AzureAD OAuth Source - Profile URL Reset
martinadamsUL opened this issue · 5 comments
Describe the bug
The profile URL on the AzureAD OAuth Source on Federation and Social login keeps resetting.
Manually set this to https://graph.microsoft.com/v1.0/me and a few hours later it will set itself to the value of https://graph.microsoft.com/oidc/userinfo
This then gives my users the error
Request to authenticate with AzureAD has been denied. Please authenticate with the source you've previously signed up with.
Setting the profile URL back to https://graph.microsoft.com/v1.0/me allows for authentication to continue
To Reproduce
Steps to reproduce the behavior:
- Go to Federation and Social Login, create an AzureAD OAuth Source with a profile URL of https://graph.microsoft.com/v1.0/me (the default). Set user matching mode to "Link to a user with an identical email address. Can have security implications when a source doesn't have a valid email address"
- Wait a couple of hours (less than 12 hours)
- Try to log in to Authentik using AzureAD as a connected source and receive
Request to authenticate with AzureAD has been denied. Please authenticate with the source you've previously signed up with.
- Set profile URL in OAuth source back to https://graph.microsoft.com/v1.0/me and successfully complete login flow.
Expected behavior
Profile URL to stay as inputted value.
Version and Deployment (please complete the following information):
- authentik version: 2024.4.2
- Deployment: helm
After some debugging, it looks like it's the well-known URL that's resetting this back to https://graph.microsoft.com/oidc/userinfo as this is what's in the OIDC response on Microsoft's end.
When using https://graph.microsoft.com/oidc/userinfo and trying to match on email, I will get the "use the login method you previously used to sign up" message (or something to that effect).
I guess I'm hoping authentik can fully support the information given in the https://graph.microsoft.com/oidc/userinfo URL - but for now I'm going to leave the well-known URL blank and hope my Profile URL stays https://graph.microsoft.com/v1.0/me
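One way to catch this drift before users hit the error, written as an added example for this thread rather than code from authentik: a check that compares the endpoints a well-known discovery document advertises against the values configured on the source, so a scheduled job can flag a profile URL that a discovery refresh would overwrite. The discovery document below is a constructed stand-in, and the source field names are an assumption mirroring the UI labels, not authentik's internal model.

```python
import json
from typing import Dict, List

# Constructed stand-in for the document served at the well-known URL.
# Only the endpoint keys compared below matter here; "<tenant-id>" is a
# placeholder, not a real tenant.
DISCOVERY_DOC = json.dumps({
    "issuer": "https://login.microsoftonline.com/<tenant-id>/v2.0",
    "authorization_endpoint":
        "https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/authorize",
    "token_endpoint":
        "https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/token",
    "userinfo_endpoint": "https://graph.microsoft.com/oidc/userinfo",
})

# Source as an operator configured it. Field names are assumed (they follow
# the UI labels) and are not authentik's own attribute names.
SOURCE_CONFIG = {
    "authorization_url":
        "https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/authorize",
    "access_token_url":
        "https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/token",
    "profile_url": "https://graph.microsoft.com/v1.0/me",
}

# Discovery keys mapped to the configured field each one would replace.
DISCOVERY_TO_SOURCE = {
    "authorization_endpoint": "authorization_url",
    "token_endpoint": "access_token_url",
    "userinfo_endpoint": "profile_url",
}


def discovery_drift(discovery_json: str, source: Dict[str, str]) -> List[str]:
    """Return the configured fields whose value differs from what the
    discovery document advertises, i.e. the ones a well-known refresh
    would reset. An empty list means the configuration is stable."""
    doc = json.loads(discovery_json)
    drifted = []
    for disc_key, src_key in DISCOVERY_TO_SOURCE.items():
        advertised = doc.get(disc_key)
        if advertised is not None and advertised != source.get(src_key):
            drifted.append(src_key)
    return drifted


if __name__ == "__main__":
    for field in discovery_drift(DISCOVERY_DOC, SOURCE_CONFIG):
        print(f"{field}: {SOURCE_CONFIG[field]!r} would be reset by discovery")
```

Against a live source, replace DISCOVERY_DOC with the body fetched from the configured well-known URL and SOURCE_CONFIG with the values read from the source; a non-empty result is the condition this thread describes.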
+1 on this issue. I'm also going to remove the well-known URL as a temp workaround while I do some more research.
+1 for the issue. My colleague had the same issue on 2024.4.2. My instance is running on 2024.2.2 and doesn't have the issue.
We upgraded now to 2024.6.0 to test if the issue persists.
I upgraded to 2024.6.0 earlier and created a new AzureAD Profile - whilst it didn't reset the profile URL (I deleted it not long after, I assume it would though) I wasn't able to successfully log in.
FWIW, if it makes any difference, the URLs on my AzureAD social profiles have \common\ replaced with \<my tenant ID>\