I am attempting to get OpenID Connect working with Azure AD. I am following both the OOD OpenID Connect and Open OnDemand - Leo's Notes documentation. All I get is “Your email address and/or password do not match”. There is nothing in the Apache logs and no other logging that I can find for troubleshooting. The response is very quick, as if the host is not even getting to Azure. The host is behind a proxy, but all http and https traffic is proxied. Do I need another port opened to connect with Azure?
I am not 100% sure on the oidc_remote_user_claim or the oidc_scope, as I haven’t been able to find a lot of documentation and the terms are vague in the Azure .well-known/openid-configuration.
Any help appreciated.
The host was working with local auth…
Relevant portion of the ood_portal.yml:

```yaml
- 'SSLCertificateFile "PATH_TO_CERT"'
- 'SSLCertificateKeyFile "PATH_TO_KEY"'
- "AuthType openid-connect"
- "Require valid-user"
# Use OIDC logout
user_map_cmd: "/opt/ood/ood_auth_map/bin/ood_auth_map.regex --regex='^(.+)@OUR_DOMAIN' "
oidc_scope: "openid profile email"
oidc_state_max_number_of_cookies: "10 true"
OIDCStripCookies: "mod_auth_openidc_session mod_auth_openidc_session_chunks mod_auth_openidc_session_0 mod_auth_openidc_session_1"
```
Hello and thanks for posting!
Sorry about the trouble. Looking at the config I don’t see anything wrong except (and I doubt this is the issue) the line:
Maybe try to remove that trailing slash:
But if that doesn’t work we will need to do a deeper dive.
It would be helpful to see what things look like when the request leaves. To do that, the dev tools can maybe give us some clues.
If you would, try following these steps:
- Press F12 in the browser (assuming you are on Chrome or Firefox).
- From within the dev console select the “Network” tab.
- Now try to go through the authentication with this tab open and see what status codes the browser is returning; you can click on the file to examine the headers and response.
If any of that gets confusing please let me know and I can try to post some screen shots to help guide you.
Otherwise, if you could post what you see in that tab when making the request that would be a big help. Thanks!
I made the change to the oidc_uri as you suggested with no change to the behavior or to the dev console output. I’m not seeing anything to confirm that my browser is attempting to connect to Azure.
```
HTTP/2 200 OK
content-type: text/html; charset=utf-8
date: Tue, 28 Jun 2022 23:48:40 GMT
POST /auth/local?req=zt5skr5wytpxjx2wd24rjre5m HTTP/2
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:101.0) Gecko/20100101 Firefox/101.0
Accept-Encoding: gzip, deflate, br
Cookie: _ga_JT5TM69V4J=GS1.1.16562863188.8.131.526286335.0; _ga=GA1.1.807387692.1655946671; _gcl_au=1.1.1714899585.1655947908; mod_auth_openidc_state_6R0UhfRBZydwYbG5F6YQJfp2DP8=eyJhbGciOiAiZGlyIiwgImVuYyI6ICJBMjU2R0NNIn0..26nzHCZukoTPrmqv.okzYF8S_0ZqCnECIHx26Sc8sZ2dPz4lDVqF3VQycvTOLoUAMa-1DXcL1by2Hou69yRweLqzubd6zjnqFcwaFVydfSZuMA2cGf0pfszNIBcL8o7IadChXPwqZA0VWXr4vL4NSJcFHtX9qQASts656x7BsDrr1mZ4PuHE237_XMvo_xAnpr7FkqnZXNO4A3S7I4-Lkc3mQQuCloGxkvGl1mjNj23KO-Bf4b4pwC7AlMOYobxh5Wd1UZnOb1lyvRxK6QQw_qVdMa9QwbbspgKyAyPb-tmSqtQwouwt6si0rAYpoAfrCHq0HQD87Aa2YkxJu9agnVdciZ-UTExY5HCa9cNG3lCFet7uyKeOTQDSgOS21cO_U5B-gB4bi0O9EiKVlFmu6t29PKuypz0IPCz-TElpfjMqpygoKGuOn2fM8KZww0YtK9GjZRHXG3qKHCpURr7cZDWi8x79dkA.HNTt_FKYEHOEZHTWVoUSOQ
```
I have been able to get past this issue. Dex was installed and was taking precedence over OIDC. Once I uninstalled OnDemand Dex I was able to get mod_auth_openidc calling to Azure and authenticating.
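A quick check for the situation this thread ends on, added here as an example and not code from the thread or from the Open OnDemand project: it reads the Apache config that the portal generator renders and reports which issuer mod_auth_openidc will actually send users to. The Dex ports, the sample config text and the config path in the usage note are assumptions.

```shell
#!/bin/sh
# Added diagnostic, not part of Open OnDemand. If the rendered config's
# OIDCProviderMetadataURL points at the portal host's own Dex listener rather
# than Azure AD, users land on Dex's "/auth/local" password form, which is
# where the "email address and/or password do not match" message comes from.

# Print scheme://host[:port] of the first OIDCProviderMetadataURL directive.
oidc_issuer_host() {
  sed -n 's/^[[:space:]]*OIDCProviderMetadataURL[[:space:]]*"\{0,1\}\(https\{0,1\}:\/\/[^/"]*\).*/\1/p' "$1" | head -n 1
}

# Classify the issuer; always returns 0 so it composes under set -e.
#   azure - Azure AD (login.microsoftonline.com)
#   dex   - OnDemand Dex on the portal host (assumed default ports 5554/5556)
#   none  - no OIDCProviderMetadataURL rendered at all
#   other - some other provider
classify_issuer() {
  host="$(oidc_issuer_host "$1")"
  case "$host" in
    "")                                          echo none ;;
    https://login.microsoftonline.com*)          echo azure ;;
    *:5554|*:5556|*://localhost*|*://127.0.0.1*) echo dex ;;
    *)                                           echo other ;;
  esac
}

# Constructed sample of what the rendered config looks like with Dex enabled;
# writes it to a temp file and prints the path.
sample_dex_conf() {
  f="$(mktemp)"
  printf '%s\n' \
    '  OIDCProviderMetadataURL "https://ood.example.org:5554/dex/.well-known/openid-configuration"' \
    '  OIDCClientID "ood.example.org"' \
    '  OIDCRemoteUserClaim email' > "$f"
  echo "$f"
}

# With a path argument, inspect that file; otherwise run on the sample.
conf="${1:-$(sample_dex_conf)}"
echo "issuer: $(oidc_issuer_host "$conf")"
echo "class:  $(classify_issuer "$conf")"
```

On an EL8 portal host the rendered file is assumed to be /etc/httpd/conf.d/ood-portal.conf; pass that path as the first argument.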