
Pitfalls setting up OIDC with ADFS #148

Open
spryffee opened this issue Feb 27, 2023 · 2 comments

Comments

@spryffee

Hello. Thanks all who maintain and contribute to this gem.

I use it for SSO with ADFS in my project. While setting up I was getting the error

...
DEBUG -- omniauth: (openid_connect) Callback phase initiated.
ERROR -- omniauth: (openid_connect) Authentication failure! Access Token Invalid or Expired: OpenIDConnect::Unauthorized, Access Token Invalid or Expired
...

which had me banging my head on the keyboard, because the error message was quite far from the original issue. I dived into the library with prints to figure it out. As I understood it, the problem is that the AD FS UserInfo endpoint does not expect the client to request additional claims; it simply does not support that (ADFS FAQ).
So, the original error returned by the provider when the client requests the userinfo_endpoint during the callback phase is below:

MSIS9921: Received invalid UserInfo request. Audience 'microsoft:identityserver:<my_identifier>' in the access token is not same as the identifier of the UserInfo relying party trust 'urn:microsoft:userinfo'.

Thanks to the extra_authorize_params option I was able to set the resource URI that the provider expects. Here is my working config:

Rails.application.config.middleware.use OmniAuth::Builder do
  provider  :openid_connect,
            scope: ['openid', 'profile', 'email'],
            issuer: 'https://provider.example.com/adfs',
            extra_authorize_params: {"resource": "urn:microsoft:userinfo"},
            discovery: true,
            client_options: {
              port: 443,
              scheme: 'https',
              host: 'provider.example.com',
              authorization_endpoint: 'https://provider.example.com/adfs/oauth2/authorize',
              token_endpoint: 'https://provider.example.com/adfs/oauth2/token',
              userinfo_endpoint: 'https://provider.example.com/adfs/userinfo',
              identifier: ENV["OIDC_IDENTIFIER"],
              secret: ENV["OIDC_SECRET"],
              redirect_uri: "https://example.com/auth/openid_connect/callback"
            }
end

Maybe it makes sense to add a note about resource uri for AD FS. Or maybe to add an option that skips requesting userinfo_endpoint at all. What do you think?
I'm not sure it is the case for having another omniauth provider.

P.S. Minor NOTE for those who will be using this as a manual: after fixing the issue, you may still get "Access Token Invalid or Expired" from time to time. In my case it went away completely after I configured NTP on the server.
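Added example, not code from the gem or from the post above: a small Ruby diagnostic that reads the `aud` claim of the access token before the userinfo call, so the MSIS9921 audience mismatch is reported in plain words instead of the generic "Access Token Invalid or Expired". It assumes the AD FS access token is a JWT whose `aud` is shaped like the quoted error; the two sample tokens are constructed here and unsigned (placeholder signature segment), and the claim is read without verification for diagnosis only.

```ruby
require 'json'

USERINFO_AUDIENCE = 'urn:microsoft:userinfo'

# base64url (no padding) -> raw bytes, without needing the base64 gem
def b64url_decode(str)
  s = str.tr('-_', '+/')
  s += '=' * ((4 - s.length % 4) % 4)
  s.unpack1('m0')
end

# Read the claims of a JWT-shaped access token WITHOUT verifying it.
# Diagnostics only: the openid_connect stack still validates the id_token;
# here we only want to look at the 'aud' claim before calling /adfs/userinfo.
def unverified_claims(token)
  parts = token.split('.')
  raise ArgumentError, 'not a JWT (expected 3 dot-separated parts)' unless parts.length == 3
  JSON.parse(b64url_decode(parts[1]))
end

# Explain, before the userinfo call, whether AD FS would accept the token.
# 'aud' may be a string or an array, so normalise it with Array().
def diagnose_userinfo_audience(token)
  aud = Array(unverified_claims(token)['aud'])
  if aud.include?(USERINFO_AUDIENCE)
    { ok: true, message: "access token audience #{USERINFO_AUDIENCE} matches the UserInfo relying party trust" }
  else
    { ok: false,
      message: "access token audience #{aud.inspect} will be rejected by /adfs/userinfo (MSIS9921); " \
               "add extra_authorize_params: { resource: '#{USERINFO_AUDIENCE}' } to the provider config" }
  end
end

# --- constructed sample tokens (hypothetical, unsigned; signature segment is a placeholder) ---
def b64url_encode(str)
  [str].pack('m0').tr('+/', '-_').delete('=')
end

def sample_token(aud)
  header  = b64url_encode({ alg: 'RS256', typ: 'JWT' }.to_json)
  payload = b64url_encode({ aud: aud, iss: 'https://provider.example.com/adfs', exp: 4_102_444_800 }.to_json)
  "#{header}.#{payload}.placeholder-signature"
end

TOKEN_WITHOUT_RESOURCE = sample_token('microsoft:identityserver:<my_identifier>') # what the issue saw
TOKEN_WITH_RESOURCE    = sample_token(USERINFO_AUDIENCE)                          # after resource=... is sent

if __FILE__ == $PROGRAM_NAME
  [TOKEN_WITHOUT_RESOURCE, TOKEN_WITH_RESOURCE].each { |t| puts diagnose_userinfo_audience(t)[:message] }
end
```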

@davidwessman
Contributor

I am not 100% sure what your problem is caused by, but I also need to skip requesting the userinfo_endpoint (#145).
But it seems to be used for access_tokens somehow.

@metanerd

metanerd commented Mar 7, 2024

Thank you for opening this issue! I encountered the same error trying to use an AD FS issuer with openid_connect on a self-managed GitLab. Applying your suggestions, spryffee, I now encounter a different error:
Sign-in using Openid Connect auth failed: Email can't be blank. I got one step further thanks to your invested time. 🎉
