inventree / InvenTree

Open Source Inventory Management System
https://docs.inventree.org
MIT License

Microsoft SSO fails with "Sign up is currently closed." #5866

Closed mittkkoo closed 8 months ago

mittkkoo commented 10 months ago

Please verify that this bug has NOT been raised before.

Describe the bug*

I configured SSO with single-tenant Azure AD (Microsoft) as described in the docs

This is in config.yaml:

# Add SSO login-backends (see examples below)
social_backends:
  - 'allauth.socialaccount.providers.microsoft'

social_providers:
  microsoft:
    TENANT: 'copied from https://entra.microsoft.com/#view/Microsoft_AAD_IAM/TenantOverview.ReactView'

This is the Settings / Login screen:

image

The button Microsoft Graph appears on the login screen and the Microsoft process is started, but afterwards inventree reports "Sign up is currently closed."

Steps to Reproduce

  1. Setup Microsoft SSO as in the docs
  2. Add a social application through the UI
  3. Change Settings / Login as in the screenshot

Expected behaviour

Expect SSO to work.

Deployment Method

Version Information

Version Information:

InvenTree-Version: 0.12.8
Django Version: 3.2.19
Commit Hash: a7487ff8
Commit Date: None
Commit Branch: stable
Database: postgresql
Debug-Mode: False
Deployed using Docker: False
Platform: Linux-5.4.0-166-generic-x86_64-with-glibc2.31
Installer: PKG
Target: ubuntu:20.04
Active plugins: [{'name': 'InvenTreeBarcode', 'slug': 'inventreebarcode', 'version': '2.0.0'}, {'name': 'InvenTreeCoreNotificationsPlugin', 'slug': 'inventreecorenotificationsplugin', 'version': '1.0.0'}]

Please verify if you can reproduce this bug on the demo site.

Relevant log output

No response

SchrodingersGat commented 10 months ago

Can you share a (redacted) screenshot of the SSO application you setup in the admin interface? Ensure that the name of the application is microsoft (case sensitive)

mittkkoo commented 10 months ago

Yes, microsoft image Client ID is from https://portal.azure.com/#view/Microsoft_AAD_RegisteredApps/ApplicationsListBlade -> "Application (client) ID" Secret key from the same place -> Client credentials -> Client secrets -> Value

SchrodingersGat commented 10 months ago

I am assuming that the tenant value in your config file is not actually the literal value that you pasted in your example:

social_providers:
  microsoft:
    TENANT: 'copied from https://entra.microsoft.com/#view/Microsoft_AAD_IAM/TenantOverview.ReactView'

mittkkoo commented 10 months ago

No, it is a long code 32 digits and letters with 4 - between and I put it inside ' '. Thought this is the uuid of the tenant...

mittkkoo commented 10 months ago

I discovered this approach to setup the application, which differs from mine above. The setting is like this: image

With this again the authentication process of Microsoft is started and afterwards inventree reports a different error: "Account Login Failure Contact your system administrator for further information."

And this is actually the same screen that I can access at https://inventree.domain.com/accounts/microsoft/login/callback/ and that I entered as Redirect URI in the Application on Microsoft's side. Update: OK, in both cases the error is shown on the callback URL, the errors are just different.

SchrodingersGat commented 10 months ago

Is your InvenTree setup behind a proxy? The headers for the request must be forwarded correctly, so that it is https://inventree.domain.com... and not https://xxx.xxx.xxx.xxx/...

SchrodingersGat commented 10 months ago

Additionally, are there any error logs available in the database after the login attempt? Or any log messages from the InvenTree server instance?

SchrodingersGat commented 10 months ago

You also might want to look into the value you have put into TENANT.

According to the django-allauth docs and our docs it looks like it should be set to organizations (potentially)

mittkkoo commented 10 months ago

The request headers are all with the domain as far as I can see with the browser. In error reports in the UI there is nothing, nginx reports no errors also. As far as I could understand from config.yaml and settings.py I can increase the log level to see more logs, but still didn't try that. In config.yaml I also tried with organizations, but no difference. The docs of allauth are not helping much. Django is 3.2.19 and allauth 0.54. Putting all settings in settings.py seems not to work. I tried, but inventree won't run afterwards.

matmair commented 10 months ago

This could very well be a problem in the OAuth settings on either side - maybe check with a tracer extension if Microsoft even returns data and not only an error code. We are just consuming the upstream library so it is a bit difficult to debug without the exact setup in front of us. As a simpler test you can try adding GitHub as a SSO option - that is a very simple provider and validates that the problem is not your setup per se.

belotv commented 9 months ago

I think there is a real need to update the django-allauth library to a more recent version. The documentation for version 0.54 is not available anymore which makes SSO configuration a nightmare. I had similar configuration struggle for Keycloak as the openid_connect provider is not available in 0.54.

diankov commented 9 months ago

I believe here are the docs for Microsoft Graph at the time of version 0.54. But no clue there.

SchrodingersGat commented 9 months ago

Moving this to the next minor release - it may well require significant work to get this running smoothly

SchrodingersGat commented 8 months ago

@mittkkoo in https://github.com/inventree/InvenTree/pull/6099 I am adding in error logging so that the error message from microsoft is captured and logged to the database which should help here.

On the microsoft / azure side, have you created a separate client secret? This is different to the application ID and needs to be created separately

SchrodingersGat commented 8 months ago

@mittkkoo please LMK if the new patch fixes issues on your end

mittkkoo commented 8 months ago

> @mittkkoo please LMK if the new patch fixes issues on your end

I guess I will wait for 0.13.1 to appear in the master or stable branch on packager.io and the patch will be included. I assumed commits are automatically updated on packager.io at least on the master branch, but I can't find this one there. And I don't want to try to build from source, because I haven't done it before...

mittkkoo commented 8 months ago

@SchrodingersGat OK, I updated to the latest version in the master branch on packager.io. Now the log patch does its job and here is the entry after an unsuccessful login attempt through Microsoft:

Error object (56)
[HISTORY](https://lager.ageff.com/admin/error_report/error/56/history/)

Type:
OAuth2Error
Path:
/accounts/microsoft/login/callback/
Info:
Error retrieving access token: b'{"error":"invalid_client","error_description":"AADSTS7000215: Invalid client secret provided. Ensure the secret being sent in the request is the client secret value, not the client secret ID, for a secret added to app \'1a331cbd-1d46-433xxxxx\'. Trace ID: f87402b2-c98d-40caxxxx Correlation ID: 4711a888-6175-4xxxxx Timestamp: 2024-01-12 19:11:47Z","error_codes":[7000215],"timestamp":"2024-01-12 19:11:47Z","trace_id":"f87402b2-cxxxxx","correlation_id":"4711a888-6175-xxxxx","error_uri":"https://login.microsoftonline.com/error?code=7000215"}'
When:
12 January 2024, 19:11
Data:
Traceback (most recent call last):

File "/opt/inventree/env/lib/python3.9/site-packages/allauth/socialaccount/providers/oauth2/views.py", line 147, in dispatch
access_token = self.adapter.get_access_token_data(request, app, client)

File "/opt/inventree/env/lib/python3.9/site-packages/allauth/socialaccount/providers/oauth2/views.py", line 70, in get_access_token_data
return client.get_access_token(code, pkce_code_verifier=pkce_code_verifier)

File "/opt/inventree/env/lib/python3.9/site-packages/allauth/socialaccount/providers/oauth2/client.py", line 99, in get_access_token
raise OAuth2Error("Error retrieving access token: %s" % resp.content)

allauth.socialaccount.providers.oauth2.client.OAuth2Error: Error retrieving access token: b'{"error":"invalid_client","error_description":"AADSTS7000215: Invalid client secret provided. Ensure the secret being sent in the request is the client secret value, not the client secret ID, for a secret added to app \'1a331cbd-1d46-43xxxx\'. Trace ID: f87402b2-c9xxxxx Correlation ID: 4711a888-6175-4xxxxx Timestamp: 2024-01-12 19:11:47Z","error_codes":[7000215],"timestamp":"2024-01-12 19:11:47Z","trace_id":"f87402b2-cxxxxx","correlation_id":"4711a888-617xxxx","error_uri":"https://login.microsoftonline.com/error?code=7000215"}'

I tried different combinations of where to put the secret value and secret ID. Sometimes it gives the error above. Other times no error is logged and inventree says "Sign up is currently closed."
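The logged OAuth2Error above wraps Microsoft's JSON reply in a Python bytes repr, and the AADSTS7000215 text points at the classic mix-up between the client secret's ID column and its one-time-shown value. The following is an added helper (not InvenTree or django-allauth code) that recovers the JSON from such an error string, maps the AADSTS code to a hint, and sanity-checks the secret and TENANT values before they go into the SSO configuration; the AADSTS hint table and sample payload are assumptions constructed for this example.

```python
import ast
import json
import uuid

# Constructed sample mirroring the allauth OAuth2Error in this thread; the
# app ID below is a placeholder, not the value from the issue.
_SAMPLE_BODY = {
    "error": "invalid_client",
    "error_description": (
        "AADSTS7000215: Invalid client secret provided. Ensure the secret being "
        "sent in the request is the client secret value, not the client secret "
        "ID, for a secret added to app '00000000-0000-0000-0000-000000000000'."
    ),
    "error_codes": [7000215],
}
# allauth formats the message as "... %s" % resp.content, so the JSON ends up
# inside a bytes repr (b'...') with embedded single quotes escaped as \'.
SAMPLE_INFO = "Error retrieving access token: %s" % json.dumps(_SAMPLE_BODY).encode()

# Assumed short explanations for AADSTS codes relevant to this kind of setup.
AADSTS_HINTS = {
    7000215: "client secret ID was configured instead of the secret VALUE",
    50011: "redirect URI sent by the app does not match the app registration",
}

def parse_allauth_token_error(info: str) -> dict:
    """Recover the JSON Microsoft returned from an allauth OAuth2Error string."""
    start = info.find("b'")
    if start < 0:
        start = info.find('b"')
    if start < 0:
        raise ValueError("no bytes literal found in error text")
    raw = ast.literal_eval(info[start:])  # safely undo the bytes repr
    body = json.loads(raw.decode())
    codes = [int(c) for c in body.get("error_codes", [])]
    return {"error": body.get("error"), "codes": codes,
            "hints": [AADSTS_HINTS.get(c, "unknown AADSTS code") for c in codes]}

def looks_like_secret_id(secret: str) -> bool:
    """True if the configured 'secret' parses as a UUID, i.e. it is the portal's
    Secret ID column rather than the Value shown once at creation time."""
    try:
        uuid.UUID(secret.strip())
        return True
    except ValueError:
        return False

def tenant_is_plausible(tenant: str) -> bool:
    """Accept the Entra keywords or a tenant GUID; verified domain names are
    also valid for Microsoft but are not checked here."""
    return tenant.strip() in ("common", "organizations", "consumers") or looks_like_secret_id(tenant)
```

Run `parse_allauth_token_error` over the Info field of an error report and `looks_like_secret_id` over the secret you pasted into the social application before retrying the login.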

SchrodingersGat commented 8 months ago

Sounds like you have the wrong values in the SSO configuration:

mittkkoo commented 8 months ago

It comes down to guess the corresponding entries. Here are the fields for allauth and what Microsoft offers inv

Microsoft also needs a Redirect URI: azur

In addition there is the config.yaml in /opt/inventree/InvenTree/config.yaml

# Permit custom authentication backends
authentication_backends:
  - 'django.contrib.auth.backends.ModelBackend'
  - 'allauth.account.auth_backends.AuthenticationBackend'
#  Custom middleware, sometimes needed alongside an authentication backend change.
middleware:
  - 'django.middleware.security.SecurityMiddleware'
  - 'django.contrib.sessions.middleware.SessionMiddleware'
  - 'django.middleware.locale.LocaleMiddleware'
  - 'django.middleware.common.CommonMiddleware'
  - 'django.middleware.csrf.CsrfViewMiddleware'
  - 'corsheaders.middleware.CorsMiddleware'
  - 'django.contrib.auth.middleware.AuthenticationMiddleware'
  - 'django.contrib.messages.middleware.MessageMiddleware'
  - 'django.middleware.clickjacking.XFrameOptionsMiddleware'
  - 'InvenTree.middleware.AuthRequiredMiddleware'
  - 'allauth.account.middleware.AccountMiddleware'

# Add SSO login-backends (see examples below)
social_backends:
  - 'allauth.socialaccount.providers.microsoft'
#  - 'allauth.socialaccount.providers.github'
#  - 'allauth.socialaccount.providers.keycloak'

# Add specific settings for social account providers (if required)
# social_providers:
#   keycloak:
#     KEYCLOAK_URL: 'https://keycloak.custom/auth'
#     KEYCLOAK_REALM: 'master'
social_providers:
  microsoft:
    TENANT: organizations

My best guess, based on some posts on stackoverflow is:

Also I wonder if TENANT: organizations is really correct.

A strange thing I discovered is that, if I go to /settings/ -> Account -> Add SSO Account and connect a Microsoft account to the current user, afterwards I will be able to log in with Microsoft as this user! This makes me assume that SSO is working, but the registration of new users through SSO is not working.

SchrodingersGat commented 8 months ago

@mittkkoo I have discovered that some SSO errors (Microsoft in particular) are not properly logged and thus do not appear in the system.

Once https://github.com/inventree/InvenTree/pull/6246 has merged, please see if the changes allow you to either:

a) Login
b) Inspect error logs and determine what the issue is

mittkkoo commented 8 months ago

I had to setup a host email (#6259) and now SSO registration of new users works! A small problem is that no email is sent to the new user although a pop-up said an email was sent.

SchrodingersGat commented 7 months ago

@mittkkoo ok, glad that it works but you might want to raise a new issue regarding the email not sending. Please see if there is anything you can tweak on your end to get it to work.