,

Thanks a lot for your input!

Regarding our testing with OIDC and ADFS (in fact it's not Active Directory but ADFS, which sits between ManageIQ and Active Directory) we are one step further in the meantime.

We now can say that the specific ADFS-Instance doesn't provide an Introspection-URL at all. This leads us to the question if MangeIQ supports a setup where the OIDC-Authentication Provider (ADFS in this case) doesn't provide such a Introspection-URL? Or if ManageIQ is only able to work with an existing one? See according error in the operator-log when no Introspection-URL is found:

_{"level":"info","ts":1679930050.170085,"logger":"controller_manageiq","msg":"Reconciling the HTTPD resources..."} {"level":"error","ts":1679930050.304293,"logger":"controller-runtime.controller","msg":"Reconciler error","controller":"manageiq-controller","request":"manageiq/miq","error":"failed to get the OIDCOAuthIntrospectionURL from https://url/adfs/.well-known/openid-configuration - introspectionendpoint is missing from the Provider metadata","stacktrace":"sigs.k8s.io/controller-runtime/pkg/internal/controller.(Controller).reconcileHandler\n\t/root/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.6.0/pkg/internal/controller/controller.go:258\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(Controller).processNextWorkItem\n\t/root/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.6.0/pkg/internal/controller/controller.go:232\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).worker\n\t/root/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.6.0/pkg/internal/controller/controller.go:211\nk8s.io/apimachinery/pkg/util/wait.BackoffUntil.func1\n\t/root/go/pkg/mod/k8s.io/apimachinery@v0.18.3/pkg/util/wait/wait.go:155\nk8s.io/apimachinery/pkg/util/wait.BackoffUntil\n\t/root/go/pkg/mod/k8s.io/apimachinery@v0.18.3/pkg/util/wait/wait.go:156\nk8s.io/apimachinery/pkg/util/wait.JitterUntil\n\t/root/go/pkg/mod/k8s.io/apimachinery@v0.18.3/pkg/util/wait/wait.go:133\nk8s.io/apimachinery/pkg/util/wait.Until\n\t/root/go/pkg/mod/k8s.io/apimachinery@v0.18.3/pkg/util/wait/wait.go:90"}

We also checked the documentation that you provided to configure alternate authentication types. Is that maybe a misunderstanding? Because we do not intend to configure the apache oidc connector to go over sssd - Since that would lead to LDAP as the user account database - wheragainst we intend to use ADFS.

Thanks and best regards, Marcel.

[marcel-kondermann]

Hello Jason,

Also, Thanks a lot for your input!

In addition to what we tried based on Keenans input, we also set up a second scenario:

• Configure MIQ to use "oidcAuthIntrospectionURL: https://myURL/adfs/oauth2/token" .... which makes no sense as our ADFS experts say because there is no such URL, but at least MIQ comes up
• executed the 'OpenID-Connect Provider Accessible'-Check from your troubleshooting guide .. result is:

Steps 1 and 2 provide us a access-token. But Step 4 gives us this output:

_> { [5 bytes data]

• TLSv1.3 (IN), TLS handshake, Newsession Ticket (4): { [57 bytes data]
• TLSv1.3 (IN), TLS handshake, Newsession Ticket (4): { [57 bytes data]
• old SSL session ID is stale, removing { [5 bytes data]
• Connection state changed (MAX_CONCURRENT_STREAMS == 128)! } [5 bytes data] < HTTP/2 401 < date: Mon, 27 Mar 2023 10:03:37 GMT < content-type: text/html; charset=iso-8859-1 < content-length: 381 < www-authenticate: Bearer realm="External Authentication (oauth20) for API", error="invalid_token", error_description="Reference token could not be introspected" < strict-transport-security: max-age=15724800; includeSubDomains < { [381 bytes data] 100 381 100 381 0 0 904 0 --:--:-- --:--:-- --:--:-- 904
• Connection #0 to host myurl left intact parse error: Invalid numeric literal at line 1, column 10_

So conclusion would be:

• we get back a valid JWT-Token from the ADFS (if we decode it, the content makes pretty much sense).
• so first we thought, that the claim might be wrong. but we checked that and it doesn't seem to be the case

Does that lead us any further?

Thanks and best regards, Marcel.

[marcel-kondermann]

Hello again everyone,

may I emphasize this question again (see above):

" ... We now can say that the specific ADFS-Instance doesn't provide an Introspection-URL at all. This leads us to the question if MangeIQ supports a setup where the OIDC-Authentication Provider (ADFS in this case) doesn't provide such a Introspection-URL? ... "

For us it's currently the main qeustion. Can it be answered from a MIQ design perspective?

Thanks a lot and best regards, Marcel.