
Unable to use the role_mappings feature with Microsoft Entra and custom sso provider

Open adrienbroyere opened this issue 5 months ago • 1 comment

Hey !

I've successfully set up the custom sso_providers with my Microsoft Entra application; however, I am unable to make the proper link between my groups and the Warpgate roles.

I've read the Warpgate documentation and configured a custom claim on my Entra application named warpgate_roles into which I have put the desired Entra groups.

Below is my configuration:

sso_providers:
- name: Sign in with Azure
  auto_create_users: true
  provider:
    type: custom
    client_id: "xxx"
    client_secret: "yyy"
    issuer_url: "zzz"
    scopes: ["openid", "email", "profile", "api://xxx/warpgate"]
    role_mappings:
      "uuid": 'my_warpgate_role'

At first, Entra returned the proper custom claim in the OIDC ID token, but I noticed that it didn't work out of the box in Warpgate. I then tried to add the warpgate_roles claim to the OIDC access token; to do so, Microsoft Entra requires some extra configuration and adding a custom scope to the configuration (hence the api:// scope above): documentation.

I am able to authenticate to warpgate and my user is created but my user is not part of the role I configured. This is what I can see in the Warpgate logs:

07.07.2025 14:00:40 ERROR HTTP: warpgate_sso::sso: Failed to fetch userinfo: Response(401, [123, 34, 101, 114, 114, 111, 114, 34, 58, 123, 34, 99, 111, 100, 101, 34, 58, 34, 73, 110, 118, 97, 108, 105, 100, 65, 117, 116, 104, 101, 110, 116, 105, 99, 97, 116, 105, 111, 110, 84, 111, 107, 101, 110, 34, 44, 34, 109, 101, 115, 115, 97, 103, 101, 34, 58, 34, 65, 99, 99, 101, 115, 115, 32, 116, 111, 107, 101, 110, 32, 118, 97, 108, 105, 100, 97, 116, 105, 111, 110, 32, 102, 97, 105, 108, 117, 114, 101, 46, 32, 73, 110, 118, 97, 108, 105, 100, 32, 97, 117, 100, 105, 101, 110, 99, 101, 46, 34, 44, 34, 105, 110, 110, 101, 114, 69, 114, 114, 111, 114, 34, 58, 123, 34, 100, 97, 116, 101, 34, 58, 34, 50, 48, 50, 53, 45, 48, 55, 45, 48, 55, 84, 49, 52, 58, 48, 48, 58, 52, 48, 34, 44, 34, 114, 101, 113, 117, 101, 115, 116, 45, 105, 100, 34, 58, 34, 51, 48, 57, 98, 100, 99, 50, 53, 45, 56, 54, 48, 101, 45, 52, 49, 57, 50, 45, 56, 100, 56, 57, 45, 97, 101, 101, 54, 100, 98, 98, 49, 51, 97, 97, 57, 34, 44, 34, 99, 108, 105, 101, 110, 116, 45, 114, 101, 113, 117, 101, 115, 116, 45, 105, 100, 34, 58, 34, 51, 48, 57, 98, 100, 99, 50, 53, 45, 56, 54, 48, 101, 45, 52, 49, 57, 50, 45, 56, 100, 56, 57, 45, 97, 101, 101, 54, 100, 98, 98, 49, 51, 97, 97, 57, 34, 125, 125, 125], "unexpected HTTP status code")
07.07.2025 14:00:40 DEBUG HTTP: warpgate_sso::request: OIDC claims: IdTokenClaims { issuer: IssuerUrl("https://login.microsoftonline.com/xxx/v2.0"), audiences: [Audience("xxx")], expiration: 2025-07-07T15:00:39Z, issue_time: 2025-07-07T13:55:39Z, auth_time: None, nonce: Some(Nonce([redacted])), auth_context_ref: None, auth_method_refs: None, authorized_party: None, access_token_hash: None, code_hash: None, standard_claims: StandardClaims { sub: SubjectIdentifier("xxx"), name: Some(LocalizedClaim({}, Some(EndUserName("xxx")))), given_name: None, family_name: None, middle_name: None, nickname: None, preferred_username: Some(EndUserUsername("xxx")), profile: None, picture: None, website: None, email: Some(EndUserEmail("xxx")), email_verified: None, gender: None, birthday: None, birthdate: None, zoneinfo: None, locale: None, phone_number: None, phone_number_verified: None, address: None, updated_at: None }, additional_claims: EmptyAdditionalClaims }
07.07.2025 14:00:40 DEBUG HTTP: warpgate_sso::request: OIDC userinfo claims: None

In the Microsoft Entra sign-in logs, I can see that the login is a success.

I double-checked the UUID of the Entra group and the role name I created in Warpgate; both exist. Running the OIDC query inside https://oidcdebugger.com works and returns the expected custom claim, for example:

Access token:

{
   "aud": "xxx",
   "iss": "xx",
   "iat": xxx,
   "nbf": xxx,
   "exp": xxx,
   "aio": "xxx",
   "azp": "xxx",
   "azpacr": "xxx",
   "name": "xxx",
   "oid": "xxx",
   "preferred_username": "yx@z",
   "rh": "xxx",
   "scp": "xxx",
   "sid": "xxx",
   "sub": "xxx",
   "tid": "xxx",
   "uti": "xxx",
   "ver": "2.0",
   "wids": [
      "xxx"
   ],
   "xms_ftd": "xxx",
   "warpgate_roles": [
      "UUID_1",
      "UUID_2",
      [...]
   ]
}

ID Token:

{
   "aud": "xxx",
   "iss": "xxx",
   "iat": xxx,
   "nbf": xxx,
   "exp": xxx,
   "aio": "xxx",
   "at_hash": "xxx",
   "email": "xxx",
   "name": "xxx",
   "nonce": "xxx",
   "oid": "xxx",
   "preferred_username": "yx@z",
   "rh": "xxx",
   "sid": "xxx",
   "sub": "xxx",
   "tid": "xxx",
   "uti": "xxx",
   "ver": "2.0",
   "wids": [
      "xxx"
   ],
   "warpgate_roles": [
      "UUID_1",
      "UUID_2",
      [...]
   ]
}

I am at a loss as to where the issue might be here; any help would be greatly appreciated.

PS: Warpgate version used: v0.15.0

adrienbroyere avatar Jul 07 '25 14:07 adrienbroyere
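The debug line in the issue reports `additional_claims: EmptyAdditionalClaims` for the ID token and `OIDC userinfo claims: None`, so it helps to look at the raw tokens yourself rather than at what the SSO library surfaced. The script below is an added diagnostic, not Warpgate's own code. It assumes that `role_mappings` maps a claim value (an Entra group UUID) to a Warpgate role name and that the claim carrying the group list is named `warpgate_roles`, as in the configuration above; the JWT payload is decoded without verifying the signature, which is fine for inspection but never a basis for an authorization decision. The sample token, client id and group UUIDs are constructed placeholders.

```python
"""Offline inspection of OIDC tokens against a Warpgate role_mappings table.

Added diagnostic, not Warpgate's own code. Assumptions:
- role_mappings maps a claim value (here an Entra group UUID) to a Warpgate role name;
- the claim carrying the group list is named warpgate_roles, as configured in the issue;
- the JWT payload is decoded WITHOUT verifying the signature: inspection only, never
  a basis for an authorization decision.
"""
import base64
import json
import sys

CLAIM_NAME = "warpgate_roles"


def b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore the padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwt_payload(token: str) -> dict:
    """Return the claims of a compact JWT (header.payload.signature). No signature check."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    return json.loads(b64url_decode(parts[1]))


def audience_matches(claims: dict, expected: str) -> bool:
    """`aud` may be a single string or a list; accept either form."""
    aud = claims.get("aud")
    return expected in aud if isinstance(aud, list) else aud == expected


def resolve_roles(claims: dict, role_mappings: dict) -> dict:
    """Split the configured claim into mapped Warpgate roles and values no mapping covers."""
    values = claims.get(CLAIM_NAME, [])
    if isinstance(values, str):  # a single group may be serialised as a bare string
        values = [values]
    mapped = sorted({role_mappings[v] for v in values if v in role_mappings})
    unmapped = [v for v in values if v not in role_mappings]
    return {"roles": mapped, "unmapped": unmapped}


def make_unsigned_token(payload: dict) -> str:
    """Build an alg=none token for offline testing (constructed, not a real Entra token)."""
    header = b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{b64url_encode(json.dumps(payload).encode())}."


# Constructed sample values mirroring the shape of the tokens shown in the issue.
SAMPLE_CLIENT_ID = "client-id-placeholder"
SAMPLE_ROLE_MAPPINGS = {"11111111-1111-1111-1111-111111111111": "my_warpgate_role"}
SAMPLE_PAYLOAD = {
    "aud": SAMPLE_CLIENT_ID,
    "iss": "https://login.microsoftonline.com/tenant-placeholder/v2.0",
    "preferred_username": "user@example.com",
    CLAIM_NAME: [
        "11111111-1111-1111-1111-111111111111",
        "22222222-2222-2222-2222-222222222222",  # no mapping: reported as unmapped
    ],
}

if __name__ == "__main__":
    # Usage: python3 inspect_token.py <jwt> <expected-aud>   (defaults to the sample)
    token = sys.argv[1] if len(sys.argv) > 1 else make_unsigned_token(SAMPLE_PAYLOAD)
    expected_aud = sys.argv[2] if len(sys.argv) > 2 else SAMPLE_CLIENT_ID
    claims = jwt_payload(token)
    print("aud:", claims.get("aud"), "| matches expected:", audience_matches(claims, expected_aud))
    print(CLAIM_NAME, "->", resolve_roles(claims, SAMPLE_ROLE_MAPPINGS))
```

Run it against the access token and the ID token separately: the `unmapped` list tells you whether a group UUID simply has no entry under `role_mappings`, and the `aud` check shows which resource each token was minted for, which matters because the userinfo fetch is made with the access token, not the ID token.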

Hello,

I have been trying to do the same as you, except that I think I went one step further in understanding the issue here with Azure. This line of your log:

07.07.2025 14:00:40 ERROR HTTP: warpgate_sso::sso: Failed to fetch userinfo: Response(401, [123, 34, 101, 114, 114, 111, 114, 34, 58, 123, 34, 99, 111, 100, 101, 34, 58, 34, 73, 110, 118, 97, 108, 105, 100, 65, 117, 116, 104, 101, 110, 116, 105, 99, 97, 116, 105, 111, 110, 84, 111, 107, 101, 110, 34, 44, 34, 109, 101, 115, 115, 97, 103, 101, 34, 58, 34, 65, 99, 99, 101, 115, 115, 32, 116, 111, 107, 101, 110, 32, 118, 97, 108, 105, 100, 97, 116, 105, 111, 110, 32, 102, 97, 105, 108, 117, 114, 101, 46, 32, 73, 110, 118, 97, 108, 105, 100, 32, 97, 117, 100, 105, 101, 110, 99, 101, 46, 34, 44, 34, 105, 110, 110, 101, 114, 69, 114, 114, 111, 114, 34, 58, 123, 34, 100, 97, 116, 101, 34, 58, 34, 50, 48, 50, 53, 45, 48, 55, 45, 48, 55, 84, 49, 52, 58, 48, 48, 58, 52, 48, 34, 44, 34, 114, 101, 113, 117, 101, 115, 116, 45, 105, 100, 34, 58, 34, 51, 48, 57, 98, 100, 99, 50, 53, 45, 56, 54, 48, 101, 45, 52, 49, 57, 50, 45, 56, 100, 56, 57, 45, 97, 101, 101, 54, 100, 98, 98, 49, 51, 97, 97, 57, 34, 44, 34, 99, 108, 105, 101, 110, 116, 45, 114, 101, 113, 117, 101, 115, 116, 45, 105, 100, 34, 58, 34, 51, 48, 57, 98, 100, 99, 50, 53, 45, 56, 54, 48, 101, 45, 52, 49, 57, 50, 45, 56, 100, 56, 57, 45, 97, 101, 101, 54, 100, 98, 98, 49, 51, 97, 97, 57, 34, 125, 125, 125], "unexpected HTTP status code")

actually gives the answer: this array is a byte-array representation of the actual error... Using this website https://www.javainuse.com/onlinebytes (as I was too lazy to make a quick app) and replacing all the ', ' with ',', I get this from your log line (I had the exact same issue on my side, only the ids were different):

{"error":{"code":"InvalidAuthenticationToken","message":"Access token validation failure. Invalid audience.","innerError":{"date":"2025-07-07T14:00:40","request-id":"309bdc25-860e-4192-8d89-aee6dbb13aa9","client-request-id":"309bdc25-860e-4192-8d89-aee6dbb13aa9"}}}

Unsure how to actually fix this, but at least now you know why it's not working.

Lebvanih avatar Sep 17 '25 09:09 Lebvanih
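The comment above turns the byte array into readable JSON by pasting it into a website. The same step as a small local script, added here (it is not part of Warpgate), so the error body, which carries request ids, never leaves your machine. It assumes only the log shape visible in the issue, `Failed to fetch userinfo: Response(<status>, [<decimal bytes>], "<note>")`; the sample log line is constructed from a shortened body of the same shape as the decoded error.

```python
"""Decode the byte-array response body that Warpgate logs on a failed userinfo fetch.

Added helper, not part of Warpgate. It parses the log shape shown in the issue:
    ... Failed to fetch userinfo: Response(<status>, [<decimal bytes>], "<note>")
"""
import json
import re
import sys

# Captures the HTTP status and the comma-separated decimal byte list of the body.
RESPONSE_RE = re.compile(r"Response\((?P<status>\d+),\s*\[(?P<bytes>[\d,\s]*)\]")


def decode_response_body(log_line: str) -> dict:
    """Return {'status': int, 'body': parsed JSON or raw text} for one log line."""
    m = RESPONSE_RE.search(log_line)
    if not m:
        raise ValueError("no Response(<status>, [<bytes>]) found in line")
    raw = bytes(int(b) for b in m.group("bytes").split(",") if b.strip())
    text = raw.decode("utf-8", errors="replace")
    try:
        body = json.loads(text)
    except json.JSONDecodeError:
        body = text  # not JSON: keep the raw text so nothing is lost
    return {"status": int(m.group("status")), "body": body}


def summarize(decoded: dict) -> str:
    """One line: status plus error code and message when the body has the {"error": {...}} shape."""
    body = decoded["body"]
    if isinstance(body, dict) and isinstance(body.get("error"), dict):
        err = body["error"]
        return f"{decoded['status']} {err.get('code')}: {err.get('message')}"
    return f"{decoded['status']} {body}"


# Constructed sample: same shape as the issue's log line, with a shortened error body.
SAMPLE_BODY = b'{"error":{"code":"InvalidAuthenticationToken","message":"Invalid audience."}}'
SAMPLE_LINE = (
    "07.07.2025 14:00:40 ERROR HTTP: warpgate_sso::sso: Failed to fetch userinfo: "
    f"Response(401, [{', '.join(str(b) for b in SAMPLE_BODY)}], \"unexpected HTTP status code\")"
)

if __name__ == "__main__":
    # Usage: grep 'Failed to fetch userinfo' warpgate.log | python3 decode_userinfo_error.py
    lines = sys.stdin.read().splitlines() if not sys.stdin.isatty() else [SAMPLE_LINE]
    for line in lines:
        if "Failed to fetch userinfo" in line:
            print(summarize(decode_response_body(line)))
```

Piping the real log through it prints `401 InvalidAuthenticationToken: Access token validation failure. Invalid audience.` for the line quoted in this thread, which is the same body the comment above recovered by hand; the raw-text fallback keeps non-JSON bodies readable as well.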