jimdigriz / freeradius-oauth2-perl

FreeRADIUS OAuth2 (OpenID Connect) using rlm_perl
GNU Affero General Public License v3.0

FreeRADIUS and Azure Integration #46

Open jeremytampon opened 2 days ago

jeremytampon commented 2 days ago

We are trying to set up and integrate the "Cloud RADIUS Server using FreeRADIUS + daloRADIUS on Ubuntu 20.04" with Microsoft Azure AD. Upon integration we encountered the error below, "token failed: 400 Bad Request". We would like to ask for your assistance. Thank you.


(0) policy oauth2.authorize {
(0) if (&Realm && &User-Password && "%{config:realm[%{Realm}].oauth2.discovery}") {
(0) EXPAND realm[**.com].oauth2.discovery
(0) --> realm[**.com].oauth2.discovery
(0) EXPAND %{config:realm[%{Realm}].oauth2.discovery}
(0) --> https://login.microsoftonline.com/%{Realm}/v2.0
(0) if (&Realm && &User-Password && "%{config:realm[%{Realm}].oauth2.discovery}") -> TRUE
(0) if (&Realm && &User-Password && "%{config:realm[%{Realm}].oauth2.discovery}") {
(0) oauth2_perl: $RAD_REQUEST{'User-Name'} = &request:User-Name -> '**@**.com'
(0) oauth2_perl: $RAD_REQUEST{'User-Password'} = &request:User-Password -> '**'
(0) oauth2_perl: $RAD_REQUEST{'NAS-IP-Address'} = &request:NAS-IP-Address -> '192.168.2.55'
(0) oauth2_perl: $RAD_REQUEST{'NAS-Port'} = &request:NAS-Port -> '8443'
(0) oauth2_perl: $RAD_REQUEST{'NAS-Port-Type'} = &request:NAS-Port-Type -> 'Virtual'
(0) oauth2_perl: $RAD_REQUEST{'Event-Timestamp'} = &request:Event-Timestamp -> 'Oct 28 2024 07:13:21 PST'
(0) oauth2_perl: $RAD_REQUEST{'Message-Authenticator'} = &request:Message-Authenticator -> '0x1fc4c5530d1a6afebfde3dac7dde846b'
(0) oauth2_perl: $RAD_REQUEST{'Stripped-User-Name'} = &request:Stripped-User-Name -> '****'
(0) oauth2_perl: $RAD_REQUEST{'Realm'} = &request:Realm -> '**.com'
(0) oauth2_perl: $RAD_CHECK{'Proxy-To-Realm'} = &control:Proxy-To-Realm -> '**.com'
(0) oauth2_perl: $RAD_CONFIG{'Proxy-To-Realm'} = &control:Proxy-To-Realm -> '**.com'
rlm_perl: oauth2 authorize
(0) oauth2_perl: EXPAND realm[**.com].oauth2.discovery
(0) oauth2_perl: --> realm[**.com].oauth2.discovery
(0) oauth2_perl: EXPAND %{config:realm[**.com].oauth2.discovery}
(0) oauth2_perl: --> https://login.microsoftonline.com/%{Realm}/v2.0
(0) oauth2_perl: EXPAND https://login.microsoftonline.com/%{Realm}/v2.0
(0) oauth2_perl: --> https://login.microsoftonline.com/******.com/v2.0
(0) oauth2_perl: EXPAND realm[**.com].oauth2.client_id
(0) oauth2_perl: --> realm[**.com].oauth2.client_id
(0) oauth2_perl: EXPAND %{config:realm[**.com].oauth2.client_id}
(0) oauth2_perl: --> *
(0) oauth2_perl: EXPAND realm[**.com].oauth2.client_secret
(0) oauth2_perl: --> realm[**.com].oauth2.client_secret
(0) oauth2_perl: EXPAND %{config:realm[**.com].oauth2.client_secret}
(0) oauth2_perl: --> *
rlm_perl: oauth2 worker (**.com): supervisor started (tid=1)
rlm_perl: oauth2 worker (**.com): fetching discovery document
rlm_perl: oauth2 worker (**.com): started (tid=2)
rlm_perl: oauth2 worker (**.com): sync
rlm_perl: oauth2 worker (**.com): sync users
rlm_perl: oauth2 worker (**.com): users page
rlm_perl: oauth2 worker (**.com): fetching token
rlm_perl: oauth2 worker (**.com): token failed: 400 Bad Request
Use of uninitialized value $v in concatenation (.) or string at /usr/share/perl5/Net/HTTP/Methods.pm line 161.
rlm_perl: oauth2 worker (**.com): users failed: 400 Bad Request
rlm_perl: oauth2 worker (**.com): sync groups
rlm_perl: oauth2 worker (**.com): groups page
rlm_perl: oauth2 worker (**.com): fetching token
rlm_perl: oauth2 worker (**.com): token failed: 400 Bad Request
Use of uninitialized value $v in concatenation (.) or string at /usr/share/perl5/Net/HTTP/Methods.pm line 161.
rlm_perl: oauth2 worker (**.com): groups failed: 400 Bad Request
rlm_perl: oauth2 worker (**.com): apply
rlm_perl: oauth2 worker (**.com): syncing in 37 seconds
(0) oauth2_perl: &request:NAS-Port = $RAD_REQUEST{'NAS-Port'} -> '8443'
(0) oauth2_perl: &request:User-Password = $RAD_REQUEST{'User-Password'} -> '**'
(0) oauth2_perl: &request:NAS-IP-Address = $RAD_REQUEST{'NAS-IP-Address'} -> '192.168.2.55'
(0) oauth2_perl: &request:Realm = $RAD_REQUEST{'Realm'} -> '**.com'
(0) oauth2_perl: &request:User-Name = $RAD_REQUEST{'User-Name'} -> '**@**.com'
(0) oauth2_perl: &request:Event-Timestamp = $RAD_REQUEST{'Event-Timestamp'} -> 'Oct 28 2024 07:13:21 PST'
(0) oauth2_perl: &request:Message-Authenticator = $RAD_REQUEST{'Message-Authenticator'} -> '0x1fc4c5530d1a6afebfde3dac7dde846b'
(0) oauth2_perl: &request:NAS-Port-Type = $RAD_REQUEST{'NAS-Port-Type'} -> 'Virtual'
(0) oauth2_perl: &request:Stripped-User-Name = $RAD_REQUEST{'Stripped-User-Name'} -> '**'
(0) oauth2_perl: &control:Proxy-To-Realm = $RAD_CHECK{'Proxy-To-Realm'} -> '**.com'
(0) [oauth2_perl] = notfound
(0) if (updated && "%{config:realm[%{Realm}].oauth2.cache_password}" =~ /^(yes)?$/i) {
(0) if (updated && "%{config:realm[%{Realm}].oauth2.cache_password}" =~ /^(yes)?$/i) -> FALSE
(0) } # if (&Realm && &User-Password && "%{config:realm[%{Realm}].oauth2.discovery}") = notfound
(0) ... skipping else: Preceding "if" was taken
(0) } # policy oauth2.authorize = notfound


jimdigriz commented 2 days ago

I would recheck your values for client_id and that aboitiz.com is a registered domain for you in Azure Entra ID; bad request means that something about the parameters you have provided is incorrect.

jeremytampon commented 10 hours ago

[EDIT TO SANITISE OUT CREDENTIALS]

Hi jimdigriz,

I have managed to fix the error in client_id. But now it keeps looping at the "Authorization: Bearer". Please see the attached log file.

Thank you,


(0) policy oauth2.authorize {
(0) if (&Realm && &User-Password && "%{config:realm[%{Realm}].oauth2.discovery}") {
(0) EXPAND realm[**.com].oauth2.discovery
(0) --> realm[**.com].oauth2.discovery
(0) EXPAND %{config:realm[%{Realm}].oauth2.discovery}
(0) --> https://login.microsoftonline.com/%{Realm}/v2.0
(0) if (&Realm && &User-Password && "%{config:realm[%{Realm}].oauth2.discovery}") -> TRUE
(0) if (&Realm && &User-Password && "%{config:realm[%{Realm}].oauth2.discovery}") {
(0) oauth2_perl: $RAD_REQUEST{'User-Name'} = &request:User-Name -> '**@**.com'
(0) oauth2_perl: $RAD_REQUEST{'User-Password'} = &request:User-Password -> '****'
(0) oauth2_perl: $RAD_REQUEST{'NAS-IP-Address'} = &request:NAS-IP-Address -> '192...*'
(0) oauth2_perl: $RAD_REQUEST{'NAS-Port'} = &request:NAS-Port -> '8443'
(0) oauth2_perl: $RAD_REQUEST{'NAS-Port-Type'} = &request:NAS-Port-Type -> 'Virtual'
(0) oauth2_perl: $RAD_REQUEST{'Event-Timestamp'} = &request:Event-Timestamp -> 'Oct 31 2024 11:48:32 PST'
(0) oauth2_perl: $RAD_REQUEST{'Message-Authenticator'} = &request:Message-Authenticator -> '0xca9f6f995a80fd2ba03954b48ee0b938'
(0) oauth2_perl: $RAD_REQUEST{'Stripped-User-Name'} = &request:Stripped-User-Name -> '****'
(0) oauth2_perl: $RAD_REQUEST{'Realm'} = &request:Realm -> '**.com'
(0) oauth2_perl: $RAD_CHECK{'Proxy-To-Realm'} = &control:Proxy-To-Realm -> '**.com'
(0) oauth2_perl: $RAD_CONFIG{'Proxy-To-Realm'} = &control:Proxy-To-Realm -> '**.com'
rlm_perl: oauth2 authorize
(0) oauth2_perl: EXPAND realm[**.com].oauth2.discovery
(0) oauth2_perl: --> realm[**.com].oauth2.discovery
(0) oauth2_perl: EXPAND %{config:realm[**.com].oauth2.discovery}
(0) oauth2_perl: --> https://login.microsoftonline.com/%{Realm}/v2.0
(0) oauth2_perl: EXPAND https://login.microsoftonline.com/%{Realm}/v2.0
(0) oauth2_perl: --> https://login.microsoftonline.com/******.com/v2.0
(0) oauth2_perl: EXPAND realm[**.com].oauth2.client_id
(0) oauth2_perl: --> realm[**.com].oauth2.client_id
(0) oauth2_perl: EXPAND %{config:realm[**.com].oauth2.client_id}
(0) oauth2_perl: --> *
(0) oauth2_perl: EXPAND realm[**.com].oauth2.client_secret
(0) oauth2_perl: --> realm[**.com].oauth2.client_secret
(0) oauth2_perl: EXPAND %{config:realm[**.com].oauth2.client_secret}
(0) oauth2_perl: --> *
rlm_perl: oauth2 worker (**.com): supervisor started (tid=1)
rlm_perl: oauth2 worker (**.com): fetching discovery document
rlm_perl: GET https://login.microsoftonline.com/******.com/v2.0/.well-known/openid-configuration
rlm_perl: Accept-Encoding: gzip, x-gzip, deflate, x-bzip2, bzip2
rlm_perl: User-Agent: freeradius-oauth2-perl/0.2 (+https://github.com/jimdigriz/freeradius-oauth2-perl; libwww-perl/6.43)
rlm_perl: 
rlm_perl: (no content)
rlm_perl: HTTP/1.1 200 OK
rlm_perl: Cache-Control: max-age=86400, private
rlm_perl: Date: Thu, 31 Oct 2024 03:48:32 GMT
rlm_perl: Content-Length: 1753
rlm_perl: Content-Type: application/json; charset=utf-8
rlm_perl: Access-Control-Allow-Methods: GET, OPTIONS
rlm_perl: Access-Control-Allow-Origin: *
rlm_perl: Client-Date: Thu, 31 Oct 2024 03:48:33 GMT
rlm_perl: Client-Peer: 40.126.16.166:443
rlm_perl: Client-Response-Num: 1
rlm_perl: Client-SSL-Cert-Issuer: /C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA
rlm_perl: Client-SSL-Cert-Subject: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=stamp2.login.microsoftonline.com
rlm_perl: Client-SSL-Cipher: TLS_AES_256_GCM_SHA384
rlm_perl: Client-SSL-Socket-Class: IO::Socket::SSL
rlm_perl: P3P: CP="DSP CUR OTPi IND OTRi ONL FIN"
rlm_perl: Set-Cookie: fpc=AvlrhZcELFhAvbBdjGOTizE; expires=Sat, 30-Nov-2024 03:48:33 GMT; path=/; secure; HttpOnly; SameSite=None
rlm_perl: Set-Cookie: esctx=PAQABBwEAAADW6jl31mB3T7ugrWTT8pFea9guaRtj3SFyaBm-o-PxJbT4E7dWLB1oJN1WnbMjzrlXjm8S58ZAC6eRzI61uJyoIYRDMmuWYGWRLajfQSsUX0Uf9nfJoXcqaXViw07yZlAFSPwgXiKAqZPwWxU6d6hBwD9EAcphNFrGC_v66GxdHgeNkwRm7dBtX9GCrKnQP98gAA; domain=.login.microsoftonline.com; path=/; secure; HttpOnly; SameSite=None
rlm_perl: Set-Cookie: x-ms-gateway-slice=estsfd; path=/; secure; samesite=none; httponly
rlm_perl: Set-Cookie: stsservicecookie=estsfd; path=/; secure; samesite=none; httponly
rlm_perl: Strict-Transport-Security: max-age=31536000; includeSubDomains
rlm_perl: X-Content-Type-Options: nosniff
rlm_perl: X-Ms-Ests-Server: 2.1.19267.5 - KRSLR1 ProdSlices
rlm_perl: X-Ms-Request-Id: f6245ca9-dc7b-4b9b-99b6-f0b5b8955d00
rlm_perl: X-Ms-Srs: 1.P
rlm_perl: X-XSS-Protection: 0
rlm_perl: 
rlm_perl: {"token_endpoint":"https://login.microsoftonline.com/168c5494-9d91-4231-9a1e-7a59be2db9de/oauth2/v2.0/token","token_endpoint_auth_methods_supported":["client_secret_post","private_key_jwt","client_secret_basic"],"jwks_uri":"https://login.microsoftonline.com/168c5494-9d91-4231-9a1e-7a59be2db9de/discovery/v2.0/keys","response_modes_supported":["query","fragment","form_post"],"subject_types_supported":["pairwise"],"id_token_signing_alg_values_supported":["RS256"],"response_types_supported":["code","id_token","...
rlm_perl: (+ 1241 more bytes not shown)
rlm_perl: oauth2 worker (**.com): started (tid=2)
rlm_perl: oauth2 worker (**.com): sync
rlm_perl: oauth2 worker (**.com): sync users
rlm_perl: oauth2 worker (**.com): users page
rlm_perl: oauth2 worker (**.com): fetching token
rlm_perl: POST https://login.microsoftonline.com/168c5494-9d91-4231-9a1e-7a59be2db9de/oauth2/v2.0/token
rlm_perl: Accept-Encoding: gzip, x-gzip, deflate, x-bzip2, bzip2
rlm_perl: User-Agent: freeradius-oauth2-perl/0.2 (+https://github.com/jimdigriz/freeradius-oauth2-perl; libwww-perl/6.43)
rlm_perl: Content-Length: 182
rlm_perl: Content-Type: application/x-www-form-urlencoded
rlm_perl: 
rlm_perl: client_id=**&client_secret=**&scope=https%3A%2F%2Fgraph.microsoft.com%2F.default&grant_type=client_credentials
rlm_perl: HTTP/1.1 200 OK
rlm_perl: Cache-Control: no-store, no-cache
rlm_perl: Date: Thu, 31 Oct 2024 03:48:32 GMT
rlm_perl: Pragma: no-cache
rlm_perl: Content-Length: 1661
rlm_perl: Content-Type: application/json; charset=utf-8
rlm_perl: Expires: -1
rlm_perl: Client-Date: Thu, 31 Oct 2024 03:48:33 GMT
rlm_perl: Client-Peer: 40.126.16.166:443
rlm_perl: Client-Response-Num: 2
rlm_perl: Client-SSL-Cert-Issuer: /C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA
rlm_perl: Client-SSL-Cert-Subject: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=stamp2.login.microsoftonline.com
rlm_perl: Client-SSL-Cipher: TLS_AES_256_GCM_SHA384
rlm_perl: Client-SSL-Socket-Class: IO::Socket::SSL
rlm_perl: Client-SSL-Warning: Peer certificate not verified
rlm_perl: P3P: CP="DSP CUR OTPi IND OTRi ONL FIN"
rlm_perl: Set-Cookie: fpc=AjEAy_ZrGshInT5KFo2qb7O0IxneAQAAABD1tN4OAAAA; expires=Sat, 30-Nov-2024 03:48:33 GMT; path=/; secure; HttpOnly; SameSite=None
rlm_perl: Set-Cookie: x-ms-gateway-slice=estsfd; path=/; secure; samesite=none; httponly
rlm_perl: Set-Cookie: stsservicecookie=estsfd; path=/; secure; samesite=none; httponly
rlm_perl: Strict-Transport-Security: max-age=31536000; includeSubDomains
rlm_perl: X-Content-Type-Options: nosniff
rlm_perl: X-Ms-Ests-Server: 2.1.19267.5 - SEASLR1 ProdSlices
rlm_perl: X-Ms-Request-Id: 047767bb-10e3-4257-9ab0-3fd492fa0900
rlm_perl: X-Ms-Srs: 1.P
rlm_perl: X-XSS-Protection: 0
rlm_perl: 
rlm_perl: {"token_type":"Bearer","expires_in":3599,"ext_expires_in":3599,"access_token":"eyJ0e...CZ1lE...
rlm_perl: (+ 1149 more bytes not shown)
rlm_perl: GET https://graph.microsoft.com/v1.0/users/delta?$select=id,userPrincipalName,isResourceAccount,accountEnabled,lastPasswordChangeDateTime
rlm_perl: Accept: application/json
rlm_perl: Accept-Encoding: gzip, x-gzip, deflate, x-bzip2, bzip2
rlm_perl: Authorization: Bearer eyJ0eXAiO...HNtng
rlm_perl: User-Agent: freeradius-oauth2-perl/0.2 (+https://github.com/jimdigriz/freeradius-oauth2-perl; libwww-perl/6.43)
rlm_perl: Prefer: return=minimal
rlm_perl: 
rlm_perl: (no content)
rlm_perl: HTTP/1.1 200 OK
rlm_perl: Cache-Control: no-cache
rlm_perl: Date: Thu, 31 Oct 2024 03:48:33 GMT
rlm_perl: Vary: Accept-Encoding
rlm_perl: Content-Type: application/json;odata.metadata=minimal;odata.streaming=true;IEEE754Compatible=false;charset=utf-8
rlm_perl: Client-Date: Thu, 31 Oct 2024 03:48:33 GMT
rlm_perl: Client-Peer: 40.126.35.88:443
rlm_perl: Client-Request-Id: 0be83b62-cf21-49d1-8866-6c12eec99a58
rlm_perl: Client-Response-Num: 1
rlm_perl: Client-SSL-Cert-Issuer: /C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA
rlm_perl: Client-SSL-Cert-Subject: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=graph.microsoft.com
rlm_perl: Client-SSL-Cipher: TLS_AES_256_GCM_SHA384
rlm_perl: Client-SSL-Socket-Class: IO::Socket::SSL
rlm_perl: Client-Transfer-Encoding: chunked
rlm_perl: OData-Version: 4.0
rlm_perl: Preference-Applied: return=minimal
rlm_perl: Request-Id: 0be83b62-cf21-49d1-8866-6c12eec99a58
rlm_perl: Strict-Transport-Security: max-age=31536000
rlm_perl: X-Ms-Ags-Diagnostic: {"ServerInfo":{"DataCenter":"Southeast Asia","Slice":"E","Ring":"5","ScaleUnit":"002","RoleInstance":"SG1PEPF00002016"}}
rlm_perl: 
rlm_perl: @.**@.":"https://graph.microsoft.com/v1.0/users/delta?$skiptoken=...
rlm_perl: (+ 35445 more bytes not shown)
rlm_perl: oauth2 worker (**.com): users page
rlm_perl: GET https://graph.microsoft.com/v1.0/users/delta?$skiptoken=...

jimdigriz commented 5 hours ago

Got to be careful: bearers are credentials, so pasting them in their entirety means the world and their dog have access to your Entra ID database (it does warn that plain text credentials are displayed); hopefully only your user/group listing, but you may need to consider the impact of this.

The looping is normal; the troubleshooting does hint that this may occur, and if you have a large number of users or group memberships it can take some time to download the lot.

After a while (it can take a minute or so) it should settle down; does it then start to work?
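The maintainer's point above is that rlm_perl debug output carries live credentials: the client_secret in the token POST, the bearer on every Graph request, the session cookies from login.microsoftonline.com, and the RADIUS User-Password. As an added example (not part of the project or of this thread), here is a small Python filter that redacts those values before a log is pasted, replacing each with a short SHA-256 fingerprint so the same token can still be followed across the users-page loop; the sample log lines and every secret in them are constructed.

```python
"""Redact credentials from rlm_perl / freeradius-oauth2-perl debug output."""
import hashlib
import re
import sys

# Constructed sample modelled on the debug lines in this thread; every
# secret-looking value below is made up for the example.
SAMPLE_TOKEN = ("eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9."
                "eyJhdWQiOiJodHRwczovL2dyYXBoLm1pY3Jvc29mdC5jb20ifQ."
                "c2lnbmF0dXJl")
SAMPLE_LOG = "\n".join([
    "(0) oauth2_perl: $RAD_REQUEST{'User-Password'} = &request:User-Password -> 'hunter2'",
    "rlm_perl: client_id=11111111-2222-3333-4444-555555555555&client_secret=s3cr3tValue~abc"
    "&scope=https%3A%2F%2Fgraph.microsoft.com%2F.default&grant_type=client_credentials",
    'rlm_perl: {"token_type":"Bearer","expires_in":3599,"access_token":"' + SAMPLE_TOKEN + '"}',
    "rlm_perl: Authorization: Bearer " + SAMPLE_TOKEN,
    "rlm_perl: Set-Cookie: esctx=c0nstructedCookieValue123; domain=.login.microsoftonline.com; path=/; secure; HttpOnly",
    "rlm_perl: oauth2 worker (example.com): users page",
])

REDACTED = "<redacted:"


def fingerprint(secret: str) -> str:
    """Stable tag (first 32 bits of SHA-256) so one token can be correlated
    across lines, e.g. the same bearer reused on every delta page, without
    revealing it."""
    return REDACTED + hashlib.sha256(secret.encode()).hexdigest()[:8] + ">"


# (rule name, pattern): group 1 is the prefix to keep, group 2 the secret.
# Specific rules run first; the bare-JWT catch-all runs last so a token that
# was already replaced via its header or JSON field is not touched twice.
RULES = [
    ("radius-password", re.compile(r"(User-Password\S* -> ')([^']+)")),
    ("client-secret",   re.compile(r"(client_secret=)([^&\s]+)")),
    ("json-token",      re.compile(r'("(?:access|refresh|id)_token"\s*:\s*")([^"]+)')),
    ("bearer-header",   re.compile(r"(Authorization:\s*Bearer\s+)(\S+)")),
    ("set-cookie",      re.compile(r"(Set-Cookie:\s*[^=;\s]+=)([^;\s]+)")),
    ("bare-jwt",        re.compile(r"()(eyJ[\w-]+\.eyJ[\w-]+\.[\w-]+)")),
]


def redact_line(line: str) -> tuple[str, list[str]]:
    """Return the redacted line and the names of the rules that fired."""
    hits: list[str] = []
    for name, pat in RULES:
        def sub(m, name=name):
            if m.group(2).startswith(REDACTED):
                return m.group(0)          # already handled by an earlier rule
            hits.append(name)
            return m.group(1) + fingerprint(m.group(2))
        line = pat.sub(sub, line)
    return line, hits


def redact_log(text: str) -> str:
    return "\n".join(redact_line(line)[0] for line in text.splitlines())


def scan(text: str) -> list[str]:
    """Rule names that still match an unredacted value anywhere in text;
    an empty list means the output is safe to paste."""
    return [name for name, pat in RULES
            if any(not m.group(2).startswith(REDACTED) for m in pat.finditer(text))]


if __name__ == "__main__":
    raw = SAMPLE_LOG if sys.stdin.isatty() else sys.stdin.read()
    cleaned = redact_log(raw)
    sys.stdout.write(cleaned + "\n")
    # Non-zero exit if anything credential-shaped survived, so a pipeline
    # can refuse to post the output.
    sys.exit(1 if scan(cleaned) else 0)
```

Pipe the `radiusd -X` output through it before attaching it to an issue; client_id is left intact since it is an identifier rather than a credential.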