opendatadiscovery/odd-platform

Cannot connect to ODD Platform after configuring Azure Identity Provider

Closed this issue · 3 comments

Describe the bug
The platform keeps returning Invalid Credentials

Set up
Deployed via Helm, latest chart version. Configuration for Azure provider:

    auth:
      type: OAUTH2
      oauth2:
        client:
          azure:
            provider: 'azure'
            azure-tenant-id: "$(AZURE_TENANT_ID)"
            client-id: "$(OddPlatformAzureAuthClientId)"
            client-secret: "$(OddPlatformAzureAuthClientSecret)"
            client-name: azure
            redirect-uri: "https://datagovernance$(NewGlobeGlobalHostNameSuffix)/login/oauth2/code/azure"
            scope:
              - openid
              - offline_access
              - https://graph.microsoft.com/user.read
            authorization-uri: https://login.microsoftonline.com/${auth.oauth2.client.azure.azure-tenant-id}/oauth2/v2.0/authorize
            token-uri: https://login.microsoftonline.com/${auth.oauth2.client.azure.azure-tenant-id}/oauth2/v2.0/token
            user-info-uri: https://graph.microsoft.com/oidc/userinfo
            user-name-attribute: email
            admin-attribute: email
            admin-principals:
              - stefano.messina@uat.newglobe.education

Expected behavior
Able to log in

Screenshots
[screenshot: odd-access]

Additional Context
My Azure credentials are correct, as I'm able to log in to all other services in our organization.

Related tickets:

  1. #1162
  2. #1216

Some debug logs:

2024-11-19T16:01:07.709Z DEBUG 1 --- [or-http-epoll-3] o.s.s.w.s.u.m.OrServerWebExchangeMatcher : Trying to match using PathMatcherServerWebExchangeMatcher{pattern='/api/referencedata/table/{lookup_table_id}/data', method=POST}
2024-11-19T16:01:07.709Z DEBUG 1 --- [or-http-epoll-4] o.s.s.w.s.a.AuthorizationWebFilter       : Authorization failed: Access Denied
2024-11-19T16:01:07.709Z DEBUG 1 --- [or-http-epoll-3] athPatternParserServerWebExchangeMatcher : Request 'GET /' doesn't match 'POST /api/referencedata/table/{lookup_table_id}/data'
2024-11-19T16:01:07.709Z DEBUG 1 --- [or-http-epoll-3] o.s.s.w.s.u.m.OrServerWebExchangeMatcher : No matches found
2024-11-19T16:01:07.709Z DEBUG 1 --- [or-http-epoll-3] o.s.s.w.s.u.m.OrServerWebExchangeMatcher : Trying to match using PathMatcherServerWebExchangeMatcher{pattern='/api/referencedata/table/{lookup_table_id}/data/{row_id}', method=PUT}
2024-11-19T16:01:07.709Z DEBUG 1 --- [or-http-epoll-3] athPatternParserServerWebExchangeMatcher : Request 'GET /' doesn't match 'PUT /api/referencedata/table/{lookup_table_id}/data/{row_id}'
2024-11-19T16:01:07.709Z DEBUG 1 --- [or-http-epoll-3] o.s.s.w.s.u.m.OrServerWebExchangeMatcher : No matches found
2024-11-19T16:01:07.709Z DEBUG 1 --- [or-http-epoll-3] o.s.s.w.s.u.m.OrServerWebExchangeMatcher : Trying to match using PathMatcherServerWebExchangeMatcher{pattern='/api/referencedata/table/{lookup_table_id}/data/{row_id}', method=DELETE}
2024-11-19T16:01:07.709Z DEBUG 1 --- [or-http-epoll-3] athPatternParserServerWebExchangeMatcher : Request 'GET /' doesn't match 'DELETE /api/referencedata/table/{lookup_table_id}/data/{row_id}'
2024-11-19T16:01:07.709Z DEBUG 1 --- [or-http-epoll-3] o.s.s.w.s.u.m.OrServerWebExchangeMatcher : No matches found
2024-11-19T16:01:07.709Z DEBUG 1 --- [or-http-epoll-3] o.s.s.w.s.u.m.OrServerWebExchangeMatcher : Trying to match using PathMatcherServerWebExchangeMatcher{pattern='/**', method=null}
2024-11-19T16:01:07.709Z DEBUG 1 --- [or-http-epoll-3] athPatternParserServerWebExchangeMatcher : Checking match of request : '/'; against '/**'
2024-11-19T16:01:07.709Z DEBUG 1 --- [or-http-epoll-3] o.s.s.w.s.u.m.OrServerWebExchangeMatcher : matched
2024-11-19T16:01:07.710Z DEBUG 1 --- [or-http-epoll-3] a.DelegatingReactiveAuthorizationManager : Checking authorization on '/' using org.springframework.security.authorization.AuthenticatedReactiveAuthorizationManager@1672486c
2024-11-19T16:01:07.710Z DEBUG 1 --- [or-http-epoll-3] ebSessionServerSecurityContextRepository : No SecurityContext found in WebSession: 'org.springframework.session.web.server.session.SpringSessionWebSessionStore$SpringSessionWebSession@3a366ec'
2024-11-19T16:01:07.715Z DEBUG 1 --- [or-http-epoll-4] ebSessionServerSecurityContextRepository : No SecurityContext found in WebSession: 'org.springframework.session.web.server.session.SpringSessionWebSessionStore$SpringSessionWebSession@616568ac'
2024-11-19T16:01:07.715Z DEBUG 1 --- [or-http-epoll-3] o.s.s.w.s.a.AuthorizationWebFilter       : Authorization failed: Access Denied
2024-11-19T16:01:07.715Z DEBUG 1 --- [or-http-epoll-4] DelegatingServerAuthenticationEntryPoint : Trying to match using AndServerWebExchangeMatcher{matchers=[NegatedServerWebExchangeMatcher{matcher=org.springframework.security.config.web.server.ServerHttpSecurity$OAuth2LoginSpec$$Lambda$1252/0x00000008015542d8@1288d014}, NegatedServerWebExchangeMatcher{matcher=AndServerWebExchangeMatcher{matchers=[OrServerWebExchangeMatcher{matchers=[PathMatcherServerWebExchangeMatcher{pattern='/login', method=null}, PathMatcherServerWebExchangeMatcher{pattern='/favicon.ico', method=null}]}, AndServerWebExchangeMatcher{matchers=[NegatedServerWebExchangeMatcher{matcher=org.springframework.security.config.web.server.ServerHttpSecurity$OAuth2LoginSpec$$Lambda$1252/0x00000008015542d8@1288d014}, MediaTypeRequestMatcher [matchingMediaTypes=[application/xhtml+xml, image/*, text/html, text/plain], useEquals=false, ignoredMediaTypes=[*/*]]]}]}}]}
2024-11-19T16:01:07.716Z DEBUG 1 --- [or-http-epoll-4] .s.s.w.s.u.m.AndServerWebExchangeMatcher : Trying to match using NegatedServerWebExchangeMatcher{matcher=org.springframework.security.config.web.server.ServerHttpSecurity$OAuth2LoginSpec$$Lambda$1252/0x00000008015542d8@1288d014}
2024-11-19T16:01:07.716Z DEBUG 1 --- [or-http-epoll-4] .w.s.u.m.NegatedServerWebExchangeMatcher : matches = true
2024-11-19T16:01:07.716Z DEBUG 1 --- [or-http-epoll-4] .s.s.w.s.u.m.AndServerWebExchangeMatcher : Trying to match using NegatedServerWebExchangeMatcher{matcher=AndServerWebExchangeMatcher{matchers=[OrServerWebExchangeMatcher{matchers=[PathMatcherServerWebExchangeMatcher{pattern='/login', method=null}, PathMatcherServerWebExchangeMatcher{pattern='/favicon.ico', method=null}]}, AndServerWebExchangeMatcher{matchers=[NegatedServerWebExchangeMatcher{matcher=org.springframework.security.config.web.server.ServerHttpSecurity$OAuth2LoginSpec$$Lambda$1252/0x00000008015542d8@1288d014}, MediaTypeRequestMatcher [matchingMediaTypes=[application/xhtml+xml, image/*, text/html, text/plain], useEquals=false, ignoredMediaTypes=[*/*]]]}]}}
2024-11-19T16:01:07.716Z DEBUG 1 --- [or-http-epoll-4] .s.s.w.s.u.m.AndServerWebExchangeMatcher : Trying to match using OrServerWebExchangeMatcher{matchers=[PathMatcherServerWebExchangeMatcher{pattern='/login', method=null}, PathMatcherServerWebExchangeMatcher{pattern='/favicon.ico', method=null}]}
2024-11-19T16:01:07.716Z DEBUG 1 --- [or-http-epoll-4] o.s.s.w.s.u.m.OrServerWebExchangeMatcher : Trying to match using PathMatcherServerWebExchangeMatcher{pattern='/login', method=null}
2024-11-19T16:01:07.716Z DEBUG 1 --- [or-http-epoll-4] athPatternParserServerWebExchangeMatcher : Request 'GET /' doesn't match 'null /login'
2024-11-19T16:01:07.716Z DEBUG 1 --- [or-http-epoll-4] o.s.s.w.s.u.m.OrServerWebExchangeMatcher : Trying to match using PathMatcherServerWebExchangeMatcher{pattern='/favicon.ico', method=null}
2024-11-19T16:01:07.716Z DEBUG 1 --- [or-http-epoll-4] athPatternParserServerWebExchangeMatcher : Request 'GET /' doesn't match 'null /favicon.ico'
2024-11-19T16:01:07.716Z DEBUG 1 --- [or-http-epoll-4] o.s.s.w.s.u.m.OrServerWebExchangeMatcher : No matches found
2024-11-19T16:01:07.716Z DEBUG 1 --- [or-http-epoll-4] .s.s.w.s.u.m.AndServerWebExchangeMatcher : Did not match
2024-11-19T16:01:07.716Z DEBUG 1 --- [or-http-epoll-4] .w.s.u.m.NegatedServerWebExchangeMatcher : matches = true
2024-11-19T16:01:07.716Z DEBUG 1 --- [or-http-epoll-4] .s.s.w.s.u.m.AndServerWebExchangeMatcher : All requestMatchers returned true
2024-11-19T16:01:07.716Z DEBUG 1 --- [or-http-epoll-4] DelegatingServerAuthenticationEntryPoint : Match found! Executing org.springframework.security.web.server.authentication.RedirectServerAuthenticationEntryPoint@3fadfd7a
2024-11-19T16:01:07.716Z DEBUG 1 --- [or-http-epoll-4] .s.s.w.s.u.m.AndServerWebExchangeMatcher : Trying to match using OrServerWebExchangeMatcher{matchers=[PathMatcherServerWebExchangeMatcher{pattern='/**', method=GET}]}
2024-11-19T16:01:07.716Z DEBUG 1 --- [or-http-epoll-4] o.s.s.w.s.u.m.OrServerWebExchangeMatcher : Trying to match using PathMatcherServerWebExchangeMatcher{pattern='/**', method=GET}
2024-11-19T16:01:07.716Z DEBUG 1 --- [or-http-epoll-4] athPatternParserServerWebExchangeMatcher : Checking match of request : '/'; against '/**'
2024-11-19T16:01:07.716Z DEBUG 1 --- [or-http-epoll-4] o.s.s.w.s.u.m.OrServerWebExchangeMatcher : matched
2024-11-19T16:01:07.716Z DEBUG 1 --- [or-http-epoll-4] .s.s.w.s.u.m.AndServerWebExchangeMatcher : Trying to match using NegatedServerWebExchangeMatcher{matcher=OrServerWebExchangeMatcher{matchers=[PathMatcherServerWebExchangeMatcher{pattern='/favicon.*', method=null}]}}
2024-11-19T16:01:07.716Z DEBUG 1 --- [or-http-epoll-4] o.s.s.w.s.u.m.OrServerWebExchangeMatcher : Trying to match using PathMatcherServerWebExchangeMatcher{pattern='/favicon.*', method=null}
2024-11-19T16:01:07.716Z DEBUG 1 --- [or-http-epoll-4] athPatternParserServerWebExchangeMatcher : Request 'GET /' doesn't match 'null /favicon.*'
2024-11-19T16:01:07.716Z DEBUG 1 --- [or-http-epoll-4] o.s.s.w.s.u.m.OrServerWebExchangeMatcher : No matches found
2024-11-19T16:01:07.716Z DEBUG 1 --- [or-http-epoll-4] .w.s.u.m.NegatedServerWebExchangeMatcher : matches = true
2024-11-19T16:01:07.716Z DEBUG 1 --- [or-http-epoll-4] .s.s.w.s.u.m.AndServerWebExchangeMatcher : Trying to match using MediaTypeRequestMatcher [matchingMediaTypes=[text/html], useEquals=false, ignoredMediaTypes=[*/*]]
2024-11-19T16:01:07.716Z DEBUG 1 --- [or-http-epoll-4] .s.u.m.MediaTypeServerWebExchangeMatcher : httpRequestMediaTypes=[]
2024-11-19T16:01:07.716Z DEBUG 1 --- [or-http-epoll-4] .s.u.m.MediaTypeServerWebExchangeMatcher : Did not match any media types
2024-11-19T16:01:07.716Z DEBUG 1 --- [or-http-epoll-4] .s.s.w.s.u.m.AndServerWebExchangeMatcher : Did not match
2024-11-19T16:01:07.716Z DEBUG 1 --- [or-http-epoll-4] o.s.s.w.s.DefaultServerRedirectStrategy  : Redirecting to '/oauth2/authorization/azure'
2024-11-19T16:01:07.716Z DEBUG 1 --- [or-http-epoll-3] ebSessionServerSecurityContextRepository : No SecurityContext found in WebSession: 'org.springframework.session.web.server.session.SpringSessionWebSessionStore$SpringSessionWebSession@3a366ec'
2024-11-19T16:01:07.716Z DEBUG 1 --- [or-http-epoll-3] DelegatingServerAuthenticationEntryPoint : Trying to match using AndServerWebExchangeMatcher{matchers=[NegatedServerWebExchangeMatcher{matcher=org.springframework.security.config.web.server.ServerHttpSecurity$OAuth2LoginSpec$$Lambda$1252/0x00000008015542d8@1288d014}, NegatedServerWebExchangeMatcher{matcher=AndServerWebExchangeMatcher{matchers=[OrServerWebExchangeMatcher{matchers=[PathMatcherServerWebExchangeMatcher{pattern='/login', method=null}, PathMatcherServerWebExchangeMatcher{pattern='/favicon.ico', method=null}]}, AndServerWebExchangeMatcher{matchers=[NegatedServerWebExchangeMatcher{matcher=org.springframework.security.config.web.server.ServerHttpSecurity$OAuth2LoginSpec$$Lambda$1252/0x00000008015542d8@1288d014}, MediaTypeRequestMatcher [matchingMediaTypes=[application/xhtml+xml, image/*, text/html, text/plain], useEquals=false, ignoredMediaTypes=[*/*]]]}]}}]}
2024-11-19T16:01:07.716Z DEBUG 1 --- [or-http-epoll-3] .s.s.w.s.u.m.AndServerWebExchangeMatcher : Trying to match using NegatedServerWebExchangeMatcher{matcher=org.springframework.security.config.web.server.ServerHttpSecurity$OAuth2LoginSpec$$Lambda$1252/0x00000008015542d8@1288d014}
2024-11-19T16:01:07.716Z DEBUG 1 --- [or-http-epoll-3] .w.s.u.m.NegatedServerWebExchangeMatcher : matches = true
2024-11-19T16:01:07.716Z DEBUG 1 --- [or-http-epoll-3] .s.s.w.s.u.m.AndServerWebExchangeMatcher : Trying to match using NegatedServerWebExchangeMatcher{matcher=AndServerWebExchangeMatcher{matchers=[OrServerWebExchangeMatcher{matchers=[PathMatcherServerWebExchangeMatcher{pattern='/login', method=null}, PathMatcherServerWebExchangeMatcher{pattern='/favicon.ico', method=null}]}, AndServerWebExchangeMatcher{matchers=[NegatedServerWebExchangeMatcher{matcher=org.springframework.security.config.web.server.ServerHttpSecurity$OAuth2LoginSpec$$Lambda$1252/0x00000008015542d8@1288d014}, MediaTypeRequestMatcher [matchingMediaTypes=[application/xhtml+xml, image/*, text/html, text/plain], useEquals=false, ignoredMediaTypes=[*/*]]]}]}}
2024-11-19T16:01:07.716Z DEBUG 1 --- [or-http-epoll-3] .s.s.w.s.u.m.AndServerWebExchangeMatcher : Trying to match using OrServerWebExchangeMatcher{matchers=[PathMatcherServerWebExchangeMatcher{pattern='/login', method=null}, PathMatcherServerWebExchangeMatcher{pattern='/favicon.ico', method=null}]}
2024-11-19T16:01:07.716Z DEBUG 1 --- [or-http-epoll-3] o.s.s.w.s.u.m.OrServerWebExchangeMatcher : Trying to match using PathMatcherServerWebExchangeMatcher{pattern='/login', method=null}
2024-11-19T16:01:07.716Z DEBUG 1 --- [or-http-epoll-3] athPatternParserServerWebExchangeMatcher : Request 'GET /' doesn't match 'null /login'
2024-11-19T16:01:07.716Z DEBUG 1 --- [or-http-epoll-3] o.s.s.w.s.u.m.OrServerWebExchangeMatcher : Trying to match using PathMatcherServerWebExchangeMatcher{pattern='/favicon.ico', method=null}
2024-11-19T16:01:07.716Z DEBUG 1 --- [or-http-epoll-3] athPatternParserServerWebExchangeMatcher : Request 'GET /' doesn't match 'null /favicon.ico'
2024-11-19T16:01:07.716Z DEBUG 1 --- [or-http-epoll-3] o.s.s.w.s.u.m.OrServerWebExchangeMatcher : No matches found
2024-11-19T16:01:07.716Z DEBUG 1 --- [or-http-epoll-3] .s.s.w.s.u.m.AndServerWebExchangeMatcher : Did not match
2024-11-19T16:01:07.716Z DEBUG 1 --- [or-http-epoll-3] .w.s.u.m.NegatedServerWebExchangeMatcher : matches = true
2024-11-19T16:01:07.716Z DEBUG 1 --- [or-http-epoll-3] .s.s.w.s.u.m.AndServerWebExchangeMatcher : All requestMatchers returned true
2024-11-19T16:01:07.716Z DEBUG 1 --- [or-http-epoll-3] DelegatingServerAuthenticationEntryPoint : Match found! Executing org.springframework.security.web.server.authentication.RedirectServerAuthenticationEntryPoint@3fadfd7a
2024-11-19T16:01:07.716Z DEBUG 1 --- [or-http-epoll-3] .s.s.w.s.u.m.AndServerWebExchangeMatcher : Trying to match using OrServerWebExchangeMatcher{matchers=[PathMatcherServerWebExchangeMatcher{pattern='/**', method=GET}]}
2024-11-19T16:01:07.716Z DEBUG 1 --- [or-http-epoll-3] o.s.s.w.s.u.m.OrServerWebExchangeMatcher : Trying to match using PathMatcherServerWebExchangeMatcher{pattern='/**', method=GET}
2024-11-19T16:01:07.716Z DEBUG 1 --- [or-http-epoll-3] athPatternParserServerWebExchangeMatcher : Checking match of request : '/'; against '/**'
2024-11-19T16:01:07.716Z DEBUG 1 --- [or-http-epoll-3] o.s.s.w.s.u.m.OrServerWebExchangeMatcher : matched
2024-11-19T16:01:07.716Z DEBUG 1 --- [or-http-epoll-3] .s.s.w.s.u.m.AndServerWebExchangeMatcher : Trying to match using NegatedServerWebExchangeMatcher{matcher=OrServerWebExchangeMatcher{matchers=[PathMatcherServerWebExchangeMatcher{pattern='/favicon.*', method=null}]}}
2024-11-19T16:01:07.716Z DEBUG 1 --- [or-http-epoll-3] o.s.s.w.s.u.m.OrServerWebExchangeMatcher : Trying to match using PathMatcherServerWebExchangeMatcher{pattern='/favicon.*', method=null}
2024-11-19T16:01:07.716Z DEBUG 1 --- [or-http-epoll-3] athPatternParserServerWebExchangeMatcher : Request 'GET /' doesn't match 'null /favicon.*'
2024-11-19T16:01:07.716Z DEBUG 1 --- [or-http-epoll-3] o.s.s.w.s.u.m.OrServerWebExchangeMatcher : No matches found
2024-11-19T16:01:07.716Z DEBUG 1 --- [or-http-epoll-3] .w.s.u.m.NegatedServerWebExchangeMatcher : matches = true
2024-11-19T16:01:07.716Z DEBUG 1 --- [or-http-epoll-3] .s.s.w.s.u.m.AndServerWebExchangeMatcher : Trying to match using MediaTypeRequestMatcher [matchingMediaTypes=[text/html], useEquals=false, ignoredMediaTypes=[*/*]]
2024-11-19T16:01:07.716Z DEBUG 1 --- [or-http-epoll-3] .s.u.m.MediaTypeServerWebExchangeMatcher : httpRequestMediaTypes=[]
2024-11-19T16:01:07.716Z DEBUG 1 --- [or-http-epoll-3] .s.u.m.MediaTypeServerWebExchangeMatcher : Did not match any media types
2024-11-19T16:01:07.716Z DEBUG 1 --- [or-http-epoll-3] .s.s.w.s.u.m.AndServerWebExchangeMatcher : Did not match
2024-11-19T16:01:07.717Z DEBUG 1 --- [or-http-epoll-3] o.s.s.w.s.DefaultServerRedirectStrategy  : Redirecting to '/oauth2/authorization/azure'

It turned out the UserInfo returned by Azure had no email field in it.
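As an added illustration (not code from the issue or from the ODD Platform project), the snippet below models what `user-name-attribute: email` and `admin-principals` from the configuration above do with a userinfo document, and shows why a response with no `email` claim ends in an authentication failure rather than a usable principal. The two userinfo documents are constructed samples; the claim names follow standard OIDC.

```python
import json

# Values taken from the issue's auth.oauth2.client.azure configuration.
USER_NAME_ATTRIBUTE = "email"
ADMIN_ATTRIBUTE = "email"
ADMIN_PRINCIPALS = {"stefano.messina@uat.newglobe.education"}


def missing_claims(userinfo: dict, required=(USER_NAME_ATTRIBUTE, ADMIN_ATTRIBUTE)) -> list:
    """Pre-flight check: which configured attributes are absent or blank in userinfo."""
    missing = []
    for claim in dict.fromkeys(required):  # de-duplicate, keep order
        value = userinfo.get(claim)
        if not isinstance(value, str) or not value.strip():
            missing.append(claim)
    return missing


def resolve_principal(userinfo: dict, attribute: str = USER_NAME_ATTRIBUTE) -> str:
    """Select the principal name the way a user-name-attribute setting does.

    A missing or blank claim cannot produce a principal, so the login attempt
    fails; that is the situation behind the 'Invalid Credentials' error here.
    """
    if missing_claims(userinfo, (attribute,)):
        raise ValueError(
            f"userinfo has no usable '{attribute}' claim; "
            f"claims present: {sorted(userinfo)}"
        )
    return userinfo[attribute]


def is_admin(userinfo: dict) -> bool:
    """The admin-attribute value must be listed in admin-principals."""
    return userinfo.get(ADMIN_ATTRIBUTE) in ADMIN_PRINCIPALS


# Constructed sample: a userinfo document with no 'email' claim, the shape the
# issue describes Azure returning for this user.
USERINFO_WITHOUT_EMAIL = json.loads(
    '{"sub": "constructed-subject-id", "name": "Jane Doe", '
    '"preferred_username": "jane.doe@example.test"}'
)
# Constructed sample that does carry the configured attribute.
USERINFO_WITH_EMAIL = json.loads(
    '{"sub": "constructed-subject-id", "name": "Stefano Messina", '
    '"email": "stefano.messina@uat.newglobe.education"}'
)

if __name__ == "__main__":
    print("missing in Azure-style response:", missing_claims(USERINFO_WITHOUT_EMAIL))
    print("principal:", resolve_principal(USERINFO_WITH_EMAIL), "admin:", is_admin(USERINFO_WITH_EMAIL))
```

Running `missing_claims` over a real userinfo response from the configured `user-info-uri` before rollout tells you whether the chosen `user-name-attribute` and `admin-attribute` will ever resolve.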