@Alex, I already solved the issue. Everything is OK with FreeIPA; the problem was in Azure and
my user. I discovered that I didn't provide you a full log trace, look:
---
Jan 19 12:43:54 server.ipademo.local systemd[1]: Started ipa-otpd@20-9209-0.service -
ipa-otpd service (PID 9209/UID 0).
Jan 19 12:43:54 server.ipademo.local ipa-otpd[10326]: LDAP:
ldapi://%2Frun%2Fslapd-IPADEMO-LOCAL.socket
Jan 19 12:43:54 server.ipademo.local ipa-otpd[10326]: testuser1@IPADEMO.LOCAL: request
received
Jan 19 12:43:54 server.ipademo.local ipa-otpd[10326]: testuser1@IPADEMO.LOCAL: user query
start
Jan 19 12:43:54 server.ipademo.local ipa-otpd[10326]: testuser1@IPADEMO.LOCAL: user query
end: uid=testuser1,cn=users,cn=accounts,dc=ipademo,dc=local
Jan 19 12:43:54 server.ipademo.local ipa-otpd[10326]: testuser1@IPADEMO.LOCAL: idp query
start: cn=ad,cn=idp,dc=ipademo,dc=local
Jan 19 12:43:54 server.ipademo.local ipa-otpd[10326]: testuser1@IPADEMO.LOCAL: idp query
end: ad
Jan 19 12:43:54 server.ipademo.local ipa-otpd[10326]: testuser1@IPADEMO.LOCAL: oauth2
start: Get access token
Jan 19 12:43:54 server.ipademo.local oidc_child[10327]: oidc_child started.
Jan 19 12:43:54 server.ipademo.local oidc_child[10327]: Running with effective IDs:
[0][0].
Jan 19 12:43:54 server.ipademo.local oidc_child[10327]: Running with real IDs [0][0].
Jan 19 12:43:54 server.ipademo.local oidc_child[10327]: JSON device code:
[{"device_code":"FAQABAAEAAAD--DLA3VO7QrddgJg7WevrVeGTrifPi7MvhMsbZHElEAep-RrQ6ugCw9azyKQ1SbtERj45feztBm3_bYlJdeRxnNH7MizhIRptjHjtfhX2E5-ku1p8gadDd-HrO_AF-OVokpIZMUHJuxTGlOB8HIMB20zkDAGmNPZ2paXbOsXEswTifEesP2Qnqpb9o_rUnw8gAA","expires_in":900,"interval":5}].
Jan 19 12:43:54 server.ipademo.local oidc_child[10327]: Result does not contain the
'user_code' string.
Jan 19 12:43:54 server.ipademo.local oidc_child[10327]: Result does not contain the
'verification_uri' string.
Jan 19 12:43:54 server.ipademo.local oidc_child[10327]: Result does not contain the
'verification_url' string.
Jan 19 12:43:54 server.ipademo.local oidc_child[10327]: Result does not contain the
'verification_uri_complete' string.
Jan 19 12:43:54 server.ipademo.local oidc_child[10327]: Result does not contain the
'message' string.
Jan 19 12:43:54 server.ipademo.local oidc_child[10327]: device_code:
[FAQABAAEAAAD--DLA3VO7QrddgJg7WevrVeGTrifPi7MvhMsbZHElEAep-RrQ6ugCw9azyKQ1SbtERj45feztBm3_bYlJdeRxnNH7MizhIRptjHjtfhX2E5-ku1p8gadDd-HrO_AF-OVokpIZMUHJuxTGlOB8HIMB20zkDAGmNPZ2paXbOsXEswTifEesP2Qnqpb9o_rUnw8gAA].
Jan 19 12:43:54 server.ipademo.local oidc_child[10327]: expires_in: [900].
Jan 19 12:43:54 server.ipademo.local oidc_child[10327]: interval: [5].
Jan 19 12:43:54 server.ipademo.local oidc_child[10327]: POST data:
[grant_type=urn:ietf:params:oauth:grant-type:device_code&client_id=cbc0bcde-3e55-4b12-9916-bdda0b706953&device_code=FAQABAAEAAAD--DLA3VO7QrddgJg7WevrVeGTrifPi7MvhMsbZHElEAep-RrQ6ugCw9azyKQ1SbtERj45feztBm3_bYlJdeRxnNH7MizhIRptjHjtfhX2E5-ku1p8gadDd-HrO_AF-OVokpIZMUHJuxTGlOB8HIMB20zkDAGmNPZ2paXbOsXEswTifEesP2Qnqpb9o_rUnw8gAA].
Jan 19 12:43:54 server.ipademo.local oidc_child[10327]: libcurl: * Trying
20.190.151.134:443...
Jan 19 12:43:54 server.ipademo.local oidc_child[10327]: libcurl: * Connected to
login.microsoftonline.com (20.190.151.134) port 443 (#0)
Jan 19 12:43:54 server.ipademo.local oidc_child[10327]: libcurl: * ALPN: offers h2
Jan 19 12:43:54 server.ipademo.local oidc_child[10327]: libcurl: * ALPN: offers http/1.1
Jan 19 12:43:54 server.ipademo.local oidc_child[10327]: libcurl: * CAfile:
/etc/pki/tls/certs/ca-bundle.crt
Jan 19 12:43:54 server.ipademo.local oidc_child[10327]: libcurl: * CApath: none
Jan 19 12:43:54 server.ipademo.local oidc_child[10327]: libcurl: * TLSv1.0 (OUT), TLS
header, Certificate Status (22):
Jan 19 12:43:54 server.ipademo.local oidc_child[10327]: libcurl: * TLSv1.3 (OUT), TLS
handshake, Client hello (1):
Jan 19 12:43:54 server.ipademo.local oidc_child[10327]: libcurl: * TLSv1.2 (IN), TLS
header, Certificate Status (22):
Jan 19 12:43:54 server.ipademo.local oidc_child[10327]: libcurl: * TLSv1.3 (IN), TLS
handshake, Server hello (2):
Jan 19 12:43:54 server.ipademo.local oidc_child[10327]: libcurl: * TLSv1.2 (IN), TLS
handshake, Certificate (11):
Jan 19 12:43:54 server.ipademo.local oidc_child[10327]: libcurl: * TLSv1.2 (IN), TLS
handshake, Server key exchange (12):
Jan 19 12:43:54 server.ipademo.local oidc_child[10327]: libcurl: * TLSv1.2 (IN), TLS
handshake, Server finished (14):
Jan 19 12:43:54 server.ipademo.local oidc_child[10327]: libcurl: * TLSv1.2 (OUT), TLS
header, Certificate Status (22):
Jan 19 12:43:54 server.ipademo.local oidc_child[10327]: libcurl: * TLSv1.2 (OUT), TLS
handshake, Client key exchange (16):
Jan 19 12:43:54 server.ipademo.local oidc_child[10327]: libcurl: * TLSv1.2 (OUT), TLS
header, Finished (20):
Jan 19 12:43:54 server.ipademo.local oidc_child[10327]: libcurl: * TLSv1.2 (OUT), TLS
change cipher, Change cipher spec (1):
Jan 19 12:43:54 server.ipademo.local oidc_child[10327]: libcurl: * TLSv1.2 (OUT), TLS
header, Certificate Status (22):
Jan 19 12:43:54 server.ipademo.local oidc_child[10327]: libcurl: * TLSv1.2 (OUT), TLS
handshake, Finished (20):
Jan 19 12:43:54 server.ipademo.local oidc_child[10327]: libcurl: * TLSv1.2 (IN), TLS
header, Finished (20):
Jan 19 12:43:54 server.ipademo.local oidc_child[10327]: libcurl: * TLSv1.2 (IN), TLS
header, Certificate Status (22):
Jan 19 12:43:54 server.ipademo.local oidc_child[10327]: libcurl: * TLSv1.2 (IN), TLS
handshake, Finished (20):
Jan 19 12:43:54 server.ipademo.local oidc_child[10327]: libcurl: * SSL connection using
TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
Jan 19 12:43:54 server.ipademo.local oidc_child[10327]: libcurl: * ALPN: server did not
agree on a protocol. Uses default.
Jan 19 12:43:54 server.ipademo.local oidc_child[10327]: libcurl: * Server certificate:
Jan 19 12:43:54 server.ipademo.local oidc_child[10327]: libcurl: * subject: C=US;
ST=Washington; L=Redmond; O=Microsoft Corporation;
CN=stamp2.login.microsoftonline.com
Jan 19 12:43:54 server.ipademo.local oidc_child[10327]: libcurl: * start date: Nov 23
00:00:00 2022 GMT
Jan 19 12:43:54 server.ipademo.local oidc_child[10327]: libcurl: * expire date: Nov 23
23:59:59 2023 GMT
Jan 19 12:43:54 server.ipademo.local oidc_child[10327]: libcurl: * subjectAltName: host
"login.microsoftonline.com" matched cert's
"login.microsoftonline.com"
Jan 19 12:43:54 server.ipademo.local oidc_child[10327]: libcurl: * issuer: C=US;
O=DigiCert Inc; CN=DigiCert SHA2 Secure Server CA
Jan 19 12:43:54 server.ipademo.local oidc_child[10327]: libcurl: * SSL certificate verify
ok.
Jan 19 12:43:54 server.ipademo.local oidc_child[10327]: libcurl: * TLSv1.2 (OUT), TLS
header, Supplemental data (23):
Jan 19 12:43:54 server.ipademo.local oidc_child[10327]: libcurl: > POST
/XXXXX.io/oauth2/v2.0/token HTTP/1.1
Host:
login.microsoftonline.com
User-Agent: SSSD oidc_child/0.0
Accept: application/json
Content-Length: 322
Content-Type:
application/x-www-form-urlencoded
Jan 19 12:43:54 server.ipademo.local oidc_child[10327]: libcurl: * TLSv1.2 (IN), TLS
header, Supplemental data (23):
Jan 19 12:43:54 server.ipademo.local oidc_child[10327]: libcurl: * Mark bundle as not
supporting multiuse
Jan 19 12:43:54 server.ipademo.local oidc_child[10327]: libcurl: < HTTP/1.1 200 OK
Jan 19 12:43:54 server.ipademo.local oidc_child[10327]: libcurl: < Cache-Control:
no-store, no-cache
Jan 19 12:43:54 server.ipademo.local oidc_child[10327]: libcurl: < Pragma: no-cache
Jan 19 12:43:54 server.ipademo.local oidc_child[10327]: libcurl: < Content-Type:
application/json; charset=utf-8
Jan 19 12:43:54 server.ipademo.local oidc_child[10327]: libcurl: < Expires: -1
Jan 19 12:43:54 server.ipademo.local oidc_child[10327]: libcurl: <
Strict-Transport-Security: max-age=31536000; includeSubDomains
Jan 19 12:43:54 server.ipademo.local oidc_child[10327]: libcurl: <
X-Content-Type-Options: nosniff
Jan 19 12:43:54 server.ipademo.local oidc_child[10327]: libcurl: < P3P: CP="DSP
CUR OTPi IND OTRi ONL FIN"
Jan 19 12:43:54 server.ipademo.local oidc_child[10327]: libcurl: < x-ms-request-id:
3066bf60-3735-4944-b6d9-2358a30fd200
Jan 19 12:43:54 server.ipademo.local oidc_child[10327]: libcurl: < x-ms-ests-server:
2.1.14357.8 - EUS ProdSlices
Jan 19 12:43:54 server.ipademo.local oidc_child[10327]: libcurl: < X-XSS-Protection: 0
Jan 19 12:43:54 server.ipademo.local oidc_child[10327]: libcurl: < Set-Cookie:
fpc=Am0BIXEAbqpOvjxw0yOzSA8uBob9AQAAAPojW9sOAAAA; expires=Sat, 18-Feb-2023 11:43:54 GMT;
path=/; secure; HttpOnly; SameSite=None
Jan 19 12:43:54 server.ipademo.local oidc_child[10327]: libcurl: < Set-Cookie:
x-ms-gateway-slice=estsfd; path=/; secure; samesite=none; httponly
Jan 19 12:43:54 server.ipademo.local oidc_child[10327]: libcurl: < Set-Cookie:
stsservicecookie=estsfd; path=/; secure; samesite=none; httponly
Jan 19 12:43:54 server.ipademo.local oidc_child[10327]: libcurl: < Date: Thu, 19 Jan
2023 11:43:54 GMT
Jan 19 12:43:54 server.ipademo.local oidc_child[10327]: libcurl: < Content-Length:
3394
Jan 19 12:43:54 server.ipademo.local oidc_child[10327]: libcurl: <
Jan 19 12:43:54 server.ipademo.local oidc_child[10327]:
{"token_type":"Bearer","scope":"email openid
profile","expires_in":3788,"ext_expires_in":3788,"access_token":"eyJ0eXAiOiJKV1QiLCJub25jZSI6InNBcDNncTBJZ096MF9jd1dsM0tfcmNicERKNm9aTVgtS25LU2lTVE1LejQiLCJhbGciOiJSUzI1NiIsIng1dCI6Ii1LSTNROW5OUjdiUm9meG1lWm9YcWJIWkdldyIsImtpZCI6Ii1LSTNROW5OUjdiUm9meG1lWm9YcWJIWkdldyJ9.eyJhdWQiOiIwMDAwMDAwMy0wMDAwLTAwMDAtYzAwMC0wMDAwMDAwMDAwMDAiLCJpc3MiOiJodHRwczovL3N0cy53aW5kb3dzLm5ldC8wM>
Jan 19 12:43:54 server.ipademo.local oidc_child[10327]: libcurl: * Connection #0 to host
login.microsoftonline.com left intact
Jan 19 12:43:54 server.ipademo.local oidc_child[10327]: access_token:
[eyJ0eXAiOiJKV1QiLCJub25jZSI6InNBcDNncTBJZ096MF9jd1dsM0tfcmNicERKNm9aTVgtS25LU2lTVE1LejQiLCJhbGciOiJSUzI1NiIsIng1dCI6Ii1LSTNROW5OUjdiUm9meG1lWm9YcWJIWkdldyIsImtpZCI6Ii1LSTNROW5OUjdiUm9meG1lWm9YcWJIWkdldyJ9.eyJhdWQiOiIwMDAwMDAwMy0wMDAwLTAwMDAtYzAwMC0wMDAwMDAwMDAwMDAiLCJpc3MiOiJodHRwczovL3N0cy53aW5kb3dzLm5ldC8wMDEwYTI4OS1jZjcxLTRiM2UtYWU1Mi01Zjk5NzhmMDU0MzkvIiwiaWF0IjoxNjc0MTI4MzM0LCJuYmYiOjE2NzQxMjgzMzQs>
Jan 19 12:43:54 server.ipademo.local oidc_child[10327]: id_token:
[eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6Ii1LSTNROW5OUjdiUm9meG1lWm9YcWJIWkdldyJ9.eyJhdWQiOiJjYmMwYmNkZS0zZTU1LTRiMTItOTkxNi1iZGRhMGI3MDY5NTMiLCJpc3MiOiJodHRwczovL2xvZ2luLm1pY3Jvc29mdG9ubGluZS5jb20vMDAxMGEyODktY2Y3MS00YjNlLWFlNTItNWY5OTc4ZjA1NDM5L3YyLjAiLCJpYXQiOjE2NzQxMjgzMzQsIm5iZiI6MTY3NDEyODMzNCwiZXhwIjoxNjc0MTMyMjM0LCJhaW8iOiJBV1FBbS84VEFBQUE5YlJhcThUY1JON0hjNXdCRThKUG02eHZ4TGJxai9KcWF6UVVVbzJtTnVM>
Jan 19 12:43:54 server.ipademo.local oidc_child[10327]: libcurl: * Trying
20.190.151.7:443...
Jan 19 12:43:54 server.ipademo.local oidc_child[10327]: libcurl: * Connected to
login.microsoftonline.com (20.190.151.7) port 443 (#0)
Jan 19 12:43:54 server.ipademo.local oidc_child[10327]: libcurl: * ALPN: offers h2
Jan 19 12:43:54 server.ipademo.local oidc_child[10327]: libcurl: * ALPN: offers http/1.1
Jan 19 12:43:54 server.ipademo.local oidc_child[10327]: libcurl: * CAfile:
/etc/pki/tls/certs/ca-bundle.crt
Jan 19 12:43:54 server.ipademo.local oidc_child[10327]: libcurl: * CApath: none
Jan 19 12:43:54 server.ipademo.local oidc_child[10327]: libcurl: * TLSv1.0 (OUT), TLS
header, Certificate Status (22):
Jan 19 12:43:54 server.ipademo.local oidc_child[10327]: libcurl: * TLSv1.3 (OUT), TLS
handshake, Client hello (1):
Jan 19 12:43:54 server.ipademo.local oidc_child[10327]: libcurl: * TLSv1.2 (IN), TLS
header, Certificate Status (22):
Jan 19 12:43:54 server.ipademo.local oidc_child[10327]: libcurl: * TLSv1.3 (IN), TLS
handshake, Server hello (2):
Jan 19 12:43:54 server.ipademo.local oidc_child[10327]: libcurl: * TLSv1.2 (IN), TLS
handshake, Certificate (11):
Jan 19 12:43:54 server.ipademo.local oidc_child[10327]: libcurl: * TLSv1.2 (IN), TLS
handshake, Server key exchange (12):
Jan 19 12:43:54 server.ipademo.local oidc_child[10327]: libcurl: * TLSv1.2 (IN), TLS
handshake, Server finished (14):
Jan 19 12:43:54 server.ipademo.local oidc_child[10327]: libcurl: * TLSv1.2 (OUT), TLS
header, Certificate Status (22):
Jan 19 12:43:54 server.ipademo.local oidc_child[10327]: libcurl: * TLSv1.2 (OUT), TLS
handshake, Client key exchange (16):
Jan 19 12:43:54 server.ipademo.local oidc_child[10327]: libcurl: * TLSv1.2 (OUT), TLS
header, Finished (20):
Jan 19 12:43:54 server.ipademo.local oidc_child[10327]: libcurl: * TLSv1.2 (OUT), TLS
change cipher, Change cipher spec (1):
Jan 19 12:43:54 server.ipademo.local oidc_child[10327]: libcurl: * TLSv1.2 (OUT), TLS
header, Certificate Status (22):
Jan 19 12:43:54 server.ipademo.local oidc_child[10327]: libcurl: * TLSv1.2 (OUT), TLS
handshake, Finished (20):
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: libcurl: * TLSv1.2 (IN), TLS
header, Finished (20):
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: libcurl: * TLSv1.2 (IN), TLS
header, Certificate Status (22):
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: libcurl: * TLSv1.2 (IN), TLS
handshake, Finished (20):
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: libcurl: * SSL connection using
TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: libcurl: * ALPN: server did not
agree on a protocol. Uses default.
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: libcurl: * Server certificate:
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: libcurl: * subject: C=US;
ST=Washington; L=Redmond; O=Microsoft Corporation;
CN=stamp2.login.microsoftonline.com
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: libcurl: * start date: Nov 23
00:00:00 2022 GMT
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: libcurl: * expire date: Nov 23
23:59:59 2023 GMT
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: libcurl: * subjectAltName: host
"login.microsoftonline.com" matched cert's
"login.microsoftonline.com"
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: libcurl: * issuer: C=US;
O=DigiCert Inc; CN=DigiCert SHA2 Secure Server CA
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: libcurl: * SSL certificate verify
ok.
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: libcurl: * TLSv1.2 (OUT), TLS
header, Supplemental data (23):
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: libcurl: > GET
/common/discovery/v2.0/keys HTTP/1.1
Host:
login.microsoftonline.com
User-Agent: SSSD oidc_child/0.0
Accept: application/json
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: libcurl: * TLSv1.2 (IN), TLS
header, Supplemental data (23):
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: libcurl: * Mark bundle as not
supporting multiuse
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: libcurl: < HTTP/1.1 200 OK
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: libcurl: < Cache-Control:
max-age=86400, private
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: libcurl: < Content-Type:
application/json; charset=utf-8
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: libcurl: <
Strict-Transport-Security: max-age=31536000; includeSubDomains
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: libcurl: <
X-Content-Type-Options: nosniff
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: libcurl: <
Access-Control-Allow-Origin: *
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: libcurl: <
Access-Control-Allow-Methods: GET, OPTIONS
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: libcurl: < P3P: CP="DSP
CUR OTPi IND OTRi ONL FIN"
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: libcurl: < x-ms-request-id:
1b6d0b1b-3ec5-4d5b-ace6-3fb5fb490a01
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: libcurl: < x-ms-ests-server:
2.1.14357.8 - NCUS ProdSlices
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: libcurl: < X-XSS-Protection: 0
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: libcurl: < Set-Cookie:
fpc=Arysj0mnaIxNmRexcn_Agxk; expires=Sat, 18-Feb-2023 11:43:55 GMT; path=/; secure;
HttpOnly; SameSite=None
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: libcurl: < Set-Cookie:
esctx=PAQABAAEAAAD--DLA3VO7QrddgJg7Wevr2Ih4HkrILZKdufDCKOMkFqEL0ipHQO_KJOjytL4Bekhn2JvMua7p3etqUulUwiz0nwPNeEPX-Urk7xBfrp7vgRUg6D4k_ngUwN7Is2WLeh8APXj3VzEtzqEDj2WDMHnmnhebwpt8jfKon5jHazAfLOqTnP4xkB_20xRxEPwv3Y8gAA;
domain=.login.microsoftonline.com; path=/; secure; HttpOnly; SameSite=None
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: libcurl: < Set-Cookie:
x-ms-gateway-slice=estsfd; path=/; secure; samesite=none; httponly
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: libcurl: < Set-Cookie:
stsservicecookie=estsfd; path=/; secure; samesite=none; httponly
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: libcurl: < Date: Thu, 19 Jan
2023 11:43:55 GMT
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: libcurl: < Content-Length:
15922
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: libcurl: <
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]:
{"keys":[{"kty":"RSA","use":"sig","kid":"nOo3ZDrODXEK1jKWhXslHR_KXEg","x5t":"nOo3ZDrODXEK1jKWhXslHR_KXEg","n":"oaLLT9hkcSj2tGfZsjbu7Xz1Krs0qEicXPmEsJKOBQHauZ_kRM1HdEkgOJbUznUspE6xOuOSXjlzErqBxXAu4SCvcvVOCYG2v9G3-uIrLF5dstD0sYHBo1VomtKxzF90Vslrkn6rNQgUGIWgvuQTxm1uRklYFPEcTIRw0LnYknzJ06GC9ljKR617wABVrZNkBuDgQKj37qcyxoaxIGdxEcmVFZXJyrxDgdXh9owRmZn6LIJlGjZ9m59emfuwnBnsIQG7DirJwe9SXrLXnexRQWqyzCdkYaOqkpKrsjuxUj2-MHX31Fqsd>
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: libcurl: * TLSv1.2 (IN), TLS
header, Supplemental data (23):
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]:
ETnF8TctGU87R4N9YxmNWoIwWQYDVR0jBFIwUIAU57BsETnF8TctGU87R4N9YxmNWoKhLaQrMCkxJzAlBgNVBAMTHkxpdmUgSUQgU1RTIFNpZ25pbmcgUHVibGljIEtleYIJAN2X7t+ckntxMAsGA1UdDwQEAwIBxjANBgkqhkiG9w0BAQsFAAOCAQEAcsk+LGlTzSQdnh3mtCBMNCGZCiTYvFcqenwjDf1/c4U+Yi7fxYmAXm7wVLX+GVMxpLPpzMuVOXztGoPMUgWH59CFWhsMvZbIUKsd8xbEKmls1ZIgxRYdagcWTGeBET6XIoF6Ba57BhRCxFPslhIpg27/HnfHtTdGfjRpafNbBYvC/9PL/s2E9U4AklpUn2W19UiJLRFgXGPjYPLW0j1Od0qzHHJ84saclVwvuOrp>
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: libcurl: * Connection #0 to host
login.microsoftonline.com left intact
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: Failed to verify access_token.
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: libcurl: * Trying
20.190.130.40:443...
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: libcurl: * Connected to
graph.microsoft.com (20.190.130.40) port 443 (#0)
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: libcurl: * ALPN: offers h2
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: libcurl: * ALPN: offers http/1.1
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: libcurl: * CAfile:
/etc/pki/tls/certs/ca-bundle.crt
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: libcurl: * CApath: none
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: libcurl: * TLSv1.0 (OUT), TLS
header, Certificate Status (22):
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: libcurl: * TLSv1.3 (OUT), TLS
handshake, Client hello (1):
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: libcurl: * TLSv1.2 (IN), TLS
header, Certificate Status (22):
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: libcurl: * TLSv1.3 (IN), TLS
handshake, Server hello (2):
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: libcurl: * TLSv1.2 (OUT), TLS
header, Finished (20):
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: libcurl: * TLSv1.3 (OUT), TLS
change cipher, Change cipher spec (1):
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: libcurl: * TLSv1.2 (OUT), TLS
header, Certificate Status (22):
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: libcurl: * TLSv1.3 (OUT), TLS
handshake, Client hello (1):
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: libcurl: * TLSv1.2 (IN), TLS
header, Finished (20):
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: libcurl: * TLSv1.2 (IN), TLS
header, Certificate Status (22):
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: libcurl: * TLSv1.3 (IN), TLS
handshake, Server hello (2):
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: libcurl: * TLSv1.2 (IN), TLS
header, Supplemental data (23):
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: libcurl: * TLSv1.3 (IN), TLS
handshake, Encrypted Extensions (8):
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: libcurl: * TLSv1.3 (IN), TLS
handshake, Certificate (11):
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: libcurl: * TLSv1.3 (IN), TLS
handshake, CERT verify (15):
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: libcurl: * TLSv1.3 (IN), TLS
handshake, Finished (20):
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: libcurl: * TLSv1.2 (OUT), TLS
header, Supplemental data (23):
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: libcurl: * TLSv1.3 (OUT), TLS
handshake, Finished (20):
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: libcurl: * SSL connection using
TLSv1.3 / TLS_AES_256_GCM_SHA384
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: libcurl: * ALPN: server did not
agree on a protocol. Uses default.
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: libcurl: * Server certificate:
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: libcurl: * subject: C=US; ST=WA;
L=Redmond; O=Microsoft Corporation;
CN=graph.microsoft.com
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: libcurl: * start date: Jul 11
21:23:10 2022 GMT
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: libcurl: * expire date: Jul 6
21:23:10 2023 GMT
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: libcurl: * subjectAltName: host
"graph.microsoft.com" matched cert's "graph.microsoft.com"
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: libcurl: * issuer: C=US;
O=Microsoft Corporation; CN=Microsoft Azure TLS Issuing CA 02
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: libcurl: * SSL certificate verify
ok.
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: libcurl: * Server auth using
Bearer with user ''
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: libcurl: * TLSv1.2 (OUT), TLS
header, Supplemental data (23):
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: libcurl: > GET /oidc/userinfo
HTTP/1.1
Host:
graph.microsoft.com
Authorization: Bearer
eyJ0eXAiOiJKV1QiLCJub25jZSI6InNBcDNncTBJZ096MF9jd1dsM0tfcmNicERKNm9aTVgtS25LU2lTVE1LejQiLCJhbGciOiJSUzI1NiIsIng1dCI6Ii1LSTNROW5OUjdiUm9meG1lWm9YcWJIWkdldyIsImtpZCI6Ii1LSTNROW5OUjdiUm9meG1lWm9YcWJIWkdldyJ9.eyJhdWQiOiIwMDAwMDAwMy0wMDAwLTAwMDAtYzAwMC0wMDAwMDAwMDAwMDAiLCJpc3MiOiJodHRwczovL3N0cy53aW5kb3dzLm5ldC8wMDEwYTI4OS1jZjcxLTRiM2UtYWU1Mi01Zjk5NzhmMDU0MzkvIiwiaWF0IjoxNjc0MTI4MzM0LCJuYmYiOjE2NzQxM>
User-Agent: SSSD oidc_child/0.0
Accept: application/json
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: libcurl: * TLSv1.2 (IN), TLS
header, Supplemental data (23):
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: libcurl: * TLSv1.3 (IN), TLS
handshake, Newsession Ticket (4):
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: libcurl: * TLSv1.2 (IN), TLS
header, Supplemental data (23):
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: libcurl: * Mark bundle as not
supporting multiuse
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: libcurl: < HTTP/1.1 200 OK
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: libcurl: < Transfer-Encoding:
chunked
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: libcurl: < Content-Type:
application/json
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: libcurl: <
Strict-Transport-Security: max-age=31536000
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: libcurl: < request-id:
46f7c178-9ffa-4001-acfc-3fa517ada9c7
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: libcurl: < client-request-id:
46f7c178-9ffa-4001-acfc-3fa517ada9c7
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: libcurl: < x-ms-ags-diagnostic:
{"ServerInfo":{"DataCenter":"East
US","Slice":"E","Ring":"5","ScaleUnit":"000","RoleInstance":"BL4PEPF000001C9"}}
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: libcurl: < Date: Thu, 19 Jan
2023 11:43:55 GMT
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: libcurl: <
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]:
{"sub":"KMO6l3C0F39e2ZO28BcGo7Aqx3kT1JCrDwh287mXWqU","name":"Sebastian
XXXXX","family_name":"XXXXX","given_name&qu...
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: libcurl: * TLSv1.2 (IN), TLS
header, Supplemental data (23):
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: libcurl: * Connection #0 to host
graph.microsoft.com left intact
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: access_token payload:
[{"aud": "00000003-0000-0000-c000-000000000000", "iss":
"https://sts.windows.net/0010a289-cf71-4b3e-ae52-5f9978f05439/",
"iat": 1674128334, "nbf": 1674128334, "exp": 1674132423,
"acct": 0, "acr": "1", "aio":
"AVQAq/8TAAAApKIln8F3TeHUUgda0lh8tzLnmU23I1JnsqsyaZVgaIReMccUUvk2TAxBWyqmQuh9vmngby/bH1cMvJdkO82C9eU7P309iW4U3sApKNrYMtk=",
"amr": ["pwd", "mfa"], "app_displayname":
"free-ipa", "appid": "cb>
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: User Principal:
[sebastian@XXXXX.io].
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: User oid:
[df1e0f52-2e6b-4964-a359-f650500b822b].
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: User sub:
[sRvW5pJWRedxM3tEgOAo7tOH8LSG6Aw_IbDX91-o7dk].
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: id_token payload:
[{"aud": "cbc0bcde-3e55-4b12-9916-bdda0b706953", "iss":
"https://login.microsoftonline.com/0010a289-cf71-4b3e-ae52-5f9978f05439/v2.0",
"iat": 1674128334, "nbf": 1674128334, "exp": 1674132234,
"aio":
"AWQAm/8TAAAA9bRaq8TcRN7Hc5wBE8JPm6xvxLbqj/JqazQUUo2mNuL1c6x6f0X9+ZUTokEVfNVDnnoPEt77phP2A3WQRrEU0/Qe256Heht98S4Qa1e61elB65DAstw9a14fycDGtwFV",
"rh": "0.ATUAiaIQAHHPPkuuUl-ZePBUOd68wMtVPhJLmRa92gtwaVM1AD>
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: User Principal: [(null)].
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: User oid: [(null)].
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: User sub:
[KMO6l3C0F39e2ZO28BcGo7Aqx3kT1JCrDwh287mXWqU].
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: userinfo: [{"sub":
"KMO6l3C0F39e2ZO28BcGo7Aqx3kT1JCrDwh287mXWqU", "name": "Sebastian
XXXXX", "family_name": "XXXXX", "given_name":
"Sebastian", "picture":
"https://graph.microsoft.com/v1.0/me/photo/$value"}].
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: Failed to read attribute [email]
from userinfo data.
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: No attribute to identify the user
found.
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: Failed to get user identifier.
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: oidc_child failed!
Jan 19 12:43:55 server.ipademo.local ipa-otpd[10326]: testuser1@IPADEMO.LOCAL: Received:
[]
Jan 19 12:43:55 server.ipademo.local ipa-otpd[10326]: testuser1@IPADEMO.LOCAL: Failed to
check access token reply.
Jan 19 12:43:55 server.ipademo.local ipa-otpd[10326]: oauth2.c:088: Child finished with
status [1].
Jan 19 12:43:55 server.ipademo.local ipa-otpd[10326]: testuser1@IPADEMO.LOCAL: sent: 0
data: 20
Jan 19 12:43:55 server.ipademo.local systemd[1]:
/usr/lib/systemd/system/ipa-otpd@.service:10: Standard output type syslog is obsolete,
automatically updating to journal. Please update your unit file, and consider removing the
setting altogether.
Jan 19 12:43:55 server.ipademo.local ipa-otpd[10326]: testuser1@IPADEMO.LOCAL: ..sent: 20
data: 20
Jan 19 12:43:55 server.ipademo.local ipa-otpd[10326]: testuser1@IPADEMO.LOCAL: response
sent: Access-Reject
Jan 19 12:43:55 server.ipademo.local ipa-otpd[10326]: Socket closed, shutting down...
Jan 19 12:43:55 server.ipademo.local systemd[1]: Started ipa-otpd@21-9209-0.service -
ipa-otpd service (PID 9209/UID 0).
Jan 19 12:43:55 server.ipademo.local systemd[1]: ipa-otpd@20-9209-0.service: Deactivated
successfully.
Jan 19 12:43:55 server.ipademo.local ipa-otpd[10331]: LDAP:
ldapi://%2Frun%2Fslapd-IPADEMO-LOCAL.socket
Jan 19 12:43:55 server.ipademo.local ipa-otpd[10331]: testuser1@IPADEMO.LOCAL: request
received
Jan 19 12:43:55 server.ipademo.local ipa-otpd[10331]: testuser1@IPADEMO.LOCAL: user query
start
Jan 19 12:43:55 server.ipademo.local ipa-otpd[10331]: testuser1@IPADEMO.LOCAL: user query
end: uid=testuser1,cn=users,cn=accounts,dc=ipademo,dc=local
Jan 19 12:43:55 server.ipademo.local ipa-otpd[10331]: testuser1@IPADEMO.LOCAL: idp query
start: cn=ad,cn=idp,dc=ipademo,dc=local
Jan 19 12:43:55 server.ipademo.local ipa-otpd[10331]: testuser1@IPADEMO.LOCAL: idp query
end: ad
Jan 19 12:43:55 server.ipademo.local ipa-otpd[10331]: testuser1@IPADEMO.LOCAL: oauth2
start: Get device code
Jan 19 12:43:55 server.ipademo.local oidc_child[10333]: oidc_child started.
Jan 19 12:43:55 server.ipademo.local oidc_child[10333]: Running with effective IDs:
[0][0].
Jan 19 12:43:55 server.ipademo.local oidc_child[10333]: Running with real IDs [0][0].
Jan 19 12:43:55 server.ipademo.local oidc_child[10333]: POST data:
[client_id=cbc0bcde-3e55-4b12-9916-bdda0b706953&scope=openid%20email].
Jan 19 12:43:55 server.ipademo.local oidc_child[10333]: libcurl: * Trying
20.190.151.67:443...
Jan 19 12:43:55 server.ipademo.local oidc_child[10333]: libcurl: * Connected to
login.microsoftonline.com (20.190.151.67) port 443 (#0)
Jan 19 12:43:55 server.ipademo.local oidc_child[10333]: libcurl: * ALPN: offers h2
Jan 19 12:43:55 server.ipademo.local oidc_child[10333]: libcurl: * ALPN: offers http/1.1
Jan 19 12:43:55 server.ipademo.local oidc_child[10333]: libcurl: * CAfile:
/etc/pki/tls/certs/ca-bundle.crt
Jan 19 12:43:55 server.ipademo.local oidc_child[10333]: libcurl: * CApath: none
Jan 19 12:43:55 server.ipademo.local oidc_child[10333]: libcurl: * TLSv1.0 (OUT), TLS
header, Certificate Status (22):
Jan 19 12:43:55 server.ipademo.local oidc_child[10333]: libcurl: * TLSv1.3 (OUT), TLS
handshake, Client hello (1):
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: libcurl: * TLSv1.2 (IN), TLS
header, Certificate Status (22):
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: libcurl: * TLSv1.3 (IN), TLS
handshake, Server hello (2):
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: libcurl: * TLSv1.2 (IN), TLS
handshake, Certificate (11):
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: libcurl: * TLSv1.2 (IN), TLS
handshake, Server key exchange (12):
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: libcurl: * TLSv1.2 (IN), TLS
handshake, Server finished (14):
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: libcurl: * TLSv1.2 (OUT), TLS
header, Certificate Status (22):
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: libcurl: * TLSv1.2 (OUT), TLS
handshake, Client key exchange (16):
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: libcurl: * TLSv1.2 (OUT), TLS
header, Finished (20):
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: libcurl: * TLSv1.2 (OUT), TLS
change cipher, Change cipher spec (1):
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: libcurl: * TLSv1.2 (OUT), TLS
header, Certificate Status (22):
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: libcurl: * TLSv1.2 (OUT), TLS
handshake, Finished (20):
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: libcurl: * TLSv1.2 (IN), TLS
header, Finished (20):
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: libcurl: * TLSv1.2 (IN), TLS
header, Certificate Status (22):
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: libcurl: * TLSv1.2 (IN), TLS
handshake, Finished (20):
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: libcurl: * SSL connection using
TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: libcurl: * ALPN: server did not
agree on a protocol. Uses default.
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: libcurl: * Server certificate:
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: libcurl: * subject: C=US;
ST=Washington; L=Redmond; O=Microsoft Corporation;
CN=stamp2.login.microsoftonline.com
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: libcurl: * start date: Nov 23
00:00:00 2022 GMT
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: libcurl: * expire date: Nov 23
23:59:59 2023 GMT
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: libcurl: * subjectAltName: host
"login.microsoftonline.com" matched cert's
"login.microsoftonline.com"
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: libcurl: * issuer: C=US;
O=DigiCert Inc; CN=DigiCert SHA2 Secure Server CA
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: libcurl: * SSL certificate verify
ok.
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: libcurl: * TLSv1.2 (OUT), TLS
header, Supplemental data (23):
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: libcurl: > POST
/XXXXX.io/oauth2/v2.0/devicecode HTTP/1.1
Host:
login.microsoftonline.com
User-Agent: SSSD oidc_child/0.0
Accept: application/json
Content-Length: 67
Content-Type:
application/x-www-form-urlencoded
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: libcurl: * TLSv1.2 (IN), TLS
header, Supplemental data (23):
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: libcurl: * Mark bundle as not
supporting multiuse
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: libcurl: < HTTP/1.1 200 OK
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: libcurl: < Cache-Control:
no-store, no-cache
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: libcurl: < Pragma: no-cache
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: libcurl: < Content-Type:
application/json; charset=utf-8
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: libcurl: < Expires: -1
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: libcurl: <
Strict-Transport-Security: max-age=31536000; includeSubDomains
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: libcurl: <
X-Content-Type-Options: nosniff
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: libcurl: < P3P: CP="DSP
CUR OTPi IND OTRi ONL FIN"
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: libcurl: < x-ms-request-id:
87944eb0-53d5-43ad-a0c0-3141ba791801
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: libcurl: < x-ms-ests-server:
2.1.14357.8 - WUS2 ProdSlices
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: libcurl: < X-XSS-Protection: 0
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: libcurl: < Set-Cookie:
fpc=At8Y02i5S9hDrVIieqUMBAxFIKkQAQAAAPsjW9sOAAAA; expires=Sat, 18-Feb-2023 11:43:56 GMT;
path=/; secure; HttpOnly; SameSite=None
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: libcurl: < Set-Cookie:
esctx=PAQABAAEAAAD--DLA3VO7QrddgJg7Wevrq2TIFXGtf8VDx-wy3moL6Ds0P-yS0mbtrMDWTEdSXpnUcHMKHcX0fS3ruZ6ZbExpDfasPDY2GTEYOvAElE4MTSZ36WJskz4Q_1PPWw7nl6F2TTBgk_GCf_Wl_5B7FFrekNeGF0pLat2Fb_ZUXVFDuEFHlw4-DanomQcHmzm25P0gAA;
domain=.login.microsoftonline.com; path=/; secure; HttpOnly; SameSite=None
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: libcurl: < Set-Cookie:
x-ms-gateway-slice=estsfd; path=/; secure; samesite=none; httponly
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: libcurl: < Set-Cookie:
stsservicecookie=estsfd; path=/; secure; samesite=none; httponly
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: libcurl: < Date: Thu, 19 Jan
2023 11:43:55 GMT
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: libcurl: < Content-Length: 473
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: libcurl: <
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]:
{"user_code":"R33ETTH5G","device_code":"RAQABAAEAAAD--DLA3VO7QrddgJg7WevrOJG3ajvhUG4cDhc-l3tniyv54PEfenfmBtB1POSei6hEC3TQLyKowO89sKjXSAzc9jE5Zy9DFQ0gQ9FAePlVt7gtWYY_au8Vm03gsq-ufVOZwpNV4wxVDNy9qOe_ErIoLDB7xNJ4btgAwUMUXdJth22shXU74vpFw-fmSoXK-PIgAA","verification_uri":"https://microsoft.com/devicelogin","expires_in":900,"interval":5,"message":"To
sign in, use a web browser to open the page
https://microsoft.com/device>
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: libcurl: * Connection #0 to host
login.microsoftonline.com left intact
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: Result does not contain the
'verification_uri_complete' string.
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: user_code: [R33ETTH5G].
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: verification_uri:
[
https://microsoft.com/devicelogin].
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: verification_uri_complete: [-].
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: message: [To sign in, use a web
browser to open the page
https://microsoft.com/devicelogin and enter the code R33ETTH5G to
authenticate.].
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: device_code:
[RAQABAAEAAAD--DLA3VO7QrddgJg7WevrOJG3ajvhUG4cDhc-l3tniyv54PEfenfmBtB1POSei6hEC3TQLyKowO89sKjXSAzc9jE5Zy9DFQ0gQ9FAePlVt7gtWYY_au8Vm03gsq-ufVOZwpNV4wxVDNy9qOe_ErIoLDB7xNJ4btgAwUMUXdJth22shXU74vpFw-fmSoXK-PIgAA].
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: expires_in: [900].
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: interval: [5].
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: POST data:
[grant_type=urn:ietf:params:oauth:grant-type:device_code&client_id=cbc0bcde-3e55-4b12-9916-bdda0b706953&device_code=RAQABAAEAAAD--DLA3VO7QrddgJg7WevrOJG3ajvhUG4cDhc-l3tniyv54PEfenfmBtB1POSei6hEC3TQLyKowO89sKjXSAzc9jE5Zy9DFQ0gQ9FAePlVt7gtWYY_au8Vm03gsq-ufVOZwpNV4wxVDNy9qOe_ErIoLDB7xNJ4btgAwUMUXdJth22shXU74vpFw-fmSoXK-PIgAA].
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: libcurl: * Trying
20.190.151.9:443...
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: libcurl: * Connected to
login.microsoftonline.com (20.190.151.9) port 443 (#0)
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: libcurl: * ALPN: offers h2
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: libcurl: * ALPN: offers http/1.1
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: libcurl: * CAfile:
/etc/pki/tls/certs/ca-bundle.crt
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: libcurl: * CApath: none
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: libcurl: * TLSv1.0 (OUT), TLS
header, Certificate Status (22):
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: libcurl: * TLSv1.3 (OUT), TLS
handshake, Client hello (1):
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: libcurl: * TLSv1.2 (IN), TLS
header, Certificate Status (22):
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: libcurl: * TLSv1.3 (IN), TLS
handshake, Server hello (2):
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: libcurl: * TLSv1.2 (IN), TLS
handshake, Certificate (11):
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: libcurl: * TLSv1.2 (IN), TLS
handshake, Server key exchange (12):
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: libcurl: * TLSv1.2 (IN), TLS
handshake, Server finished (14):
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: libcurl: * TLSv1.2 (OUT), TLS
header, Certificate Status (22):
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: libcurl: * TLSv1.2 (OUT), TLS
handshake, Client key exchange (16):
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: libcurl: * TLSv1.2 (OUT), TLS
header, Finished (20):
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: libcurl: * TLSv1.2 (OUT), TLS
change cipher, Change cipher spec (1):
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: libcurl: * TLSv1.2 (OUT), TLS
header, Certificate Status (22):
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: libcurl: * TLSv1.2 (OUT), TLS
handshake, Finished (20):
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: libcurl: * TLSv1.2 (IN), TLS
header, Finished (20):
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: libcurl: * TLSv1.2 (IN), TLS
header, Certificate Status (22):
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: libcurl: * TLSv1.2 (IN), TLS
handshake, Finished (20):
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: libcurl: * SSL connection using
TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: libcurl: * ALPN: server did not
agree on a protocol. Uses default.
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: libcurl: * Server certificate:
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: libcurl: * subject: C=US;
ST=Washington; L=Redmond; O=Microsoft Corporation;
CN=stamp2.login.microsoftonline.com
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: libcurl: * start date: Nov 23
00:00:00 2022 GMT
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: libcurl: * expire date: Nov 23
23:59:59 2023 GMT
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: libcurl: * subjectAltName: host
"login.microsoftonline.com" matched cert's
"login.microsoftonline.com"
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: libcurl: * issuer: C=US;
O=DigiCert Inc; CN=DigiCert SHA2 Secure Server CA
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: libcurl: * SSL certificate verify
ok.
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: libcurl: * TLSv1.2 (OUT), TLS
header, Supplemental data (23):
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: libcurl: > POST
/XXXXX.io/oauth2/v2.0/token HTTP/1.1
Host:
login.microsoftonline.com
User-Agent: SSSD oidc_child/0.0
Accept: application/json
Content-Length: 322
Content-Type:
application/x-www-form-urlencoded
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: libcurl: * TLSv1.2 (IN), TLS
header, Supplemental data (23):
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: libcurl: * Mark bundle as not
supporting multiuse
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: libcurl: < HTTP/1.1 400 Bad
Request
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: libcurl: < Cache-Control:
no-store, no-cache
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: libcurl: < Pragma: no-cache
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: libcurl: < Content-Type:
application/json; charset=utf-8
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: libcurl: < Expires: -1
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: libcurl: <
Strict-Transport-Security: max-age=31536000; includeSubDomains
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: libcurl: <
X-Content-Type-Options: nosniff
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: libcurl: < P3P: CP="DSP
CUR OTPi IND OTRi ONL FIN"
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: libcurl: < x-ms-request-id:
a705ec7d-b8c2-4dd0-ab65-02aab5c03501
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: libcurl: < x-ms-ests-server:
2.1.14357.8 - NCUS ProdSlices
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: libcurl: < X-XSS-Protection: 0
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: libcurl: < Set-Cookie:
fpc=AnhC60lvKVNGu2tHSa_e-eI; expires=Sat, 18-Feb-2023 11:43:56 GMT; path=/; secure;
HttpOnly; SameSite=None
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: libcurl: < Set-Cookie:
x-ms-gateway-slice=estsfd; path=/; secure; samesite=none; httponly
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: libcurl: < Set-Cookie:
stsservicecookie=estsfd; path=/; secure; samesite=none; httponly
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: libcurl: < Date: Thu, 19 Jan
2023 11:43:55 GMT
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: libcurl: < Content-Length: 510
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: libcurl: <
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]:
{"error":"authorization_pending","error_description":"AADSTS70016:
OAuth 2.0 device flow error. Authorization is pending. Continue polling.\r\nTrace ID:
a705ec7d-b8c2-4dd0-ab65-02aab5c03501\r\nCorrelation ID:
c9302003-2381-4244-bf1c-57b8ca28c908\r\nTimestamp: 2023-01-19
11:43:56Z","error_codes":[70016],"timestamp":"2023-01-19
11:43:56Z","trace_id":"a705ec7d-b8c2-4dd0-ab65-02aab5c03501","correlation_id":"c9302003-2381>
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: libcurl: * Connection #0 to host
login.microsoftonline.com left intact
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: oidc_child finished successful!
Jan 19 12:43:56 server.ipademo.local ipa-otpd[10331]: testuser1(a)IPADEMO.LOCAL: Received:
[{"device_code":"RAQABAAEAAAD--DLA3VO7QrddgJg7WevrOJG3ajvhUG4cDhc-l3tniyv54PEfenfmBtB1POSei6hEC3TQLyKowO89sKjXSAzc9jE5Zy9DFQ0gQ9FAePlVt7gtWYY_au8Vm03gsq-ufVOZwpNV4wxVDNy9qOe_ErIoLDB7xNJ4btgAwUMUXdJth22shXU74vpFw-fmSoXK-PIgAA","expires_in":900,"interval":5}
Jan 19 12:43:56 server.ipademo.local ipa-otpd[10331]: oauth2
{"verification_uri": "https://microsoft.com/devicelogin",
"user_code": "R33ETTH5G"}
Jan 19 12:43:56 server.ipademo.local ipa-otpd[10331]: ]
Jan 19 12:43:56 server.ipademo.local ipa-otpd[10331]: oauth2.c:088: Child finished with
status [0].
Jan 19 12:43:56 server.ipademo.local ipa-otpd[10331]: testuser1(a)IPADEMO.LOCAL: sent: 0
data: 371
Jan 19 12:43:56 server.ipademo.local ipa-otpd[10331]: testuser1(a)IPADEMO.LOCAL: ..sent: 371
data: 371
Jan 19 12:43:56 server.ipademo.local ipa-otpd[10331]: testuser1(a)IPADEMO.LOCAL: response
sent: Access-Challenge
Jan 19 12:43:56 server.ipademo.local ipa-otpd[10331]: Socket closed, shutting down...
Jan 19 12:43:56 server.ipademo.local systemd[1]: ipa-otpd(a)21-9209-0.service: Deactivated
successfully.
---
The important part is here:
---
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: userinfo: [{"sub":
"KMO6l3C0F39e2ZO28BcGo7Aqx3kT1JCrDwh287mXWqU", "name": "Sebastian
XXXXX", "family_name": "XXXXX", "given_name":
"Sebastian", "picture":
"https://graph.microsoft.com/v1.0/me/photo/$value"}].
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: Failed to read attribute [email]
from userinfo data.
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: No attribute to identify the user
found.
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: Failed to get user identifier.
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: oidc_child failed!
---
As I discovered, I didn't provide the email attribute for my user in Azure AD, which seems odd to me as it is not a required field, but once I provided it in Azure everything started working again. So that is a very important step in the whole configuration process.
I was confused by the oidc_child behaviour, which runs the whole flow again with a new device code and then gives us HTTP/1.1 400 Bad Request. I didn't check the previous logs as I thought that was the start of the request; then I looked at the timestamps and realized there is much more before this second attempt.
So it looks like the flow was:
1. prompt with device ID
2. authorization with my Azure AD account
3. get an error from Azure due to the lack of the email attribute in userinfo
4. other POSTs are made with a different device ID which are not prompted on the command line
5. error 400 Bad Request from step 4, not from step 3
Thank you all for your help. For now this case is solved for me; right now I will take another deep dive to configure other stuff.
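A small triage helper for exactly the trap described in this thread, added here as an example (it is not code from the post, from SSSD or from FreeIPA): it groups journal lines by oidc_child PID, reports the earliest child that logged "oidc_child failed!" together with the userinfo attribute it could not read, and marks the later child's 400 "authorization_pending" as normal device-flow polling rather than the root cause. The log lines are constructed from the shape of the messages above; the device codes, `sub` values and PIDs are placeholders.

```python
import json
import re

# Constructed journal excerpt modelled on the post's log; values are placeholders.
SAMPLE_JOURNAL = """\
Jan 19 12:43:54 server.ipademo.local ipa-otpd[10326]: testuser1@IPADEMO.LOCAL: oauth2 start: Get access token
Jan 19 12:43:54 server.ipademo.local oidc_child[10327]: oidc_child started.
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: userinfo: [{"sub": "SUB-PLACEHOLDER", "name": "Sebastian XXXXX", "given_name": "Sebastian"}].
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: Failed to read attribute [email] from userinfo data.
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: No attribute to identify the user found.
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: Failed to get user identifier.
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: oidc_child failed!
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: oidc_child started.
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: device_code: [DEVICE-CODE-PLACEHOLDER].
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: libcurl: < HTTP/1.1 400 Bad Request
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: {"error":"authorization_pending","error_description":"AADSTS70016: OAuth 2.0 device flow error. Authorization is pending. Continue polling.","error_codes":[70016]}
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: oidc_child finished successful!
"""

# "<month> <day> <hh:mm:ss> <host> <process>[<pid>]: <message>", the journal shape in the post.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<proc>[\w.-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# oidc_child names the claim it tried to read, e.g. "Failed to read attribute [email] ...".
ATTR_RE = re.compile(r"Failed to read attribute \[(?P<attr>[^\]]+)\]")


def parse_journal(text):
    """Turn journal text into (timestamp, process, pid, message) tuples; skip unparsable lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((m["ts"], m["proc"], int(m["pid"]), m["msg"]))
    return events


def group_oidc_children(events):
    """Map each oidc_child PID to its messages, in first-seen order (dict keeps insertion order)."""
    children = {}
    for _ts, proc, pid, msg in events:
        if proc == "oidc_child":
            children.setdefault(pid, []).append(msg)
    return children


def first_failed_child(children):
    """Return (pid, reason messages) of the earliest child that logged 'oidc_child failed!', else None."""
    for pid, msgs in children.items():
        if any(m.startswith("oidc_child failed") for m in msgs):
            reasons = [m for m in msgs if m.startswith("Failed") or m.startswith("No attribute")]
            return pid, reasons
    return None


def userinfo_from_child(msgs):
    """Extract the JSON object oidc_child logs as 'userinfo: [{...}].'; None if absent."""
    for m in msgs:
        if m.startswith("userinfo: ["):
            body = m[len("userinfo: ["):]
            obj, _ = json.JSONDecoder().raw_decode(body)  # ignores the trailing '].'
            return obj
    return None


def check_identifier(userinfo, attribute="email"):
    """(True, value) when the claim used to map the IdP identity to an IPA user is present."""
    value = userinfo.get(attribute)
    if value:
        return True, value
    return False, f"claim '{attribute}' missing; present claims: {sorted(userinfo)}"


def triage(text):
    """Name the root-cause child and separate it from later polling 400s of a fresh device flow."""
    children = group_oidc_children(parse_journal(text))
    report = {"root_cause_pid": None, "reasons": [], "missing_claim": None, "later_http_errors": {}}
    found = first_failed_child(children)
    if found:
        pid, reasons = found
        report["root_cause_pid"], report["reasons"] = pid, reasons
        userinfo = userinfo_from_child(children[pid])
        for r in reasons:
            am = ATTR_RE.search(r)
            if am and userinfo is not None and not check_identifier(userinfo, am["attr"])[0]:
                report["missing_claim"] = am["attr"]
    for pid, msgs in children.items():
        if pid == report["root_cause_pid"]:
            continue
        for m in msgs:
            if m.startswith("{") and '"error"' in m:
                report["later_http_errors"][pid] = json.loads(m)["error"]
    return report


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_JOURNAL), indent=2))
```

The helper deliberately treats the missing identifier claim as the authoritative failure: when the IdP's userinfo carries no claim that maps to an IPA user, oidc_child refusing to authenticate is the correct fail-closed outcome, and the later `authorization_pending` response is only the second device flow waiting for a code nobody was shown.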