hkamel/sonar-auth-aad

AADSTS50158: External security challenge not satisfied

philthynz opened this issue · 5 comments

So using this plugin our users are getting directed to Azure SSO, and after signing in they are redirected to the page "You're not authorized to access this page".

The web error log has:

```
2021.01.19 00:24:08 ERROR web[AXcWdB0cnQiTNP9tAAjM][o.a.a.a.AadIdentityProvider] Exception:java.util.concurrent.ExecutionException: com.microsoft.aad.adal4j.AdalClaimsChallengeException: {"error_description":"AADSTS50158: External security challenge not satisfied. User will be redirected to another page or authentication provider to satisfy additional authentication challenges.\r\nTrace ID: 31a1a782-2187-4e62-ba2b-9ac9ad709100\r\nCorrelation ID: ca367647-911e-4ac3-aba5-6fdb26473bc2\r\nTimestamp: 2021-01-19 00:24:08Z","error":"interaction_required","error_uri":"https:\/\/login.microsoftonline.com\/error?code=50158"}
```

We've seen this error in every browser. It may be worth noting that some users have a different domain in their UPN, however I don't think it matters.

We have checked in Azure and have seen the user logins are successful, even with MFA. Is it possible this plugin is not receiving the correct information back from Azure that the user login was successful?

As best as I can determine, this is an issue when using conditional access with multi-factor auth. The error message is from Azure itself.

I will take a look at those. But it seems strange for it to be working for other apps that have implemented SSO. It's just this plugin that's not working. It seems related to AzureAD/microsoft-authentication-library-for-js#617

@srvrguy We have checked our conditional access policy. It simply says outside our known locations to require MFA.

I did some more testing...

From a normal internet connection, not our office (outside our known locations), if I use a private browser and go to our SonarQube website, the login does not redirect to MFA. However, in the same session, if I go to the office portal, it immediately asks for MFA. Then refreshing the SonarQube website in the same browser session lets me in.

In the same location, if I open a private browser, first go to the office portal, sign in with MFA, and then open our SonarQube website, it lets me in.

So, the issue seems to be this plugin, or some config that has not been specified in the documentation, where the plugin does not redirect to the MFA site to get a token.

Yes, that seems to be the cause. However, I don't have a configuration that can reproduce the problem, and even with MFA enabled by default when not using conditional access, I can't reproduce the issue. Note that I'm not using anything "fancy" like external MFA or ADFS or similar, and am not set up to test those flows.

The plugin itself doesn't really have the responsibility for redirecting for MFA. We hand off auth to login.microsoftonline.com (or the specific regional cloud if it's set) to handle authentication and then redirect back to SonarQube with an access token. It's the basic OAuth flow MS documents. Now, it's possible that this is an issue with the flow as implemented by the underlying ADAL4J library. That library is deprecated and the replacement of ADAL4J contains a lot of stuff this plugin doesn't need. I'm working on replacing it with the much simpler ScribeJava library, but due to various work and personal demands progress has been slow.

If you need something that will work immediately, you could try SonarQube's built-in SAML support. It's not quite as simple as this plugin, but it may fit your needs.

@srvrguy Thanks, really appreciate the feedback!

Yes, SAML will be our fallback; this plugin is our preferred method because it includes group and user provisioning.

Apparently that ADAL4J library does support conditional access:

Just looking at the examples from here, it includes some more logic to handle when the user doesn't have a token.

Is it possible this plugin can be updated to include some logic for conditional access? I understand that might be hard because you don't have any testing environment with conditional access enabled.
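
Added example, not part of the thread or the plugin's code: a small triage helper that pulls the AADSTS code, the OAuth `error` value and the Trace/Correlation IDs out of a SonarQube `web.log` line shaped like the one quoted in the opening post, so the failure can be matched against the Azure AD sign-in logs. The function name and the sample line (with placeholder IDs) are constructed for illustration.

```python
import json
import re

# Constructed sample line in the shape quoted in the issue; IDs are placeholders.
SAMPLE_LINE = (
    '2021.01.19 00:24:08 ERROR web[AXcWdB0cnQiTNP9tAAjM][o.a.a.a.AadIdentityProvider] '
    'Exception:java.util.concurrent.ExecutionException: '
    'com.microsoft.aad.adal4j.AdalClaimsChallengeException: '
    '{"error_description":"AADSTS50158: External security challenge not satisfied.'
    '\\r\\nTrace ID: 00000000-0000-0000-0000-000000000001'
    '\\r\\nCorrelation ID: 00000000-0000-0000-0000-000000000002'
    '\\r\\nTimestamp: 2021-01-19 00:24:08Z",'
    '"error":"interaction_required",'
    '"error_uri":"https:\\/\\/login.microsoftonline.com\\/error?code=50158"}'
)

# "Key: value" lines that Azure AD appends to error_description.
AAD_FIELDS = re.compile(r'^(Trace ID|Correlation ID|Timestamp): (.+)$', re.M)


def parse_aad_error(line):
    """Return triage fields for a log line, or None if it carries no AAD error JSON."""
    m = re.search(r'([\w.]+Exception): (\{.*\})\s*$', line)
    if not m:
        return None
    try:
        body = json.loads(m.group(2))  # decodes the \r\n and \/ escapes
    except json.JSONDecodeError:
        return None  # truncated or wrapped log line
    desc = body.get("error_description", "")
    code = re.match(r'(AADSTS\d+):', desc)
    fields = {k: v.strip() for k, v in AAD_FIELDS.findall(desc)}
    return {
        "exception": m.group(1).rsplit(".", 1)[-1],
        "aadsts": code.group(1) if code else None,
        "error": body.get("error"),
        "trace_id": fields.get("Trace ID"),
        "correlation_id": fields.get("Correlation ID"),
        # interaction_required: the token request needs another interactive
        # round trip (here, the challenge named in the description).
        "needs_interaction": body.get("error") == "interaction_required",
    }


if __name__ == "__main__":
    print(parse_aad_error(SAMPLE_LINE))
```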