OIDC Azure AD auth Config

Hi guys,

I am attempting to get Open ID Connect working with Azure AD. I am following both the OOD Open ID Connect and Open OnDemand - Leo's Notes documentation. All I get is “Your email address and/or password do not match”. There is nothing in the apache logs and no other logging that I can find for troubleshooting. The response is very quick like the host is not even getting to Azure. The host is behind a proxy but all http and https traffic is proxied. Do I need another port opened to connect with Azure?

I am not 100% sure on the oidc_remote_user_claim or the oidc_scope as I haven’t been able to find a lot of documentation and the terms are vague in the Azure .well-known/openid-configuration.

Any help appreciated.

host was working with local auth…
relevant portion of the ood_portal.yml

servername: openondemand.ads-test.otago.ac.nz

ssl:
  - 'SSLCertificateFile "PATH_TO_CERT"'
  - 'SSLCertificateKeyFile "PATH_TO_KEY"'

auth:
  - "AuthType openid-connect"
  - "Require valid-user"

# Use OIDC logout
logout_redirect: "/oidc/?logout=https%3A%2F%2Fopenondemand.OUR_DOMAIN/"

user_map_cmd: "/opt/ood/ood_auth_map/bin/ood_auth_map.regex --regex='^(.+)@OUR_DOMAIN' "

oidc_uri: "/oidc/"
oidc_provider_metadata_url: "https://sts.windows.net/OUR_TENANT_ID/.well-known/openid-configuration"
oidc_client_id: "MYCLIENT_ID"
oidc_client_secret: "MY_SECRET_HERE"
oidc_remote_user_claim: "preferred_username"
oidc_scope: "openid profile email"
oidc_session_inactivity_timeout: 28800
oidc_session_max_duration: 28800
oidc_state_max_number_of_cookies: "10 true"
oidc_settings:
  OIDCPassIDTokenAs: "serialized"
  OIDCPassRefreshToken: "On"
  OIDCPassClaimsAs: "environment"
  OIDCStripCookies: "mod_auth_openidc_session mod_auth_openidc_session_chunks mod_auth_openidc_session_0 mod_auth_openidc_session_1"
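As an added illustration (not code from this thread, from Open OnDemand or from ood_auth_map.regex), a small Python check of the two settings the first post was unsure about: it compares oidc_scope and oidc_remote_user_claim against a constructed sample of a provider's .well-known/openid-configuration document and mimics what the user_map_cmd regex does with the claim value. The metadata contents and usernames are constructed placeholders, not output from a real tenant, and STRICT_REGEX is a hypothetical stricter variant of the regex in the posted config.

```python
import json
import re

# Constructed sample of a .well-known/openid-configuration document; it is NOT
# what a real Azure AD tenant returns, only the fields this check reads.
SAMPLE_METADATA = json.dumps({
    "issuer": "https://sts.windows.net/OUR_TENANT_ID/",
    "authorization_endpoint": "https://login.microsoftonline.com/OUR_TENANT_ID/oauth2/authorize",
    "token_endpoint": "https://login.microsoftonline.com/OUR_TENANT_ID/oauth2/token",
    "scopes_supported": ["openid", "profile", "email", "offline_access"],
    "claims_supported": ["sub", "iss", "aud", "exp", "iat", "name", "email",
                         "preferred_username", "upn"],
})

# Values copied from the ood_portal.yml in the first post.
OOD_CONFIG = {
    "oidc_scope": "openid profile email",
    "oidc_remote_user_claim": "preferred_username",
    "user_map_regex": r"^(.+)@OUR_DOMAIN",
}

# The posted regex has no '$' anchor, so it is a prefix match on the claim value;
# this hypothetical anchored form only maps values whose domain part is exact.
STRICT_REGEX = r"^([^@]+)@OUR_DOMAIN$"


def check_oidc_config(metadata_json, config):
    """Return a list of findings (empty means nothing to flag) for the
    scope/claim settings against what the provider metadata advertises."""
    meta = json.loads(metadata_json)
    findings = []
    scopes = meta.get("scopes_supported", [])
    for scope in config["oidc_scope"].split():
        if scopes and scope not in scopes:
            findings.append(f"scope '{scope}' not in scopes_supported")
    claim = config["oidc_remote_user_claim"]
    claims = meta.get("claims_supported", [])
    if claims and claim not in claims:
        findings.append(f"claim '{claim}' not in claims_supported")
    for ep in ("authorization_endpoint", "token_endpoint"):
        if not meta.get(ep, "").startswith("https://"):
            findings.append(f"{ep} missing or not https")
    return findings


def map_remote_user(claim_value, regex):
    """Mimic the user_map_cmd step: the first capture group becomes the local
    account name; None means the login is rejected rather than mapped."""
    m = re.match(regex, claim_value)
    return m.group(1) if m else None
```

Point the check at the JSON you actually download from your tenant's metadata URL to see whether the claim and scopes you configured are advertised there, and feed map_remote_user a few real claim values to confirm they land on the intended local accounts.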

Hello and thanks for posting!

Sorry about the trouble. Looking at the config I don’t see anything wrong except (and I doubt this is the issue) the line:

oidc_uri: "/oidc/"

Maybe try to remove that trailing slash:

oidc_uri: "/oidc"

But if that doesn’t work we will need to do a deeper dive.

It would be helpful to see what things look like when the request leaves. To do that, the dev tools can maybe give us some clues.

If you would, try following these steps:

  • press F12 in the browser (assuming you are on chrome or firefox).
  • From within the dev console select the “Network” tab.
  • Now try to go through the authentication with this tab open and see what the browser is returning for the status codes and you can click on the file to examine the headers and response.

If any of that gets confusing please let me know and I can try to post some screen shots to help guide you.

Otherwise, if you could post what you see in that tab when making the request that would be a big help. Thanks!

Hi Travis,

Thanks!

I made the change to the oidc_uri as you suggested with no change to the behavior or to the dev console output. I’m not seeing anything to confirm that my browser is attempting to connect to Azure.

POST
	https://openondemand.ads-test.otago.ac.nz:5554/auth/local?req=zt5skr5wytpxjx2wd24rjre5m

Response headers

HTTP/2 200 OK
content-type: text/html; charset=utf-8
content-length: 2457
date: Tue, 28 Jun 2022 23:48:40 GMT
X-Firefox-Spdy: h2

Request headers

POST /auth/local?req=zt5skr5wytpxjx2wd24rjre5m HTTP/2
Host: openondemand.ads-test.otago.ac.nz:5554
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:101.0) Gecko/20100101 Firefox/101.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 55
Origin: https://openondemand.ads-test.otago.ac.nz:5554
DNT: 1
Connection: keep-alive
Referer: https://openondemand.ads-test.otago.ac.nz:5554/auth/local?req=zt5skr5wytpxjx2wd24rjre5m
Cookie: _ga_JT5TM69V4J=GS1.1.1656286328.2.0.1656286335.0; _ga=GA1.1.807387692.1655946671; _gcl_au=1.1.1714899585.1655947908; mod_auth_openidc_state_6R0UhfRBZydwYbG5F6YQJfp2DP8=eyJhbGciOiAiZGlyIiwgImVuYyI6ICJBMjU2R0NNIn0..26nzHCZukoTPrmqv.okzYF8S_0ZqCnECIHx26Sc8sZ2dPz4lDVqF3VQycvTOLoUAMa-1DXcL1by2Hou69yRweLqzubd6zjnqFcwaFVydfSZuMA2cGf0pfszNIBcL8o7IadChXPwqZA0VWXr4vL4NSJcFHtX9qQASts656x7BsDrr1mZ4PuHE237_XMvo_xAnpr7FkqnZXNO4A3S7I4-Lkc3mQQuCloGxkvGl1mjNj23KO-Bf4b4pwC7AlMOYobxh5Wd1UZnOb1lyvRxK6QQw_qVdMa9QwbbspgKyAyPb-tmSqtQwouwt6si0rAYpoAfrCHq0HQD87Aa2YkxJu9agnVdciZ-UTExY5HCa9cNG3lCFet7uyKeOTQDSgOS21cO_U5B-gB4bi0O9EiKVlFmu6t29PKuypz0IPCz-TElpfjMqpygoKGuOn2fM8KZww0YtK9GjZRHXG3qKHCpURr7cZDWi8x79dkA.HNTt_FKYEHOEZHTWVoUSOQ
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
TE: trailers

I have been able to get past this issue. Dex was installed and was taking precedence over OIDC. Once I uninstalled Ondemand Dex I was able to get mod_auth_openidc calling to Azure and authenticating.