@Alexander Bokovoy
Thanks, I already managed to get those oidc_child logs working; my mistake was using the command
journalctl --follow /usr/libexec/ipa/ipa-otpd instead of journalctl -u
'ipa-otpd@*'. The first one does not show entries for the oidc_child module.
However, I still have an issue with making everything work the correct way. Right now in the logs I see the
debug output from oidc_child as follows:
---
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: oidc_child started.
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: Running with effective IDs:
[0][0].
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: Running with real IDs [0][0].
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: POST data:
[client_id=cbc0bcde-3e55-4b12-9916-bdda0b706953&scope=openid%20email].
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: libcurl: * Trying
40.126.32.134:443...
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: libcurl: * Connected to
login.microsoftonline.com (40.126.32.134) port 443 (#0)
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: libcurl: * ALPN: offers h2
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: libcurl: * ALPN: offers http/1.1
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: libcurl: * CAfile:
/etc/pki/tls/certs/ca-bundle.crt
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: libcurl: * CApath: none
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: libcurl: * TLSv1.0 (OUT), TLS
header, Certificate Status (22):
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: libcurl: * TLSv1.3 (OUT), TLS
handshake, Client hello (1):
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: libcurl: * TLSv1.2 (IN), TLS
header, Certificate Status (22):
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: libcurl: * TLSv1.3 (IN), TLS
handshake, Server hello (2):
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: libcurl: * TLSv1.2 (IN), TLS
handshake, Certificate (11):
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: libcurl: * TLSv1.2 (IN), TLS
handshake, Server key exchange (12):
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: libcurl: * TLSv1.2 (IN), TLS
handshake, Server finished (14):
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: libcurl: * TLSv1.2 (OUT), TLS
header, Certificate Status (22):
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: libcurl: * TLSv1.2 (OUT), TLS
handshake, Client key exchange (16):
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: libcurl: * TLSv1.2 (OUT), TLS
header, Finished (20):
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: libcurl: * TLSv1.2 (OUT), TLS
change cipher, Change cipher spec (1):
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: libcurl: * TLSv1.2 (OUT), TLS
header, Certificate Status (22):
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: libcurl: * TLSv1.2 (OUT), TLS
handshake, Finished (20):
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: libcurl: * TLSv1.2 (IN), TLS
header, Finished (20):
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: libcurl: * TLSv1.2 (IN), TLS
header, Certificate Status (22):
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: libcurl: * TLSv1.2 (IN), TLS
handshake, Finished (20):
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: libcurl: * SSL connection using
TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: libcurl: * ALPN: server did not
agree on a protocol. Uses default.
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: libcurl: * Server certificate:
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: libcurl: * subject: C=US;
ST=Washington; L=Redmond; O=Microsoft Corporation;
CN=stamp2.login.microsoftonline.com
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: libcurl: * start date: Nov 23
00:00:00 2022 GMT
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: libcurl: * expire date: Nov 23
23:59:59 2023 GMT
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: libcurl: * subjectAltName: host
"login.microsoftonline.com" matched cert's
"login.microsoftonline.com"
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: libcurl: * issuer: C=US;
O=DigiCert Inc; CN=DigiCert SHA2 Secure Server CA
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: libcurl: * SSL certificate verify
ok.
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: libcurl: * TLSv1.2 (OUT), TLS
header, Supplemental data (23):
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: libcurl: > POST
/tribecloud.io/oauth2/v2.0/devicecode HTTP/1.1
Host:
login.microsoftonline.com
User-Agent: SSSD oidc_child/0.0
Accept: application/json
Content-Length: 67
Content-Type:
application/x-www-form-urlencoded
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: libcurl: * TLSv1.2 (IN), TLS
header, Supplemental data (23):
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: libcurl: * Mark bundle as not
supporting multiuse
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: libcurl: < HTTP/1.1 200 OK
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: libcurl: < Cache-Control:
no-store, no-cache
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: libcurl: < Pragma: no-cache
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: libcurl: < Content-Type:
application/json; charset=utf-8
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: libcurl: < Expires: -1
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: libcurl: <
Strict-Transport-Security: max-age=31536000; includeSubDomains
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: libcurl: <
X-Content-Type-Options: nosniff
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: libcurl: < P3P: CP="DSP
CUR OTPi IND OTRi ONL FIN"
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: libcurl: < x-ms-request-id:
014b3632-ddc0-4839-9c72-0e2db29e5801
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: libcurl: < x-ms-ests-server:
2.1.14357.8 - WUS2 ProdSlices
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: libcurl: < X-XSS-Protection: 0
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: libcurl: < Set-Cookie:
fpc=As0myY4HXlRGqToBI5iddslFIKkQAQAAAHgaW9sOAAAA; expires=Sat, 18-Feb-2023 11:03:21 GMT;
path=/; secure; HttpOnly; SameSite=None
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: libcurl: < Set-Cookie:
esctx=PAQABAAEAAAD--DLA3VO7QrddgJg7Wevr2WDnL_0XB-iwfnnong0trzC_uc3OCM3WPjG4ZFSjA9kHMyjRbq1j8NNF624I23jb-u_xnjvRjxWf_XBJAaNoAOomKrBE4WMayXpxS8c5_D5tnCwBFbiULEn4YmrEJZ0L0a8ZHk-BbJvvabchoBhXf6kZAicLv_9y0FfwXrYR__sgAA;
domain=.login.microsoftonline.c>
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: libcurl: < Set-Cookie:
x-ms-gateway-slice=estsfd; path=/; secure; samesite=none; httponly
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: libcurl: < Set-Cookie:
stsservicecookie=estsfd; path=/; secure; samesite=none; httponly
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: libcurl: < Date: Thu, 19 Jan
2023 11:03:20 GMT
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: libcurl: < Content-Length: 473
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: libcurl: <
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]:
{"user_code":"RN8FF7RAW","device_code":"RAQABAAEAAAD--DLA3VO7QrddgJg7WevrhWWyMWUqb27PqWs7AaRbX408sSEVj4BDOkIs8KP95SdjheVqqoVQx7xfnvZ5Qjk8W0zlA2iYKbFBMYq6uNAmN57CO9BOEB74yYc0NCoyOskYWELFeXPqlDUuG0BdWxVqMQjD1SXNv_Y5MlhiZWmjDcxZ3viKjOlT4H7QXnQO-tsgAA","verification_uri":">
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: libcurl: * Connection #0 to host
login.microsoftonline.com left intact
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: Result does not contain the
'verification_uri_complete' string.
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: user_code: [RN8FF7RAW].
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: verification_uri:
[https://microsoft.com/devicelogin].
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: verification_uri_complete: [-].
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: message: [To sign in, use a web
browser to open the page
https://microsoft.com/devicelogin and enter the code RN8FF7RAW to
authenticate.].
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: device_code:
[RAQABAAEAAAD--DLA3VO7QrddgJg7WevrhWWyMWUqb27PqWs7AaRbX408sSEVj4BDOkIs8KP95SdjheVqqoVQx7xfnvZ5Qjk8W0zlA2iYKbFBMYq6uNAmN57CO9BOEB74yYc0NCoyOskYWELFeXPqlDUuG0BdWxVqMQjD1SXNv_Y5MlhiZWmjDcxZ3viKjOlT4H7QXnQO-tsgAA].
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: expires_in: [900].
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: interval: [5].
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: POST data:
[grant_type=urn:ietf:params:oauth:grant-type:device_code&client_id=cbc0bcde-3e55-4b12-9916-bdda0b706953&device_code=RAQABAAEAAAD--DLA3VO7QrddgJg7WevrhWWyMWUqb27PqWs7AaRbX408sSEVj4BDOkIs8KP95SdjheVqqoVQx7xfnvZ5Qjk8W0zlA2iYKbFBMYq6uNAmN57CO9BOEB74yYc0NCoyOskYW>
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: libcurl: * Trying
20.190.160.17:443...
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: libcurl: * Connected to
login.microsoftonline.com (20.190.160.17) port 443 (#0)
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: libcurl: * ALPN: offers h2
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: libcurl: * ALPN: offers http/1.1
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: libcurl: * CAfile:
/etc/pki/tls/certs/ca-bundle.crt
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: libcurl: * CApath: none
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: libcurl: * TLSv1.0 (OUT), TLS
header, Certificate Status (22):
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: libcurl: * TLSv1.3 (OUT), TLS
handshake, Client hello (1):
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: libcurl: * TLSv1.2 (IN), TLS
header, Certificate Status (22):
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: libcurl: * TLSv1.3 (IN), TLS
handshake, Server hello (2):
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: libcurl: * TLSv1.2 (IN), TLS
handshake, Certificate (11):
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: libcurl: * TLSv1.2 (IN), TLS
handshake, Server key exchange (12):
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: libcurl: * TLSv1.2 (IN), TLS
handshake, Server finished (14):
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: libcurl: * TLSv1.2 (OUT), TLS
header, Certificate Status (22):
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: libcurl: * TLSv1.2 (OUT), TLS
handshake, Client key exchange (16):
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: libcurl: * TLSv1.2 (OUT), TLS
header, Finished (20):
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: libcurl: * TLSv1.2 (OUT), TLS
change cipher, Change cipher spec (1):
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: libcurl: * TLSv1.2 (OUT), TLS
header, Certificate Status (22):
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: libcurl: * TLSv1.2 (OUT), TLS
handshake, Finished (20):
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: libcurl: * TLSv1.2 (IN), TLS
header, Finished (20):
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: libcurl: * TLSv1.2 (IN), TLS
header, Certificate Status (22):
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: libcurl: * TLSv1.2 (IN), TLS
handshake, Finished (20):
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: libcurl: * SSL connection using
TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: libcurl: * ALPN: server did not
agree on a protocol. Uses default.
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: libcurl: * Server certificate:
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: libcurl: * subject: C=US;
ST=Washington; L=Redmond; O=Microsoft Corporation;
CN=stamp2.login.microsoftonline.com
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: libcurl: * start date: Nov 23
00:00:00 2022 GMT
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: libcurl: * expire date: Nov 23
23:59:59 2023 GMT
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: libcurl: * subjectAltName: host
"login.microsoftonline.com" matched cert's
"login.microsoftonline.com"
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: libcurl: * issuer: C=US;
O=DigiCert Inc; CN=DigiCert SHA2 Secure Server CA
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: libcurl: * SSL certificate verify
ok.
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: libcurl: * TLSv1.2 (OUT), TLS
header, Supplemental data (23):
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: libcurl: > POST
/tribecloud.io/oauth2/v2.0/token HTTP/1.1
Host:
login.microsoftonline.com
User-Agent: SSSD oidc_child/0.0
Accept: application/json
Content-Length: 322
Content-Type:
application/x-www-form-urlencoded
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: libcurl: * TLSv1.2 (IN), TLS
header, Supplemental data (23):
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: libcurl: * Mark bundle as not
supporting multiuse
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: libcurl: < HTTP/1.1 400 Bad
Request
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: libcurl: < Cache-Control:
no-store, no-cache
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: libcurl: < Pragma: no-cache
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: libcurl: < Content-Type:
application/json; charset=utf-8
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: libcurl: < Expires: -1
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: libcurl: <
Strict-Transport-Security: max-age=31536000; includeSubDomains
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: libcurl: <
X-Content-Type-Options: nosniff
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: libcurl: < P3P: CP="DSP
CUR OTPi IND OTRi ONL FIN"
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: libcurl: < x-ms-request-id:
c5c67625-69b8-4630-b214-c3f13a92ea01
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: libcurl: < x-ms-ests-server:
2.1.14357.8 - WUS2 ProdSlices
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: libcurl: < X-XSS-Protection: 0
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: libcurl: < Set-Cookie:
fpc=AlWBH3O1bZdElx1faSMFzDo; expires=Sat, 18-Feb-2023 11:03:21 GMT; path=/; secure;
HttpOnly; SameSite=None
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: libcurl: < Set-Cookie:
x-ms-gateway-slice=estsfd; path=/; secure; samesite=none; httponly
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: libcurl: < Set-Cookie:
stsservicecookie=estsfd; path=/; secure; samesite=none; httponly
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: libcurl: < Date: Thu, 19 Jan
2023 11:03:21 GMT
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: libcurl: < Content-Length: 510
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: libcurl: <
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]:
{"error":"authorization_pending","error_description":"AADSTS70016:
OAuth 2.0 device flow error. Authorization is pending. Continue polling.\r\nTrace ID:
c5c67625-69b8-4630-b214-c3f13a92ea01\r\nCorrelation ID:
dd042106-e670-49b0-8ea2-a625faf3e5e9\r\nTimestamp: 2023-01-1>
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: libcurl: * Connection #0 to host
login.microsoftonline.com left intact
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: oidc_child finished successful!
Jan 19 12:03:21 server.ipademo.local ipa-otpd[10229]: testuser1@IPADEMO.LOCAL: Received:
[{"device_code":"RAQABAAEAAAD--DLA3VO7QrddgJg7WevrhWWyMWUqb27PqWs7AaRbX408sSEVj4BDOkIs8KP95SdjheVqqoVQx7xfnvZ5Qjk8W0zlA2iYKbFBMYq6uNAmN57CO9BOEB74yYc0NCoyOskYWELFeXPqlDUuG0BdWxVqMQjD1SXNv_Y5MlhiZWmjDcxZ3viKjOlT4H7QXnQO-tsgAA","expires_i>
Jan 19 12:03:21 server.ipademo.local ipa-otpd[10229]: oauth2
{"verification_uri": "https://microsoft.com/devicelogin",
"user_code": "RN8FF7RAW"}
Jan 19 12:03:21 server.ipademo.local ipa-otpd[10229]: ]
Jan 19 12:03:21 server.ipademo.local ipa-otpd[10229]: oauth2.c:088: Child finished with
status [0].
Jan 19 12:03:21 server.ipademo.local ipa-otpd[10229]: testuser1@IPADEMO.LOCAL: sent: 0
data: 371
Jan 19 12:03:21 server.ipademo.local ipa-otpd[10229]: testuser1@IPADEMO.LOCAL: ..sent: 371
data: 371
Jan 19 12:03:21 server.ipademo.local ipa-otpd[10229]: testuser1@IPADEMO.LOCAL: response
sent: Access-Challenge
Jan 19 12:03:21 server.ipademo.local ipa-otpd[10229]: Socket closed, shutting down...
Jan 19 12:03:21 server.ipademo.local systemd[1]: ipa-otpd@15-9208-0.service: Deactivated
successfully.
---
About my Azure AD app: the OAuth endpoint is public. I've also tried to do the
same flow via Postman and I got an answer together with a token:
I'm just sending a POST
to
https://login.microsoftonline.com/tribecloud.io/oauth2/v2.0/devicecode
with parameters like client_id and scope (no secret key, as it is a public endpoint), then
I get this response:
---
{
"user_code": "EQPA5W6ET",
"device_code":
"EAQABAAEAAAD--DLA3VO7QrddgJg7Wevr0elsjKu9xwm7ajAtm02ZjMk2iGKqXSCo6IUOZhvxhcbkdpvx743zNy6rJDoQpZUxwqoODVdbdqsfd_F_zg5lnwQ5Iub1eHrSyOpges6llmDXaTtDzVToHEsRPdSHN7L35SVTworyaAaESoj9DgL6NdFMewFgOSDO-ExewV-dGTYgAA",
"verification_uri": "https://microsoft.com/devicelogin",
"expires_in": 900,
"interval": 5,
"message": "To sign in, use a web browser to open the page
https://microsoft.com/devicelogin and enter the code EQPA5W6ET to authenticate."
}
---
Then I'm going to
https://microsoft.com/devicelogin and I'm successfully
logging in to Azure, and then I'm doing another POST to
https://login.microsoftonline.com/tribecloud.io/oauth2/v2.0/token with
grant_type = urn:ietf:params:oauth:grant-type:device_code
client_id = <MY CLIENT ID>
device_code = the one from above
(EAQABAAEAAAD--DLA3VO7QrddgJg7Wevr0elsjKu9xwm7ajAtm02ZjMk2iGKqXSCo6IUOZhvxhcbkdpvx743zNy6rJDoQpZUxwqoODVdbdqsfd_F_zg5lnwQ5Iub1eHrSyOpges6llmDXaTtDzVToHEsRPdSHN7L35SVTworyaAaESoj9DgL6NdFMewFgOSDO-ExewV-dGTYgAA)
and I get this response:
---
{
"token_type": "Bearer",
"scope": "email openid profile",
"expires_in": 4701,
"ext_expires_in": 4701,
"access_token": "<JWT elided>",
"id_token": "<JWT elided>"
}
---
So I'm pretty sure that the OAuth 2.0 endpoint is working and the issue
exists on the FreeIPA server rather than in the Azure AD config.
From the logs I see that this oidc_child is doing something very similar:
---
POST data:
[grant_type=urn:ietf:params:oauth:grant-type:device_code&client_id=cbc0bcde-3e55-4b12-9916-bdda0b706953&device_code=RAQABAAEAAAD--DLA3VO7QrddgJg7WevrhWWyMWUqb27PqWs7AaRbX408sSEVj4BDOkIs8KP95SdjheVqqoVQx7xfnvZ5Qjk8W0zlA2iYKbFBMYq6uNAmN57CO9BOEB74yYc0NCoyOskYW
---
but in response I see:
---
libcurl: < HTTP/1.1 400 Bad Request
---
and eventually
---
{"error":"authorization_pending","error_description":"AADSTS70016:
OAuth 2.0 device flow error. Authorization is pending. Continue polling.\r\nTrace ID:
c5c67625-69b8-4630-b214-c3f13a92ea01\r\nCorrelation ID:
dd042106-e670-49b0-8ea2-a625faf3e5e9\r\nTimestamp: 2023-01-19
11:03:21Z","error_codes":[70016],"timestamp":"2023-01-19
11:03:21Z","trace_id":"c5c67625-69b8-4630-b214-c3f13a92ea01","correlation_id":"dd042106-e670>
---
So it looks like oidc is doing a similar request to mine via Postman, but
for some reason the response is 400 instead of a token.
There is no real problem in the logs you show above. It is normal
behavior in that the OAuth 2.0 server expects us to try multiple times until the
authorization by the user is done.
"Continue polling" is fine -- we will just continue checking three times
with a 5 second timeout each, i.e. 15 seconds.
Are you getting the authorization completed in that time?
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
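As an added illustration of the polling behaviour discussed in this thread (example code, not SSSD's oidc_child or FreeIPA's ipa-otpd), here is a Python device-flow poller run against a constructed stand-in for the token endpoint: it treats the HTTP 400 / authorization_pending reply seen in the logs as "keep waiting", backs off on slow_down, and stops after a bounded number of attempts, so a user who takes longer than the 3 x 5 s budget mentioned above gets no token in that round even though the device code itself stays valid for 900 s. The endpoint URL and the AADSTS70016 body shape are taken from the thread; the client id, device code and token values are placeholders.

```python
"""Device-authorization-grant poller (RFC 8628) modelled on the oidc_child exchange above.

Added example, not SSSD/FreeIPA code. An HTTP 400 with "error": "authorization_pending"
is the expected reply while the user has not yet finished at the verification_uri;
only a terminal error or the attempt budget should stop the loop.
"""
import json
import time
from typing import Callable, Dict, Tuple

TOKEN_URL = "https://login.microsoftonline.com/tribecloud.io/oauth2/v2.0/token"  # from the thread
GRANT = "urn:ietf:params:oauth:grant-type:device_code"

# Poster signature: (url, form dict) -> (http status, decoded JSON body).
Poster = Callable[[str, Dict[str, str]], Tuple[int, dict]]


def poll_device_token(post: Poster, client_id: str, device_code: str,
                      interval: int, expires_in: int, max_attempts: int,
                      sleep: Callable[[float], None] = time.sleep) -> dict:
    """Poll the token endpoint until a token, a terminal error, or the attempt budget runs out."""
    form = {"grant_type": GRANT, "client_id": client_id, "device_code": device_code}
    elapsed = 0      # seconds spent waiting so far
    attempt = 0
    for attempt in range(1, max_attempts + 1):
        status, body = post(TOKEN_URL, form)
        if status == 200 and "access_token" in body:
            return {"outcome": "token", "attempts": attempt, "token_type": body.get("token_type")}
        err = body.get("error")
        if err == "authorization_pending":
            pass                      # user has not entered the code yet: keep polling
        elif err == "slow_down":
            interval += 5             # RFC 8628 section 3.5: back off by 5 s
        else:
            # expired_token, access_denied, invalid_grant, ... are terminal
            return {"outcome": "error", "error": err, "attempts": attempt}
        if attempt == max_attempts or elapsed + interval > expires_in:
            break                     # out of attempts, or the device code would expire first
        sleep(interval)
        elapsed += interval
    return {"outcome": "pending", "attempts": attempt, "waited": elapsed}


def make_fake_endpoint(pending_replies: int) -> Poster:
    """Constructed stand-in for login.microsoftonline.com: 'pending' N times, then a token."""
    calls = {"n": 0}

    def post(url: str, form: Dict[str, str]) -> Tuple[int, dict]:
        assert form["grant_type"] == GRANT and form["device_code"]
        calls["n"] += 1
        if calls["n"] <= pending_replies:
            # Shape taken from the AADSTS70016 reply in the logs above (trace ids omitted).
            return 400, json.loads('{"error":"authorization_pending",'
                                   '"error_description":"AADSTS70016: OAuth 2.0 device flow '
                                   'error. Authorization is pending. Continue polling."}')
        return 200, {"token_type": "Bearer", "scope": "email openid profile",
                     "expires_in": 4701, "access_token": "<constructed>"}

    return post


if __name__ == "__main__":
    no_sleep = lambda s: None
    # User finishes the browser login after two polls: fits within the 3-attempt budget.
    print(poll_device_token(make_fake_endpoint(2), "<client_id>", "<device_code>",
                            interval=5, expires_in=900, max_attempts=3, sleep=no_sleep))
    # User takes longer than 15 s: every reply is 400/authorization_pending, so no token.
    print(poll_device_token(make_fake_endpoint(10), "<client_id>", "<device_code>",
                            interval=5, expires_in=900, max_attempts=3, sleep=no_sleep))
```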