kontron / redmine_oauth

Redmine authentication through OAuth.
GNU General Public License v2.0
62 stars 27 forks

Issue with authentication against MS Entra ID #59

Closed schaefdavid closed 2 days ago

schaefdavid commented 2 weeks ago

Dear all,

we try to setup the plugin against MS Entra ID. The first steps are done. But at the end we get the following error message:

E, [2024-11-08T09:50:32.404651 #881319] ERROR -- : [467f4791-c360-4ed4-bdc2-d7ec1d98d8f7] interaction_required: AADSTS50158: External security challenge not satisfied. User will be redirected to another page or authentication provider to satisfy additional authentication challenges. Trace ID: 0acd787a-0955-4881-80c4-957d5ecc4c00 Correlation ID: 747c2212-3a3b-4a63-aa2d-8e8e4d257e34 Timestamp: 2024-11-08 08:50:32Z {"error":"interaction_required","error_description":"AADSTS50158: External security challenge not satisfied. User will be redirected to another page or authentication provider to satisfy additional authentication challenges. Trace ID: 0acd787a-0955-4881-80c4-957d5ecc4c00 Correlation ID: 747c2212-3a3b-4a63-aa2d-8e8e4d257e34 Timestamp: 2024-11-08 08:50:32Z","error_codes":[50158],"timestamp":"2024-11-08 08:50:32Z","trace_id":"0acd787a-0955-4881-80c4-957d5ecc4c00","correlation_id":"747c2212-3a3b-4a63-aa2d-8e8e4d257e34","error_uri":"https://login.microsoftonline.com/error?code=50158","suberror":"basic_action","claims":"{\"access_token\":{\"capolids\":{\"essential\":true,\"values\":[\"010cbe0f-0895-42dc-964a-c7537094cbc4\"]}}}"}

Any ideas what this means? The authentication itself was successful.

schaefdavid commented 2 weeks ago

I have solved the issue: the plugin forwarded the OAuth request to https://login.microsoftonline.com/{TENANT-ID}/oauth2/authorize - but the correct one is https://login.microsoftonline.com/{TENANT-ID}/oauth2/v2.0/authorize.

If you use the custom endpoint, it is easily possible to set your own endpoints. Is it possible to change the endpoints somewhere?

picman commented 2 weeks ago

You can change it just for Custom. I will update the endpoint for MS OAuth.

picman commented 2 weeks ago

That's strange. In my case:

https://login.microsoftonline.com/{TENANT-ID}/oauth2/authorize works

https://login.microsoftonline.com/{TENANT-ID}/oauth2/2.0/authorize doesn't work

Maybe there is a setting in the Azure AD portal? I've no access there, so I don't know.

schaefdavid commented 1 week ago

Please check the help page: https://learn.microsoft.com/en-us/entra/identity-platform/v2-oauth2-client-creds-grant-flow#third-case-access-token-request-with-a-federated-credential - here v2.0 is always included.

You missed a v in your second URL.

picman commented 1 week ago

As soon as I add there v2.0 I get AADSTS650053: The application 'XXX' asked for scope 'user:email' that doesn't exist on the resource '00000003-0000-0000-c000-000000000000'. Contact the app vendor. Trace ID: xxx Correlation ID: xxx Timestamp: xxx

picman commented 1 week ago

From MS documentation:

The following examples suppose that your application is validating a v2.0 access token (and therefore reference the v2.0 versions of the OIDC metadata documents and keys). Just remove the "/v2.0" in the URL if you validate v1.0 tokens.

So, a solution might be to add a version in use, v2.0/v1.0, and then use corresponding URLs with or without v2.0 in the path.

picman commented 1 week ago

So I've added a new Version option to the Azure AD configuration. The default is v1.0 => no change in URL. v2.0 => 'v2.0' is added into the URL. Could you test the devel branch?
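The version switch described in the last two comments, as an added Ruby example that is not the plugin's own code: given a tenant ID and the selected version, it derives the authorize/token URLs and also the OIDC metadata and keys URLs that the quoted MS documentation says differ only by the "/v2.0" segment. The module and method names (EntraEndpoints, tenant_id, version) are assumptions for this example, and the GUID check on the tenant ID is an added validation step.

```ruby
# Added example, not code from the redmine_oauth plugin.
# Builds the Azure AD / Entra ID endpoint set for a configured "Version":
#   v1.0 -> bare /oauth2/... paths and bare metadata/keys paths
#   v2.0 -> "v2.0" inserted as a path segment in all four URLs
module EntraEndpoints
  BASE = 'https://login.microsoftonline.com'.freeze
  VERSIONS = %w[v1.0 v2.0].freeze
  # Tenant IDs are GUIDs. Rejecting anything else keeps a mis-typed or
  # tampered setting (e.g. one containing "/" or "..") from steering the
  # browser to an unexpected path on the login host.
  GUID = /\A[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\z/i

  # tenant_id: the Entra tenant GUID from the plugin settings (assumed name)
  # version:   'v1.0' (default, unchanged URLs) or 'v2.0'
  def self.for(tenant_id, version = 'v1.0')
    raise ArgumentError, 'tenant id must be a GUID' unless tenant_id.to_s.match?(GUID)
    raise ArgumentError, "unsupported version #{version}" unless VERSIONS.include?(version)

    # For v2.0 the segment "v2.0/" is spliced in; for v1.0 it is simply absent.
    seg = version == 'v2.0' ? 'v2.0/' : ''
    {
      authorize: "#{BASE}/#{tenant_id}/oauth2/#{seg}authorize",
      token:     "#{BASE}/#{tenant_id}/oauth2/#{seg}token",
      metadata:  "#{BASE}/#{tenant_id}/#{seg}.well-known/openid-configuration",
      jwks:      "#{BASE}/#{tenant_id}/discovery/#{seg}keys"
    }
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample tenant ID, not a real tenant.
  sample = '11111111-2222-3333-4444-555555555555'
  EntraEndpoints.for(sample, 'v2.0').each { |k, v| puts "#{k}: #{v}" }
end
```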