goauthentik / authentik

The authentication glue you need.
https://goauthentik.io

AzureAD OAuth Source - Profile URL Reset #10020

Open ghost opened 3 months ago

ghost commented 3 months ago

Describe the bug: The profile URL on the AzureAD OAuth Source on Federation and Social login keeps resetting.

Manually set this to https://graph.microsoft.com/v1.0/me and a few hours later it will set itself to the value of https://graph.microsoft.com/oidc/userinfo

This then gives my users the error

Request to authenticate with AzureAD has been denied. Please authenticate with the source you've previously signed up with.

Setting the profile URL back to https://graph.microsoft.com/v1.0/me allows for authentication to continue

To Reproduce: Steps to reproduce the behavior:

  1. Go to Federation and Social Login, create an AzureAD OAuth Source with a profile URL of https://graph.microsoft.com/v1.0/me (the default). Set user matching mode to "Link to a user with an identical email address. Can have security implications when a source doesn't have a valid email address".
  2. Wait a couple of hours (less than 12 hours)
  3. Try to log in to Authentik using AzureAD as a connected source and receive Request to authenticate with AzureAD has been denied. Please authenticate with the source you've previously signed up with.
  4. Set profile URL in OAuth source back to https://graph.microsoft.com/v1.0/me and successfully complete login flow.

Expected behavior: Profile URL to stay as the inputted value.

Screenshots: AzureAD0, AzureAD1

Version and Deployment (please complete the following information):

ghost commented 3 months ago

After some debugging, it looks like it's the well-known URL that's resetting this back to https://graph.microsoft.com/oidc/userinfo as this is what's in the OIDC response on Microsoft's end.

When using https://graph.microsoft.com/oidc/userinfo and trying to match on email, I will get the "use the login method you previously used to sign up" message (or something to that effect).

I guess I'm hoping authentik can fully support the information given in the https://graph.microsoft.com/oidc/userinfo URL, but for now I'm going to leave the well-known URL blank and hope my Profile URL stays https://graph.microsoft.com/v1.0/me.
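A small audit script, added here as an example and not authentik's own code, that shows the drift described above: the tenant's well-known discovery document advertises `userinfo_endpoint` as https://graph.microsoft.com/oidc/userinfo, which differs from the configured https://graph.microsoft.com/v1.0/me, and the two endpoints return differently shaped payloads. The discovery document and profile responses are constructed samples, and it is an assumption that the source keys users on Graph's `id` and `mail`/`userPrincipalName` fields.

```python
import json

# Constructed sample: the subset of a tenant's OIDC discovery document that
# matters here. Field names follow Microsoft's published document; the values
# are placeholders, not captured data.
DISCOVERY_DOC = json.dumps({
    "issuer": "https://login.microsoftonline.com/<tenant-id>/v2.0",
    "authorization_endpoint": "https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/authorize",
    "token_endpoint": "https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/token",
    "userinfo_endpoint": "https://graph.microsoft.com/oidc/userinfo",
})

# Constructed samples of what each candidate profile endpoint returns for the
# same user: OIDC userinfo uses standard claim names, Graph /v1.0/me its own.
USERINFO_RESPONSE = {"sub": "<opaque-subject>", "name": "Jane Doe", "email": "jane@example.com"}
GRAPH_ME_RESPONSE = {
    "id": "<object-id>", "displayName": "Jane Doe",
    "mail": "jane@example.com", "userPrincipalName": "jane@example.com",
}


def discovery_overrides_profile_url(discovery_json: str, configured_profile_url: str):
    """Return the userinfo_endpoint that discovery advertises when it differs
    from the configured profile URL (the drift this issue describes), else None."""
    advertised = json.loads(discovery_json).get("userinfo_endpoint")
    if advertised and advertised != configured_profile_url:
        return advertised
    return None


def graph_identity(profile: dict):
    """(user id, email) as a Graph-shaped mapping would read them.
    Assumption: the source keys users on Graph's 'id' and 'mail'/'userPrincipalName'.
    An OIDC userinfo payload carries neither, so both come back None and an
    email-based match cannot succeed, which matches the denial error reported."""
    return profile.get("id"), profile.get("mail") or profile.get("userPrincipalName")


if __name__ == "__main__":
    configured = "https://graph.microsoft.com/v1.0/me"
    drift = discovery_overrides_profile_url(DISCOVERY_DOC, configured)
    if drift:
        print(f"WARNING: discovery advertises {drift}, configured profile URL is {configured}")
    for label, payload in (("graph /v1.0/me", GRAPH_ME_RESPONSE), ("oidc/userinfo", USERINFO_RESPONSE)):
        print(label, "->", graph_identity(payload))
```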

bsirayne commented 3 months ago

+1 on this issue. I'm also going to remove the well-known URL as a temp workaround while I do some more research.

mauznk commented 3 months ago

+1 for the issue. My colleague had the same issue on 2024.4.2. My instance is running on 2024.2.2 and doesn't have the issue. We upgraded now to 2024.6.0 to test if the issue persists.

ghost commented 3 months ago

I upgraded to 2024.6.0 earlier and created a new AzureAD profile. Whilst it didn't reset the profile URL (I deleted it not long after; I assume it would, though), I wasn't able to successfully log in.

ghost commented 3 months ago

FWIW, if it makes any difference, the URLs on my AzureAD social profiles have \common\ replaced with \<my tenant ID>\

authentik-automation[bot] commented 1 month ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

ghost commented 1 month ago

Bump