iFargle / headscale-webui

A simple Headscale web UI for small-scale deployments.

OIDC Azure AD - 401 Not Authorized #75

Open MrTinnysis opened 1 year ago

MrTinnysis commented 1 year ago

Thanks for your approach on a UI for headscale.

I tried to set up OIDC with Azure AD (like in the headscale OIDC example). After the login callback I get "401 Not Authorized", and in the log there is only "Token issued in the past". Do I need to whitelist the users somewhere?

iFargle commented 1 year ago

Sadly I have no experience with Azure AD. Are you getting the error in headscale-webui or in Azure? Can you post some logs from headscale-webui? (In DEBUG mode it dumps secrets, so be sure to either wipe those or use new ones after.)

iFargle commented 1 year ago

Also post your docker-compose.yml

MrTinnysis commented 1 year ago

I get the error from the /oidc_callback in headscale-webui - after the redirect from azure ad. docker-compose.yaml:

```yaml
version: '3'

services:
  headscale:
    container_name: headscale
    image: headscale/headscale
    restart: always
    environment:
      - LETSENCRYPT_HOST=<wiped host.domain.tdl>
      - VIRTUAL_HOST=<wiped host.domain.tdl>
      - VIRTUAL_PORT=8080
      - VIRTUAL_PATH=/
    volumes:
      - ./config:/etc/headscale
      - ./data:/var/lib/headscale
    entrypoint: headscale serve

  headscale-webui:
    container_name: headscale-webui
    image: ghcr.io/ifargle/headscale-webui
    environment:
      - LETSENCRYPT_HOST=<wiped host.domain.tdl>
      - VIRTUAL_HOST=<wiped host.domain.tdl>
      - VIRTUAL_PATH=/admin
      - VIRTUAL_PORT=5000
      - TZ=Europe/Zurich
      - HS_SERVER=https://<wiped host.domain.tdl>
      - DOMAIN_NAME=https://<wiped host.domain.tdl>
      - SCRIPT_NAME=/admin
      - KEY=<wiped key>
      - AUTH_TYPE=oidc
      - OIDC_AUTH_URL=https://login.microsoftonline.com/<wiped azure tenant id>/v2.0/.well-known/openid-configuration
      - OIDC_CLIENT_ID=<wiped client id>
      - OIDC_CLIENT_SECRET=<wiped secret>
      - LOG_LEVEL=Debug
    volumes:
      - ./webui:/data
      - ./config:/etc/headscale:ro
```

logs:

```
[2023-04-05 10:11:35 +0200] [1] [INFO] Starting gunicorn 20.1.0
[2023-04-05 10:11:35 +0200] [1] [INFO] Listening at: http://0.0.0.0:5000 (1)
[2023-04-05 10:11:35 +0200] [1] [INFO] Using worker: sync
[2023-04-05 10:11:35 +0200] [7] [INFO] Booting worker with pid: 7
[2023-04-05 10:11:36,131] INFO in server: Headscale-WebUI Version:  v0.6.1 / main
[2023-04-05 10:11:36,132] INFO in server: LOG LEVEL SET TO DEBUG
[2023-04-05 10:11:36,132] INFO in server: DEBUG STATE:  True
[2023-04-05 10:11:36,132] INFO in server: Loading OIDC libraries and configuring app...
[2023-04-05 10:11:36,304] DEBUG in server: JSON Dumps for OIDC_INFO:  {"token_endpoint": "https://login.microsoftonline.com/<wiped azure tenant id>/oauth2/v2.0/token", "token_endpoint_auth_methods_supported": ["client_secret_post", "private_key_jwt", "client_secret_basic"], "jwks_uri": "https://login.microsoftonline.com/<wiped azure tenant id>/discovery/v2.0/keys", "response_modes_supported": ["query", "fragment", "form_post"], "subject_types_supported": ["pairwise"], "id_token_signing_alg_values_supported": ["RS256"], "response_types_supported": ["code", "id_token", "code id_token", "id_token token"], "scopes_supported": ["openid", "profile", "email", "offline_access"], "issuer": "https://login.microsoftonline.com/<wiped azure tenant id>/v2.0", "request_uri_parameter_supported": false, "userinfo_endpoint": "https://graph.microsoft.com/oidc/userinfo", "authorization_endpoint": "https://login.microsoftonline.com/<wiped azure tenant id>/oauth2/v2.0/authorize", "device_authorization_endpoint": "https://login.microsoftonline.com/<wiped azure tenant id>/oauth2/v2.0/devicecode", "http_logout_supported": true, "frontchannel_logout_supported": true, "end_session_endpoint": "https://login.microsoftonline.com/<wiped azure tenant id>/oauth2/v2.0/logout", "claims_supported": ["sub", "iss", "cloud_instance_name", "cloud_instance_host_name", "cloud_graph_host_name", "msgraph_host", "aud", "exp", "iat", "auth_time", "acr", "nonce", "preferred_username", "name", "tid", "ver", "at_hash", "c_hash", "email"], "kerberos_endpoint": "https://login.microsoftonline.com/<wiped azure tenant id>/kerberos", "tenant_region_scope": "EU", "cloud_instance_name": "microsoftonline.com", "cloud_graph_host_name": "graph.windows.net", "msgraph_host": "graph.microsoft.com", "rbac_url": "https://pas.windows.net"}
[2023-04-05 10:11:36,305] DEBUG in server: Client Secrets:
[2023-04-05 10:11:36,306] DEBUG in server: /app/instances/secrets.json:
[2023-04-05 10:11:36,306] DEBUG in server: {"web": {"issuer": "https://login.microsoftonline.com/<wiped azure tenant id>/v2.0", "auth_uri": "https://login.microsoftonline.com/<wiped azure tenant id>/oauth2/v2.0/authorize", "client_id": "<wiped client id>", "client_secret": "<wiped secret>", "redirect_uris": ["https://<wiped host.domain.tdl>/admin/oidc_callback"], "userinfo_uri": "https://graph.microsoft.com/oidc/userinfo", "token_uri": "https://login.microsoftonline.com/<wiped azure tenant id>/oauth2/v2.0/token"}}
Token issued in the past
```

iFargle commented 1 year ago

https://github.com/puiterwijk/flask-oidc/blob/7f16e27b926fc12953d6b2ae78a9b9cc9b8d1769/flask_oidc/__init__.py#L646

Seems like it's caused by your time being out of sync. Is your server time in sync "enough" with Microsoft's?

MrTinnysis commented 1 year ago

I guess so. The docker container runs on an Azure VM and its time seems in sync. However, the container time is timezoned... The time of the OIDC endpoint can't be verified by me.

iFargle commented 1 year ago

There is a clock-skew config we can pass to the oidc library. I'll try that once the changes being worked on are settled.
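To make the clock-skew explanation above concrete, here is an added Python example written for this thread; it is not code from headscale-webui or flask-oidc. It validates the time claims of an ID token (`iat`, `nbf`, `exp`) against the verifier's clock with a bounded tolerance, in the same spirit as the clock-skew setting mentioned above. Claim values are epoch seconds, so the container's configured time zone cannot cause the failure; only the offset between the verifier's clock and the identity provider's clock can. The function names, the 60-second leeway and the 300-second freshness window are assumptions, and the input claims are constructed.

```python
import time
from typing import Mapping, Optional, Tuple

# Added illustration, not code from headscale-webui or flask-oidc.
# OIDC time claims are epoch seconds (UTC by definition), so TZ settings
# do not matter; the difference between the two clocks does, and that is
# absorbed by a small, bounded leeway. Keep the leeway small: a very wide
# tolerance also widens the window in which an old token is still accepted.

DEFAULT_LEEWAY = 60    # seconds of clock skew tolerated (assumed value)
DEFAULT_MAX_AGE = 300  # how old a just-issued ID token may be (assumed value)


def check_time_claims(claims: Mapping[str, int],
                      now: Optional[float] = None,
                      leeway: int = DEFAULT_LEEWAY,
                      max_age: int = DEFAULT_MAX_AGE) -> Tuple[bool, str]:
    """Validate iat / nbf / exp against `now` with `leeway` seconds of slack.

    Returns (True, "ok") or (False, reason). The reasons describe which
    direction a clock would have to be off to produce them.
    """
    now = time.time() if now is None else now
    for name in ("iat", "exp"):
        if name not in claims:
            return False, f"missing required claim {name}"

    # Verifier clock behind the IdP: the token appears to come from the future.
    if claims["iat"] > now + leeway:
        return False, "token issued in the future"

    # Genuinely stale token, or verifier clock far ahead of the IdP.
    if claims["exp"] < now - leeway:
        return False, "token expired"

    if "nbf" in claims and claims["nbf"] > now + leeway:
        return False, "token not yet valid"

    # Freshness window: a token received straight from the callback should
    # have been issued moments ago. A verifier clock ahead of the IdP makes a
    # fresh token look older than it is and trips this check.
    if claims["iat"] < now - max_age - leeway:
        return False, "token issued in the past"

    return True, "ok"


def estimate_skew(claims: Mapping[str, int], now: Optional[float] = None) -> float:
    """Local clock minus IdP clock, estimated from a token received right
    after issuance. A large value points at fixing NTP on the host rather
    than widening the leeway."""
    now = time.time() if now is None else now
    return now - claims["iat"]


if __name__ == "__main__":
    # Constructed claims: issued at t=1000, valid for one hour.
    token = {"iat": 1000, "nbf": 1000, "exp": 4600}
    print(check_time_claims(token, now=1000))                       # (True, 'ok')
    print(check_time_claims(token, now=1030, leeway=0, max_age=0))  # (False, 'token issued in the past')
    print(check_time_claims(token, now=1030, leeway=60, max_age=0)) # (True, 'ok')
    print(check_time_claims(token, now=990, leeway=0))              # (False, 'token issued in the future')
    print(check_time_claims(token, now=5000, leeway=60))            # (False, 'token expired')
    print(estimate_skew(token, now=1030))                           # 30.0
```

The second and third calls show the situation from this thread: a verifier whose clock is 30 seconds ahead of the IdP rejects a perfectly fresh token with no tolerance and accepts it once a 60-second leeway is allowed. `estimate_skew` is the check worth running before raising any tolerance: if the offset is consistently large, the host clock is the thing to fix.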

MrTinnysis commented 1 year ago

> There is a clock-skew config we can pass to the oidc library. I'll try that once the changes being worked on are settled.

I did this and made you #112