[Bug]: Issue with OIDC Azure

[jozefrebjak]

Describe the problem

I have multiple issues with configuration of Azure OIDC.

1. There is some problem with scopes how are handled, it's look like it's trying to merge scopes like 1,2,3 but it should be handled one by one.

AADSTS650053: The application 'PowerAdmin' asked for scope 'openid,email,profile' that doesn't exist on the resource '00000003-0000-0000-c000-000000000000'. Contact the app vendor.

If I change from default

'scopes' => 'openid email profile'

to only one required scope openid

'scopes' => 'opened'

process will continue, but after that I have an issue with redirect URL.

2. Redirect URL issue

I'm running PowerAdmin as Docker container in docker swarm mode with Traefik in front of and somehow it's trying to use HTTP instead of HTTPS in communication with Azure.

HTTP redirect urls are not allowed only for http:localhost

So it' fail with message

AADSTS50011: The redirect URI 'http://poweradmin.example.com/oidc/callback' specified in the request does not match the redirect URIs configured for the application 'MY_TENANT_ID'. Make sure the redirect URI sent in the request matches one added to your application in the Azure portal. Navigate to https://aka.ms/redirectUriMismatchError to learn more about how to fix this.

3. metadata URL issue

In default configuration is a type of URL

https://login.microsoftonline.com/{tenant}/v2.0/.well-known/openid_configuration

Should be

https://login.microsoftonline.com/{tenant}/v2.0/.well-known/openid-configuration

Steps to reproduce

Conf issues

Poweradmin version

latest

Database

MariaDB

Additional information (optional)

No response

[edmondas]

@jozefrebjak Thanks for taking the lead and testing the latest bleeding-edge code. The code was pushed without proper testing, but good findings anyway.

[edmondas]

@jozefrebjak I've resolved the OIDC issues after the initial implementation lacked proper testing. It should now work with Azure AD, though I had to modify the database users table to store authentication method info (use_ldap will be removed later). I've included a working configuration below. Could you run another testing round to verify everything works as expected?

    /**
     * OIDC (OpenID Connect) Authentication Settings
     */
    'oidc' => [
        'enabled' => true,
        'auto_provision' => true,
        'link_by_email' => true,
        'sync_user_info' => true,
        'default_permission_template' => 'Administrator', # Only for testing
        #'permission_template_mapping' => [
        #    'PoweradminAdmins' => 'Administrator',
        #],
        'providers' => [
            'azure' => [
                'name' => 'Microsoft Azure AD',
                'display_name' => 'Sign in with Microsoft',
                'client_id' => 'YOUR_CLIENT_IT',
                'client_secret' => 'CLIENT_SECRET',
                'tenant' => 'TENANT_ID',
                'auto_discovery' => true,
                'metadata_url' => 'https://login.microsoftonline.com/TENANT_ID/v2.0/.well-known/openid-configuration',
                'scopes' => 'openid profile email',
                'user_mapping' => [
                    'username' => 'email',
                    'email' => 'email',
                    'first_name' => 'given_name',
                    'last_name' => 'family_name',
                    'display_name' => 'name',
                    'groups' => 'groups',
                    'subject' => 'sub',
                ]
            ]
        ]
    ],

[edmondas]

I also have this logging block, though messages may get truncated in php-fpm environments for reasons I haven't identified yet.

    /**
     * Logging Settings
     */
    'logging' => [
        'type' => 'native',
        'level' => 'debug',
    ],

[jozefrebjak]

@edmondas It's closer to work, but now I'm got

Authentication failed: Unable to create or update user account

[jozefrebjak]

@edmondas maybe I need to update database schema, I let it know

[jozefrebjak]

@edmondas After update of database schema it works, I'l update also docker entrypoint to make it work. Thanks

[jozefrebjak]

@edmondas It will be nice to have an option to disable local AUTH and leave only OIDC method like Azure. Thanks