Troubleshooting OIDC Setup with Azure: Verifying Scopes and Missing Azure Configuration

Original Slack Thread

Hi, trying to set up OIDC with Azure, and getting an error message:
2023-11-08 11:48:15,551 [application-akka.actor.default-dispatcher-13] ERROR controllers.AuthenticationController - Caught exception while attempting to redirect to SSO identity provider! It's likely that SSO integration is mis-configured
I’ve tried:
:white_check_mark: Confirming the callback URL is correct in .env and on Azure setup
:white_check_mark: Successfully curling the discovery URL from where datahub-frontend container is running
:white_check_mark: Double checked that all env and secrets are present, correct and available
:white_check_mark: Checked scopes supported, and they cover the scopes set in scope env file
Not sure what else to check. I don’t have access to the Azure setup myself, but I have contact with the person in charge there. Any ideas on what to try next?

Anybody who knows?

Hey Petter, apologies for the delayed response here! This thread might be relevant https://datahubspace.slack.com/archives/C029A3M079U/p1697698280275589

Or perhaps this one https://datahubspace.slack.com/archives/C029A3M079U/p1689679171836099

Hmm, not finding the solution in either of these. After enabling the verbose logging I get some extra information:
The scope must include an "openid" value at
My configuration looks like this, which checks out with the Azure configuration:
AUTH_OIDC_SCOPE="openid profile email"
Any thoughts?

Full error:
2023-11-21 11:26:58,777 [application-akka.actor.default-dispatcher-9] ERROR controllers.AuthenticationController - Caught exception while attempting to redirect to SSO identity provider! It's likely that SSO integration is mis-configured
org.pac4j.core.exception.TechnicalException: com.nimbusds.oauth2.sdk.ParseException: The scope must include an "openid" value at org.pac4j.oidc.redirect.OidcRedirectionActionBuilder.buildAuthenticationRequestUrl(OidcRedirectionActionBuilder.java:125) at org.pac4j.oidc.redirect.OidcRedirectionActionBuilder.getRedirectionAction(OidcRedirectionActionBuilder.java:83) at org.pac4j.core.client.IndirectClient.getRedirectionAction(IndirectClient.java:110) at controllers.AuthenticationController.redirectToIdentityProvider(AuthenticationController.java:284) at controllers.AuthenticationController.authenticate(AuthenticationController.java:105) at router.Routes$$anonfun$routes$1.$anonfun$applyOrElse$11(Routes.scala:609) at play.core.routing.HandlerInvokerFactory$$anon$8.resultCall(HandlerInvoker.scala:150) at play.core.routing.HandlerInvokerFactory$$anon$8.resultCall(HandlerInvoker.scala:149) at play.core.routing.HandlerInvokerFactory$JavaActionInvokerFactory$$anon$3$$anon$4$$anon$5.invocation(HandlerInvoker.scala:115) at play.core.j.JavaAction$$anon$1.call(JavaAction.scala:119) at play.http.DefaultActionCreator$1.call(DefaultActionCreator.java:33) at play.core.j.JavaAction.$anonfun$apply$8(JavaAction.scala:175) at scala.concurrent.Future$.$anonfun$apply$1(Future.scala:659) at scala.util.Success.$anonfun$map$1(Try.scala:255) at scala.util.Success.map(Try.scala:213) at scala.concurrent.Future.$anonfun$map$1(Future.scala:292) at scala.concurrent.impl.Promise.liftedTree1$1(Promise.scala:33) at scala.concurrent.impl.Promise.$anonfun$transform$1(Promise.scala:33) at scala.concurrent.impl.CallbackRunnable.run(Promise.scala:64) at play.core.j.HttpExecutionContext.$anonfun$execute$1(HttpExecutionContext.scala:64) at 
play.api.libs.streams.Execution$trampoline$.execute(Execution.scala:70) at play.core.j.HttpExecutionContext.execute(HttpExecutionContext.scala:59) at scala.concurrent.impl.CallbackRunnable.executeWithValue(Promise.scala:72) at scala.concurrent.impl.Promise$KeptPromise$Kept.onComplete(Promise.scala:372) at scala.concurrent.impl.Promise$KeptPromise$Kept.onComplete$(Promise.scala:371) at scala.concurrent.impl.Promise$KeptPromise$Successful.onComplete(Promise.scala:379) at scala.concurrent.impl.Promise.transform(Promise.scala:33) at scala.concurrent.impl.Promise.transform$(Promise.scala:31) at scala.concurrent.impl.Promise$KeptPromise$Successful.transform(Promise.scala:379) at scala.concurrent.Future.map(Future.scala:292) at scala.concurrent.Future.map$(Future.scala:292) at scala.concurrent.impl.Promise$KeptPromise$Successful.map(Promise.scala:379) at scala.concurrent.Future$.apply(Future.scala:659) at play.core.j.JavaAction.apply(JavaAction.scala:176) at play.api.mvc.Action.$anonfun$apply$4(Action.scala:82) at play.api.libs.streams.StrictAccumulator.$anonfun$mapFuture$4(Accumulator.scala:168) at scala.util.Try$.apply(Try.scala:213) at play.api.libs.streams.StrictAccumulator.$anonfun$mapFuture$3(Accumulator.scala:168) at play.api.libs.streams.StrictAccumulator.run(Accumulator.scala:199) at play.core.server.AkkaHttpServer.$anonfun$runAction$4(AkkaHttpServer.scala:423) at akka.http.scaladsl.util.FastFuture$.strictTransform$1(FastFuture.scala:41) at akka.http.scaladsl.util.FastFuture$.$anonfun$transformWith$3(FastFuture.scala:51) at scala.concurrent.impl.CallbackRunnable.run(Promise.scala:64) at akka.dispatch.BatchingExecutor$AbstractBatch.processBatch(BatchingExecutor.scala:63) at akka.dispatch.BatchingExecutor$BlockableBatch.$anonfun$run$1(BatchingExecutor.scala:100) at scala.runtime.java8.JFunction0$mcV$sp.apply(JFunction0$mcV$sp.java:23) at scala.concurrent.BlockContext$.withBlockContext(BlockContext.scala:85) at 
akka.dispatch.BatchingExecutor$BlockableBatch.run(BatchingExecutor.scala:100) at akka.dispatch.TaskInvocation.run(AbstractDispatcher.scala:49) at akka.dispatch.ForkJoinExecutorConfigurator$AkkaForkJoinTask.exec(ForkJoinExecutorConfigurator.scala:48) at java.base/java.util.concurrent.ForkJoinTask.doExec(ForkJoinTask.java:290) at java.base/java.util.concurrent.ForkJoinPool$WorkQueue.topLevelExec(ForkJoinPool.java:1020) at java.base/java.util.concurrent.ForkJoinPool.scan(ForkJoinPool.java:1656) at java.base/java.util.concurrent.ForkJoinPool.runWorker(ForkJoinPool.java:1594) at java.base/java.util.concurrent.ForkJoinWorkerThread.run(ForkJoinWorkerThread.java:183)
Caused by: com.nimbusds.oauth2.sdk.ParseException: The scope must include an "openid" value at com.nimbusds.openid.connect.sdk.AuthenticationRequest.parse(AuthenticationRequest.java:1500) at com.nimbusds.openid.connect.sdk.AuthenticationRequest.parse(AuthenticationRequest.java:1423) at org.pac4j.oidc.redirect.OidcRedirectionActionBuilder.buildAuthenticationRequestUrl(OidcRedirectionActionBuilder.java:122) ... 56 common frames omitted

We have a new error:

2023-11-22 11:03:32,383 [application-akka.actor.default-dispatcher-11] DEBUG o.p.o.c.a.OidcAuthenticator - Token response: status=400, content={"error":"invalid_request","error_description":"AADSTS50146: This application is required to be configured with an application-specific signing key. It is either not configured with one, or the key has expired or is not yet valid. Trace ID: 604f5fcb-5816-4015-bee1-248b03e08f00 Correlation ID: c637af32-341d-43af-997e-d791167fd464 Timestamp: 2023-11-22 11:03:32Z","error_codes":[50146],"timestamp":"2023-11-22 11:03:32Z","trace_id":"604f5fcb-5816-4015-bee1-248b03e08f00","correlation_id":"c637af32-341d-43af-997e-d791167fd464","error_uri":"https://login.microsoftonline.com/error?code=50146","claims":"{\"access_token\":{\"capolids\":{\"essential\":true,\"values\":[\"bc624a2e-14a7-4522-b6fd-9b276518e256\"]}}}"}

Is this a problem in DataHub or the Azure SSO app?

<@U03MF8MU5P0> could you look into this? Thanks!

I’m afraid I don’t have access to the infrastructure necessary to debug your issue. The only source of information that I have is what is located in the documentation here: https://datahubproject.io/docs/authentication/guides/sso/configure-oidc-react-azure

It might be useful to compare the settings in the documentation vs your environment.

Circling back to this, we figured out the part that was missing was enabling the acceptMappedClaims in the Azure setup.
https://learn.microsoft.com/en-us/entra/identity-platform/jwt-claims-customization#update-the-application-manifest
Authentication is now working as intended for us :slightly_smiling_face:
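As an added example (not code from the thread, from DataHub or from pac4j), a small Python preflight that checks an AUTH_OIDC_SCOPE value the way the first error above requires it, against a constructed discovery document, and maps the AADSTS code out of a token error body like the second one. The discovery document, the function names and the hint text for code 50146 (taken from what the thread reports worked) are assumptions; a value that reaches the process with its quote characters intact splits into `"openid` rather than `openid`, which is one way a configuration that looks right can still fail this check.

```python
import json

# Constructed, abridged discovery document; not a real Azure response.
DISCOVERY_DOC = {
    "issuer": "https://login.microsoftonline.com/<tenant-id>/v2.0",
    "scopes_supported": ["openid", "profile", "email", "offline_access"],
}

# Token error body modelled on the one in the thread, trace/correlation IDs removed.
TOKEN_ERROR = json.dumps({
    "error": "invalid_request",
    "error_description": "AADSTS50146: This application is required to be configured "
                         "with an application-specific signing key.",
    "error_codes": [50146],
    "error_uri": "https://login.microsoftonline.com/error?code=50146",
})

# Hint table (assumption): only the code seen in the thread is mapped, with the fix
# the thread reports; anything else is left for the error_uri.
AADSTS_HINTS = {
    50146: "app-specific signing key required; in the thread this was resolved by "
           "enabling acceptMappedClaims in the Azure app manifest",
}


def check_scope(raw_scope, scopes_supported):
    """Return a list of problems with AUTH_OIDC_SCOPE as the process actually sees it."""
    problems = []
    # Quotes that survive env loading become part of the tokens and break matching.
    if any(q in raw_scope for q in "\"'"):
        problems.append("scope contains literal quote characters")
    tokens = raw_scope.split()
    # The OIDC SDK rejects the authentication request without this exact token.
    if "openid" not in tokens:
        problems.append('scope must include "openid"')
    unsupported = [t for t in tokens if t not in scopes_supported]
    if unsupported:
        problems.append(f"not in scopes_supported: {unsupported}")
    return problems


def classify_token_error(body):
    """Parse a token endpoint error body and attach a hint per AADSTS error code."""
    data = json.loads(body)
    codes = data.get("error_codes", [])
    hints = [AADSTS_HINTS.get(c, f"unmapped code; see {data.get('error_uri')}") for c in codes]
    return {"error": data.get("error"), "codes": codes, "hints": hints}
```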