We have been using Authentik as part of our default stack for close to a year, and have almost exclusively used OIDC with Azure AD without issue. We now have two customers where this is not working, and the common thread is that both of their tenants are in GCC High.
Authentication appears to be working. Using the browser developer tools I can see the request sent to the authorize endpoint succeeds with a 302 response and cookies are set. Also, subsequent requests no longer redirect to Azure, further suggesting that authentication was successful. Deleting the cookies resets the session and forces re-authentication. The standard toast notification that appears in the top-right of the window reports the following: "Authentication failed: Could not retrieve profile."
Following is a heavily redacted copy of the log entries that result from the error. I modified the URLs, IP addresses, and the code.
followed by 6 null characters, and then the following (which appears to be truncated -- perhaps that is an issue with how portainer captures the logs...I don't know where the authentik logs are on the server...I'm still searching):
When using GCC High, the domain is different. As opposed to the normal login.microsoftonline.com domain, login.microsoft.us is used instead. While the Profile URL should be graph.microsoft.us/oidc/userinfo, I have tried various other URLs as well, for both OIDC v1 and v2, and even using the standard domain. Nothing works.
It looks very much like there is a problem passing the authorization token.
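The check a practitioner would run at this point, as an added example that is not code from the post above or from authentik: rather than guessing a Profile URL for a sovereign cloud, fetch the tenant's own OpenID Connect discovery document (`<authority>/<tenant-id>/v2.0/.well-known/openid-configuration`), take the `userinfo_endpoint` from it, compare it with what the OAuth source is configured to use, and classify what the UserInfo call returns. The discovery JSON, the stale source configuration, the tenant ID and every hostname below are constructed for the demonstration and are not verified values for any Microsoft cloud; the function names are the example's own.

```python
"""Added example; not code from the original post or from authentik.

For a sovereign-cloud tenant, take the OIDC endpoints from the tenant's own
discovery document and compare them with the OAuth source configuration
instead of guessing hostnames. All sample data below is constructed for the
demonstration; the hostnames are not verified values for any Microsoft cloud.
"""
import json
from urllib.parse import urlparse

REQUIRED_KEYS = ("issuer", "authorization_endpoint", "token_endpoint",
                 "userinfo_endpoint", "jwks_uri")
TENANT = "00000000-0000-0000-0000-000000000000"  # constructed placeholder

# Constructed sample shaped like the JSON served at
# <authority>/<tenant-id>/v2.0/.well-known/openid-configuration.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": f"https://login.example-gov.test/{TENANT}/v2.0",
    "authorization_endpoint": f"https://login.example-gov.test/{TENANT}/oauth2/v2.0/authorize",
    "token_endpoint": f"https://login.example-gov.test/{TENANT}/oauth2/v2.0/token",
    "userinfo_endpoint": "https://graph.example-gov.test/oidc/userinfo",
    "jwks_uri": f"https://login.example-gov.test/{TENANT}/discovery/v2.0/keys",
})

# Constructed: a source where the authorize/token URLs were updated for the
# new cloud but the profile (UserInfo) URL still points at the old one.
STALE_CONFIG = {
    "authorization_endpoint": f"https://login.example-gov.test/{TENANT}/oauth2/v2.0/authorize",
    "token_endpoint": f"https://login.example-gov.test/{TENANT}/oauth2/v2.0/token",
    "userinfo_endpoint": "https://graph.example-com.test/oidc/userinfo",
}


def load_discovery(text):
    """Parse a discovery document and make sure the endpoints we need exist."""
    doc = json.loads(text)
    missing = [key for key in REQUIRED_KEYS if key not in doc]
    if missing:
        raise ValueError(f"discovery document is missing {missing}")
    for key in REQUIRED_KEYS:
        if urlparse(doc[key]).scheme != "https":
            raise ValueError(f"{key} is not an https URL: {doc[key]!r}")
    return doc


def check_source(config, discovery):
    """Return mismatches between the configured endpoints and discovery.

    An empty list means the source agrees with what the tenant publishes."""
    problems = []
    for key in ("authorization_endpoint", "token_endpoint", "userinfo_endpoint"):
        have, want = config.get(key), discovery[key]
        if have != want:
            problems.append(f"{key}: configured {have!r} but discovery says {want!r}")
    return problems


def userinfo_request(discovery, access_token):
    """Build the GET that runs after the token exchange.

    UserInfo is an OAuth-protected resource: it takes the *access* token as a
    bearer credential, never the ID token."""
    return discovery["userinfo_endpoint"], {
        "Authorization": f"Bearer {access_token}",
        "Accept": "application/json",
    }


def classify_userinfo_response(status, headers, body):
    """Map a UserInfo response to a one-line diagnosis."""
    lowered = {name.lower(): value for name, value in headers.items()}
    if status == 200:
        try:
            claims = json.loads(body)
        except ValueError:
            return "200 but body is not JSON; profile parsing will fail"
        if "sub" not in claims:  # OIDC Core requires 'sub' in a UserInfo response
            return "200 but no 'sub' claim; not an OIDC UserInfo response"
        return "ok"
    if status == 401:
        challenge = lowered.get("www-authenticate", "")
        return ("401 bearer token rejected (endpoint of a different cloud, expired "
                f"token, or ID token sent instead of access token): {challenge}")
    if status == 403:
        return "403 token accepted but not authorized for this resource; check requested scopes"
    return f"unexpected status {status}"


if __name__ == "__main__":
    discovery = load_discovery(SAMPLE_DISCOVERY)
    for problem in check_source(STALE_CONFIG, discovery):
        print("mismatch:", problem)
    url, headers = userinfo_request(discovery, "constructed-access-token")
    print("GET", url, headers["Authorization"][:14] + "...")
    print(classify_userinfo_response(
        401, {"WWW-Authenticate": 'Bearer error="invalid_token"'}, ""))
```

Against a real tenant, replace `SAMPLE_DISCOVERY` with the body of the tenant's `.well-known/openid-configuration` and `STALE_CONFIG` with the three URLs from the OAuth source; a non-empty `check_source` result is the configuration to fix, and a `401` from `classify_userinfo_response` while the authorize step succeeds is what the error in the post looks like at the HTTP level.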