4.2.14 Azure/Entra OIDC authentication issue

nick438 · March 27, 2024, 1:44pm

Updated from 4.2.12 to 4.2.14, forms auth works fine. Apps startup fine and can get to them using forms auth. Attempting to authenticate to them using OIDC results in the following errors.

2024-03-27 08:03:28.082 -05:00 [ERR] Connection id "0HN2EBKSO5243", Request id "0HN2EBKSO5243:00000002": An unhandled exception was thrown by the application.
System.InvalidOperationException: IDX20803: Unable to obtain configuration from: 'https://login.microsoftonline.com/xxxxxxxxxxxxxxxxxxxxxxxx/.well-known/openid-configuration'. Will retry at '3/27/2024 1:03:35 PM +00:00'. Exception: 'System.IO.IOException: IDX20804: Unable to retrieve document from: 'https://login.microsoftonline.com/xxxxxxxxxxxxxxxxxxxxxxxx/.well-known/openid-configuration'.
 ---> System.Threading.Tasks.TaskCanceledException: The request was canceled due to the configured HttpClient.Timeout of 100 seconds elapsing.
 ---> System.TimeoutException: A task was canceled.
 ---> System.Threading.Tasks.TaskCanceledException: A task was canceled.
   at System.Threading.Tasks.TaskCompletionSourceWithCancellation`1.WaitWithCancellationAsync(CancellationToken cancellationToken)
   at System.Net.Http.HttpConnectionPool.HttpConnectionWaiter`1.WaitForConnectionAsync(Boolean async, CancellationToken requestCancellationToken)
   at System.Net.Http.HttpConnectionPool.SendWithVersionDetectionAndRetryAsync(HttpRequestMessage request, Boolean async, Boolean doRequestAuth, CancellationToken cancellationToken)
   at System.Net.Http.DiagnosticsHandler.SendAsyncCore(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)
   at System.Net.Http.RedirectHandler.SendAsync(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)
   at System.Net.Http.HttpClient.<SendAsync>g__Core|83_0(HttpRequestMessage request, HttpCompletionOption completionOption, CancellationTokenSource cts, Boolean disposeCts, CancellationTokenSource pendingRequestsCts, CancellationToken originalCancellationToken)
   --- End of inner exception stack trace ---
   --- End of inner exception stack trace ---
   at System.Net.Http.HttpClient.HandleFailure(Exception e, Boolean telemetryStarted, HttpResponseMessage response, CancellationTokenSource cts, CancellationToken cancellationToken, CancellationTokenSource pendingRequestsCts)
   at System.Net.Http.HttpClient.<SendAsync>g__Core|83_0(HttpRequestMessage request, HttpCompletionOption completionOption, CancellationTokenSource cts, Boolean disposeCts, CancellationTokenSource pendingRequestsCts, CancellationToken originalCancellationToken)
   at Microsoft.IdentityModel.Protocols.HttpDocumentRetriever.SendAsyncAndRetryOnNetworkError(HttpClient httpClient, Uri uri)
   at Microsoft.IdentityModel.Protocols.HttpDocumentRetriever.GetDocumentAsync(String address, CancellationToken cancel)
   --- End of inner exception stack trace ---
   at Microsoft.IdentityModel.Protocols.HttpDocumentRetriever.GetDocumentAsync(String address, CancellationToken cancel)
   at Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectConfigurationRetriever.GetAsync(String address, IDocumentRetriever retriever, CancellationToken cancel)
   at Microsoft.IdentityModel.Protocols.ConfigurationManager`1.GetConfigurationAsync(CancellationToken cancel)'.
 ---> System.IO.IOException: IDX20804: Unable to retrieve document from: 'https://login.microsoftonline.com/xxxxxxxxxxxxxxxxxxxxxxxx/.well-known/openid-configuration'.
 ---> System.Threading.Tasks.TaskCanceledException: The request was canceled due to the configured HttpClient.Timeout of 100 seconds elapsing.
 ---> System.TimeoutException: A task was canceled.
 ---> System.Threading.Tasks.TaskCanceledException: A task was canceled.
   at System.Threading.Tasks.TaskCompletionSourceWithCancellation`1.WaitWithCancellationAsync(CancellationToken cancellationToken)
   at System.Net.Http.HttpConnectionPool.HttpConnectionWaiter`1.WaitForConnectionAsync(Boolean async, CancellationToken requestCancellationToken)
   at System.Net.Http.HttpConnectionPool.SendWithVersionDetectionAndRetryAsync(HttpRequestMessage request, Boolean async, Boolean doRequestAuth, CancellationToken cancellationToken)
   at System.Net.Http.DiagnosticsHandler.SendAsyncCore(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)
   at System.Net.Http.RedirectHandler.SendAsync(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)
   at System.Net.Http.HttpClient.<SendAsync>g__Core|83_0(HttpRequestMessage request, HttpCompletionOption completionOption, CancellationTokenSource cts, Boolean disposeCts, CancellationTokenSource pendingRequestsCts, CancellationToken originalCancellationToken)
   --- End of inner exception stack trace ---
   --- End of inner exception stack trace ---
   at System.Net.Http.HttpClient.HandleFailure(Exception e, Boolean telemetryStarted, HttpResponseMessage response, CancellationTokenSource cts, CancellationToken cancellationToken, CancellationTokenSource pendingRequestsCts)
   at System.Net.Http.HttpClient.<SendAsync>g__Core|83_0(HttpRequestMessage request, HttpCompletionOption completionOption, CancellationTokenSource cts, Boolean disposeCts, CancellationTokenSource pendingRequestsCts, CancellationToken originalCancellationToken)
   at Microsoft.IdentityModel.Protocols.HttpDocumentRetriever.SendAsyncAndRetryOnNetworkError(HttpClient httpClient, Uri uri)
   at Microsoft.IdentityModel.Protocols.HttpDocumentRetriever.GetDocumentAsync(String address, CancellationToken cancel)
   --- End of inner exception stack trace ---
   at Microsoft.IdentityModel.Protocols.HttpDocumentRetriever.GetDocumentAsync(String address, CancellationToken cancel)
   at Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectConfigurationRetriever.GetAsync(String address, IDocumentRetriever retriever, CancellationToken cancel)
   at Microsoft.IdentityModel.Protocols.ConfigurationManager`1.GetConfigurationAsync(CancellationToken cancel)
   --- End of inner exception stack trace ---
   at Microsoft.IdentityModel.Protocols.ConfigurationManager`1.GetConfigurationAsync(CancellationToken cancel)
   at Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler.HandleChallengeAsyncInternal(AuthenticationProperties properties)
   at Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler.HandleChallengeAsync(AuthenticationProperties properties)
   at Microsoft.AspNetCore.Authentication.AuthenticationHandler`1.ChallengeAsync(AuthenticationProperties properties)
   at Microsoft.AspNetCore.Authentication.AuthenticationService.ChallengeAsync(HttpContext context, String scheme, AuthenticationProperties properties)
   at Universal.Server.UniversalDashboardStartup.<>c.<<Configure>b__5_0>d.MoveNext() in C:\actions-runner\_work\universal\universal\src\Universal.Server\UniversalDashboardStartup.cs:line 122
--- End of stack trace from previous location ---
   at Microsoft.AspNetCore.Diagnostics.StatusCodePagesMiddleware.Invoke(HttpContext context)
   at Microsoft.AspNetCore.ResponseCompression.ResponseCompressionMiddleware.InvokeCore(HttpContext context)
   at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context)
   at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Http.HttpProtocol.ProcessRequests[TContext](IHttpApplication`1 application)

I uninstalled 4.2.14 and reinstalled 4.2.12 and the everything works correctly, can authenticate as expected with OIDC. Was there some change or something else in 4.2.14 is causing this?

Product: PowerShell Universal
Version: 4.2.12

Jesse.Peden · March 27, 2024, 9:30pm

nick438:

 ---> System.IO.IOException: IDX20804: Unable to retrieve document from: 'https://login.microsoftonline.com/xxxxxxxxxxxxxxxxxxxxxxxx/.well-known/openid-configuration'.
 ---> System.Threading.Tasks.TaskCanceledException: The request was canceled due to the configured HttpClient.Timeout of 100 seconds elapsing.
 ---> System.TimeoutException: A task was canceled.
 ---> System.Threading.Tasks.TaskCanceledException: A task was canceled.

Just to ask, did you try 4.2.13 to see if that has the same issue? We were using AzureAD as well, with 4.2.12 and 4.2.13 without any issues, and it’s still working fine with 4.2.14 for us. Looking at your output, it looks like a failure to download a file. Have you tried entering that URL into a browser on your PSU server after updating to 4.2.14 to see if it’s isolated to just PSU or if something else exhibits the same issue post-upgrade?

nick438 · March 28, 2024, 11:42am

Blockquote

I just updated it to 4.2.13. It doesn’t have the same issue. 4.2.14 only seems to cause the issue. The URL works in a browser under both my account and the service account. I at first thought it was maybe some issue with the service account and the proxy setup but I verified it’s working. It seems to be just isolated to PSU.

Jesse.Peden · March 28, 2024, 12:15pm

Now that you’re on 4.2.13, I would try re-updating to 4.2.14 (if you didn’t already) to see if there’s potentially just an issue with jumping from 4.2.12 directly to 4.2.14. Sometimes upgrades need to be done in steps, so it’s worth testing it out to at least check it off the list.

nick438 · March 28, 2024, 1:12pm

Blockquote

I just gave that a try. That worked. I’m now not getting the error. I wouldn’t think that it’s that big of a jump but looks like going to 4.2.13 first is probably what I’ll need to do (I have other servers on 4.2.12).

Jesse.Peden · March 28, 2024, 1:24pm

Great. Glad that resolved your issue.

Topic		Replies	Views
Random errors during OIDC signin PowerShell Universal	0	123	March 4, 2024
Azure AD OIDC - Resource identifier is not provided PowerShell Universal	3	716	November 3, 2021
OIDC redirect loop PowerShell Universal	3	387	October 14, 2022
Unauthorized Access Page PowerShell Universal	2	320	October 29, 2021
500 Error using OpenID/Azure AD PowerShell Universal	1	567	September 13, 2021

4.2.14 Azure/Entra OIDC authentication issue

Related Topics