OIDC Azure AD - 401 Not Authorized
Thanks for your approach on a UI for headscale.
I tried to set up OIDC with Azure AD (like in the headscale OIDC example). After the login callback I get "401 Not Authorized", and the log only says "Token issued in the past". Do I need to whitelist the users somewhere?
Sadly I have no experience with Azure AD. Are you getting the error in headscale-webui or in Azure? Can you post some logs from headscale-webui? (In DEBUG mode it dumps secrets, so be sure to either wipe those or use new ones afterwards.)
Also post your docker-compose.yml
I get the error from the /oidc_callback in headscale-webui, after the redirect from Azure AD. docker-compose.yaml:

```yaml
version: '3'
services:
  headscale:
    container_name: headscale
    image: headscale/headscale
    restart: always
    environment:
      - LETSENCRYPT_HOST=<wiped host.domain.tdl>
      - VIRTUAL_HOST=<wiped host.domain.tdl>
      - VIRTUAL_PORT=8080
      - VIRTUAL_PATH=/
    volumes:
      - ./config:/etc/headscale
      - ./data:/var/lib/headscale
    entrypoint: headscale serve
  headscale-webui:
    container_name: headscale-webui
    image: ghcr.io/ifargle/headscale-webui
    environment:
      - LETSENCRYPT_HOST=<wiped host.domain.tdl>
      - VIRTUAL_HOST=<wiped host.domain.tdl>
      - VIRTUAL_PATH=/admin
      - VIRTUAL_PORT=5000
      - TZ=Europe/Zurich
      - HS_SERVER=https://<wiped host.domain.tdl>
      - DOMAIN_NAME=https://<wiped host.domain.tdl>
      - SCRIPT_NAME=/admin
      - KEY=<wiped key>
      - AUTH_TYPE=oidc
      - OIDC_AUTH_URL=https://login.microsoftonline.com/<wiped azure tenant id>/v2.0/.well-known/openid-configuration
      - OIDC_CLIENT_ID=<wiped client id>
      - OIDC_CLIENT_SECRET=<wiped secret>
      - LOG_LEVEL=Debug
    volumes:
      - ./webui:/data
      - ./config:/etc/headscale:ro
```
Logs:

```text
[2023-04-05 10:11:35 +0200] [1] [INFO] Starting gunicorn 20.1.0
[2023-04-05 10:11:35 +0200] [1] [INFO] Listening at: http://0.0.0.0:5000 (1)
[2023-04-05 10:11:35 +0200] [1] [INFO] Using worker: sync
[2023-04-05 10:11:35 +0200] [7] [INFO] Booting worker with pid: 7
[2023-04-05 10:11:36,131] INFO in server: Headscale-WebUI Version: v0.6.1 / main
[2023-04-05 10:11:36,132] INFO in server: LOG LEVEL SET TO DEBUG
[2023-04-05 10:11:36,132] INFO in server: DEBUG STATE: True
[2023-04-05 10:11:36,132] INFO in server: Loading OIDC libraries and configuring app...
[2023-04-05 10:11:36,304] DEBUG in server: JSON Dumps for OIDC_INFO: {"token_endpoint": "https://login.microsoftonline.com/<wiped azure tenant id>/oauth2/v2.0/token", "token_endpoint_auth_methods_supported": ["client_secret_post", "private_key_jwt", "client_secret_basic"], "jwks_uri": "https://login.microsoftonline.com/<wiped azure tenant id>/discovery/v2.0/keys", "response_modes_supported": ["query", "fragment", "form_post"], "subject_types_supported": ["pairwise"], "id_token_signing_alg_values_supported": ["RS256"], "response_types_supported": ["code", "id_token", "code id_token", "id_token token"], "scopes_supported": ["openid", "profile", "email", "offline_access"], "issuer": "https://login.microsoftonline.com/<wiped azure tenant id>/v2.0", "request_uri_parameter_supported": false, "userinfo_endpoint": "https://graph.microsoft.com/oidc/userinfo", "authorization_endpoint": "https://login.microsoftonline.com/<wiped azure tenant id>/oauth2/v2.0/authorize", "device_authorization_endpoint": "https://login.microsoftonline.com/<wiped azure tenant id>/oauth2/v2.0/devicecode", "http_logout_supported": true, "frontchannel_logout_supported": true, "end_session_endpoint": "https://login.microsoftonline.com/<wiped azure tenant id>/oauth2/v2.0/logout", "claims_supported": ["sub", "iss", "cloud_instance_name", "cloud_instance_host_name", "cloud_graph_host_name", "msgraph_host", "aud", "exp", "iat", "auth_time", "acr", "nonce", "preferred_username", "name", "tid", "ver", "at_hash", "c_hash", "email"], "kerberos_endpoint": "https://login.microsoftonline.com/<wiped azure tenant id>/kerberos", "tenant_region_scope": "EU", "cloud_instance_name": "microsoftonline.com", "cloud_graph_host_name": "graph.windows.net", "msgraph_host": "graph.microsoft.com", "rbac_url": "https://pas.windows.net"}
[2023-04-05 10:11:36,305] DEBUG in server: Client Secrets:
[2023-04-05 10:11:36,306] DEBUG in server: /app/instances/secrets.json:
[2023-04-05 10:11:36,306] DEBUG in server: {"web": {"issuer": "https://login.microsoftonline.com/<wiped azure tenant id>/v2.0", "auth_uri": "https://login.microsoftonline.com/<wiped azure tenant id>/oauth2/v2.0/authorize", "client_id": "<wiped client id>", "client_secret": "<wiped secret>", "redirect_uris": ["https://<wiped host.domain.tdl>/admin/oidc_callback"], "userinfo_uri": "https://graph.microsoft.com/oidc/userinfo", "token_uri": "https://login.microsoftonline.com/<wiped azure tenant id>/oauth2/v2.0/token"}}
Token issued in the past
```
https://github.com/puiterwijk/flask-oidc/blob/7f16e27b926fc12953d6b2ae78a9b9cc9b8d1769/flask_oidc/init.py#L646
Seems like it's caused by your time being out of sync. Is your server time in sync "enough" with Microsoft's?
I guess so, the docker container runs on an Azure VM and its time seems in sync. However, the container time is timezoned... the time of the OIDC endpoint can't be verified by me.
There is a clock-skew config we can pass to the oidc library. I'll try that once the changes being worked on are settled.
I did this and made you #112