hashicorp / boundary

Boundary enables identity-based access management for dynamic infrastructure.
https://boundaryproject.io

OIDC Auth Method with Azure AD not working after upgrading to newest Boundary #5034

Closed michaeljluo closed 2 months ago

michaeljluo commented 2 months ago

Describe the bug

Hello, I am trying to upgrade my boundary version from 0.16.0 to 0.17.0. I merged updated code from the boundary repo, and ran commands to migrate the boundary postgres database to the new version. So far everything is functional except for logging in with the OIDC auth method. I'm using an auth method with Azure Active Directory as my IDP and it produces this error whenever I try to log in:

Error

Could not authenticate

Something went wrong while authenticating. Please close this window and try again. If the problem persists, notify your administrator.

link:

...authentication-error?error=%7B%22kind%22%3A%22Internal%22%2C%22message%22%3A%22authmethod_service.%28Service%29.authenticateOidcCallback%3A+Callback+validation+failed.%3A+parameter+violation%3A+error+%23100%3A+oidc.Callback%3A+unable+to+get+user+info+from+provider%3A+unknown%3A+error+%230%3A+Provider.UserInfo%3A+provider+UserInfo+request+failed%3A+Get+%5C%22https%3A%2F%2Fgraph.microsoft.com%2Foidc%2Fuserinfo%5C%22%3A+EOF%22%7D

To Reproduce

Steps to reproduce the behavior:

  1. Current Boundary Version: 0.16.0 running in K8s
  2. Ran database migrate from hashicorp/boundary:0.17 - DB Migration completed successfully
  3. Started the controller pods w/ boundary:0.17 – Running
  4. For existing (and new) OIDC auth setups (OIDC set up for the Azure IdP), login fails with this error

Expected behavior

The login should pull identity information from Azure AD and authenticate me correctly.

Additional context

The Azure AD application registration we used is working fine with 0.16.0 version of boundary.

michaeljluo commented 2 months ago

Also, I am trying to revert the postgres database schema to version 0.16.0. Can I use the repair flag detailed here to do this (link)? What parameter value do I pass in with this flag to downgrade the schema to the 0.16.0 release?

moduli commented 2 months ago

Hi! We're trying to reproduce this error, but we haven't been successful so far.

Is there anything special set up in your app registration? We're trying to understand what the difference is with our setups. We're largely following the steps outlined here: https://developer.hashicorp.com/boundary/tutorials/identity-management/oidc-azure

moduli commented 2 months ago

> Also, I am trying to revert the postgres database schema to version 0.16.0. Can I use the repair flag detailed here to do this (link)? What parameter value do I pass in with this flag to downgrade the schema to the 0.16.0 release?

I don't believe there's a way to downgrade a database. It is recommended to do a backup of the database prior to the upgrade so that you're able to restore it later, if needed.

michaeljluo commented 2 months ago

Realized this was a local issue on my end. Resolved now. Appreciate the help though.