goauthentik/authentik

AzureAD OAuth Source - Profile URL Reset

martinadamsUL opened this issue · 5 comments

Describe the bug
The profile URL on the AzureAD OAuth Source on Federation and Social login keeps resetting.

Manually set this to https://graph.microsoft.com/v1.0/me and a few hours later it will set itself to the value of https://graph.microsoft.com/oidc/userinfo

This then gives my users the error

Request to authenticate with AzureAD has been denied. Please authenticate with the source you've previously signed up with.

Setting the profile URL back to https://graph.microsoft.com/v1.0/me allows for authentication to continue

To Reproduce
Steps to reproduce the behavior:

  1. Go to Federation and Social Login, create an AzureAD OAuth Source with a profile URL of https://graph.microsoft.com/v1.0/me (the default). Set user matching mode to "Link to a user with an identical email address. Can have security implications when a source doesn't have a valid email address".
  2. Wait a couple of hours (less than 12 hours)
  3. Try to log in to Authentik using AzureAD as a connected source and receive Request to authenticate with AzureAD has been denied. Please authenticate with the source you've previously signed up with.
  4. Set the profile URL in the OAuth source back to https://graph.microsoft.com/v1.0/me and successfully complete the login flow.

Expected behavior
Profile URL to stay as inputted value.

Screenshots (attached images: AzureAD0, AzureAD1)

Version and Deployment (please complete the following information):

  • authentik version: 2024.4.2
  • Deployment: helm

After some debugging, it looks like it's the well-known URL that's resetting this back to https://graph.microsoft.com/oidc/userinfo as this is what's in the OIDC response on Microsoft's end.

When using https://graph.microsoft.com/oidc/userinfo and trying to match on email, I get the "use the login method you previously used to sign up" message (or something to that effect).

I guess I'm hoping authentik can fully support the information given by the https://graph.microsoft.com/oidc/userinfo URL, but for now I'm going to leave the well-known URL blank and hope my Profile URL stays https://graph.microsoft.com/v1.0/me
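To make the behaviour described in this comment concrete, here is an added Python sketch (not authentik's code) of a discovery-document sync that refreshes endpoints from the well-known document but keeps operator-set fields and reports the drift as a warning instead of silently applying it; the discovery document below, the field names and the `overridden` set are assumptions constructed for the example.

```python
from __future__ import annotations

import json

# Constructed stand-in for the OIDC discovery document served at the
# well-known URL; only the fields relevant to this report are included.
DISCOVERY_DOC = json.dumps({
    "authorization_endpoint": "https://login.microsoftonline.com/common/oauth2/v2.0/authorize",
    "token_endpoint": "https://login.microsoftonline.com/common/oauth2/v2.0/token",
    "userinfo_endpoint": "https://graph.microsoft.com/oidc/userinfo",
})

# Assumed mapping from discovery keys to the source's configuration fields.
ENDPOINT_FIELDS = {
    "authorization_endpoint": "authorization_url",
    "token_endpoint": "access_token_url",
    "userinfo_endpoint": "profile_url",
}


def sync_from_discovery(source: dict, discovery_json: str, overridden: set[str],
                        preserve_overrides: bool = True) -> list[str]:
    """Refresh endpoint fields of `source` (mutated in place) from the discovery
    document. With preserve_overrides=True, fields the operator set explicitly
    are left alone and a warning is returned when discovery disagrees with them.
    With preserve_overrides=False the sync blindly overwrites everything, which
    reproduces the reset reported in this issue."""
    doc = json.loads(discovery_json)
    warnings: list[str] = []
    for key, field in ENDPOINT_FIELDS.items():
        discovered = doc.get(key)
        if not discovered:
            continue
        current = source.get(field)
        if preserve_overrides and field in overridden:
            if current != discovered:
                warnings.append(f"{field}: configured {current!r}, "
                                f"discovery advertises {discovered!r}")
            continue
        source[field] = discovered
    return warnings


def example() -> tuple[dict, list[str]]:
    # Operator pinned the profile URL to the Graph /me endpoint (the default).
    source = {"profile_url": "https://graph.microsoft.com/v1.0/me"}
    warnings = sync_from_discovery(source, DISCOVERY_DOC, overridden={"profile_url"})
    return source, warnings
```

Running `example()` fills in the token and authorization endpoints, keeps `profile_url` at `/v1.0/me`, and returns one warning pointing at the `/oidc/userinfo` value from discovery.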

+1 on this issue. I'm also going to remove the well-known URL as a temp workaround while I do some more research.

+1 for the issue. My colleague had the same issue on 2024.4.2. My instance is running on 2024.2.2 and doesn't have the issue.
We have now upgraded to 2024.6.0 to test whether the issue persists.

I upgraded to 2024.6.0 earlier and created a new AzureAD profile. Whilst it didn't reset the profile URL (I deleted it not long after; I assume it would have, though), I wasn't able to successfully log in.

FWIW, if it makes any difference, the URLs on my AzureAD social profiles have \common\ replaced with \<my tenant ID>\