SSO Azure AD: Failed to parse server response #8
Comments
|
Hey, This part is handled by the There is some workaround mentioned but at the moment I do not expect to integrate it in the PR since the review is already half blocked due to the complexity. |
|
What a pity that Microsoft is again unable to follow the standards. All the best for the PR, brings vaultwarden a big step forward. |
|
@Timshel Would it be worthwhile for me to look into e.g. Keycloak to relay the authentication to Azure AD and play middleman between Vaultwarden and Azure AD? |
I don't have any input on it other than :
|
|
Great success. I used Keycloak as Identity broker and it worked like a charm. It was sufficient to add Entra ID as default Identity Provider and Vaultwarden as client. in Keycloak. And voila, everything fine. So from my point of view I am fine with the solution as Microsoft didn't fix it for over 3 years and so we dont have to add additional burdens on the PR. Hopefully the solution will also be helpful to others who use (or must use) Entra ID as an identity provider. |
|
This is weird, I'm using Entra ID with my setup and it's works, quite well. I've got 25 users and we have the setting to requirec login with sso. |
Did you also use the image simonc/vaultwarden:latest for testing? |
|
I built my own image from source. Months ago I originally started with an earlier version of the SSO pr and updated it but I'm pretty sure I'm just using the code from this repo. This was the last time I pulled the code, I was swapping branches so I could compare/reconcile the db migrations. |
|
Interesting, do you also use the same endpoint? SSO_AUTHORITY=https://sts.windows.net/Entra-ID/ |
|
Ah no I'm using the one starting with |
|
I checked the config and I'm using |
|
Was referred to this thread. Is it just a matter of using https://login.microsoftonline.com/tenantguid/v2.0 We have access to premier support, I can try to open a ticket on this with Microsoft but I don't have a clear understanding of what is amiss at the AzureAD side. |
|
It seems so, that the v2 endpoint https://login.microsoftonline.com/tenantguid/v2.0 should work. (https://learn.microsoft.com/en-us/entra/fundamentals/how-to-find-tenant) |
|
Awesome, it works <:o) .env So its the magic of v2 endpoint at https://login.microsoftonline.com/tenantguid/v2.0 |
|
Great result. We should perhaps update the doc in the pr to give the tip regarding entra id, make sure you use the v2 endpoint. |
|
As far as I am aware v1 should only be used for Entra Id specific applications anyway. Microsoft itself recommends to only use v2 for external applications and uses that one mainly in their documentation. |
|
Ah, then it's not worth opening a ticket with Microsoft about this. We use this base url for other types of flows as well. It's a bit awkward but it does work. Will try to verify as well. |
https://learn.microsoft.com/en-us/entra/identity-platform/v2-protocols-oidc If you follow the guide it will point you to the v2 endpoint. |
|
Some hint in the doc would be great to minimize support requests. Easiest way to retrieve the individual v2 endpoint: https://entra.microsoft.com/ |
|
@sandervandegeijn So far it works for all of us. Did you have time to verify it on your side? |
|
Not entirely, I think our IAM-team forgot to check one option on the Azure side. Unfortunately I can't change this myself and it's new years eve this weekend. Give me a couple of days :) |
|
The scopes in the docs were very helpful, but I'm still running into a problem: 
We have configured the scopes as per the docs, but running into this error. Clicking the return to application gives a 404 and errors in the logs: │ [2024-01-02 08:50:57.507][vaultwarden::api::identity::][WARN] Query string failed to match route declaration. │ |
|
For us in the enterprise app permissions it was fine to only set as below. Didnt touch scopes at all.
|
|
It was de admin that needed to set the right consent property. After that, it's working like a charm! The only exception is that the return url in the error screens goes to a page that doesn't exist on vaultwarden. |
|
Great. Which return urls in which error screens? |
|
The bottom link in this screenshot:
Returns to vaulwarden but gives a 404. |
|
Shouldnt that link redirct to Entra ID to confirm as global administrator the application for all users? When the consent is set right, the message above should never appear and no user get bothered with it, or? |
|
It's not visible in the default flow idd, it only shows when there is an error. The link points to: https://vaultwarden.url/identity/connect/oidc-signin?error=access_denied&error_subcode=cancel&state=xxxxxx |
No idea why, but same behavior (using the v2.0 endpoint). Also tried using Did I miss simething or do you guys also face this problem? |
Yes the endpoint was made to handle only the happy case. @ArturKokoszka it appears the exchange of the return code for the id_token and access_token fail. |
|
Sorry for bothering you, I just recreated secret in Entra and the new value worked like a charm. Probably the old one contained a problematic character that wasn't properly parsed on some stage or something. |
Do you still have the old secret value ? I could test it to check if I find a failure.
Yes the |
|
Hey, As mentioned the cleaner version relies on another patch to the frontend so you'll have to run the |
|
No, sorry, I don't have the old value, but I remember that it contained a dot |
|
This seems okay on my side. |
|
@Kofl working on your side ? :) |
|
@Timshel all working fine, thanks |
Hi,
really, really great work on the SSO integration of Vaultwarden.
I try to test the implementation with Azure AD (Entra ID), redirect via login to Microsoft works fine, also redirect back, but then it hangs on Logging in and error log shows:
Setup below, can I increase the verbose output somehow?
Thanks
published via Caddy https reverse proxy on https://vault.mydomain.com
.env
As redirect URL on Azure AD: https://vault.mydomain.com/identity/connect/oidc-signin is used.
The text was updated successfully, but these errors were encountered: