OIDC - Broken with 5.0.0

Product: PowerShell Universal
Version: 5.0.0

OIDC authentication seems broken; I get the following message:

System.InvalidOperationException: Cannot redirect to the authorization endpoint, the configuration may be missing or invalid.
at Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler.HandleChallengeAsyncInternal(AuthenticationProperties properties)
at Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler.HandleChallengeAsync(AuthenticationProperties properties)
at Microsoft.AspNetCore.Authentication.AuthenticationHandler`1.ChallengeAsync(AuthenticationProperties properties)
at Microsoft.AspNetCore.Authentication.AuthenticationService.ChallengeAsync(HttpContext context, String scheme, AuthenticationProperties properties)
at Microsoft.AspNetCore.Mvc.ChallengeResult.ExecuteResultAsync(ActionContext context)
at Universal.Server.Middleware.RoutingMiddleware.Invoke(HttpContext httpContext, IPolicyEvaluator policyEvaluator) in C:\actions-runner\_work\universal\universal\src\Universal.Server\Middleware\RoutingMiddleware.cs:line 175
at PowerShellUniversal.PSUMiddleware.InvokeAsync(HttpContext context, RequestDelegate next) in C:\actions-runner\_work\universal\universal\src\Universal.Server\Middleware\PowerShellMiddleware.cs:line 43
at Microsoft.AspNetCore.Builder.UseMiddlewareExtensions.InterfaceMiddlewareBinder.<>c__DisplayClass2_0.<<CreateMiddleware>b__0>d.MoveNext()
--- End of stack trace from previous location ---
at Swashbuckle.AspNetCore.SwaggerUI.SwaggerUIMiddleware.Invoke(HttpContext httpContext)
at Swashbuckle.AspNetCore.Swagger.SwaggerMiddleware.Invoke(HttpContext httpContext, ISwaggerProvider swaggerProvider)
at Universal.Server.Middleware.WindowsAuthMiddleware.InvokeAsync(HttpContext context, RequestDelegate next) in C:\actions-runner\_work\universal\universal\src\Universal.Server\Middleware\WindowsAuthMiddleware.cs:line 27
at Microsoft.AspNetCore.Builder.UseMiddlewareExtensions.InterfaceMiddlewareBinder.<>c__DisplayClass2_0.<<CreateMiddleware>b__0>d.MoveNext()
--- End of stack trace from previous location ---
at Universal.Server.Middleware.SwaggerAuthenticationMiddleware.InvokeAsync(HttpContext context, RequestDelegate next) in C:\actions-runner\_work\universal\universal\src\Universal.Server\Middleware\SwaggerAuthMiddleware.cs:line 51
at Microsoft.AspNetCore.Builder.UseMiddlewareExtensions.InterfaceMiddlewareBinder.<>c__DisplayClass2_0.<<CreateMiddleware>b__0>d.MoveNext()
--- End of stack trace from previous location ---
at AspNetCoreRateLimit.RateLimitMiddleware`1.Invoke(HttpContext context) in C:\actions-runner\_work\universal\universal\src\AspNetCoreRateLimit\Middleware\RateLimitMiddleware.cs:line 109
at Microsoft.AspNetCore.Session.SessionMiddleware.Invoke(HttpContext context)
at Microsoft.AspNetCore.Session.SessionMiddleware.Invoke(HttpContext context)
at Microsoft.AspNetCore.Diagnostics.ExceptionHandlerMiddlewareImpl.<Invoke>g__Awaited|10_0(ExceptionHandlerMiddlewareImpl middleware, HttpContext context, Task task)

Can this be related to the following issue? c# - OpenIdConnect error "Cannot redirect to the authorization endpoint, the configuration may be missing or invalid" when upgrading to .NET 8.0.x - Stack Overflow

Many thanks in advance!

I’ll roll back to 4.2.19 in the meantime.

Interesting. I wonder what you’re doing differently from what @insomniacc is doing in his own 5.0.x testing. He said that OIDC worked without a hitch in his post at PSU v4 to v5 issues

I’m using Okta though, I should have mentioned it. I truly changed nothing except the PSU version.

The variables I’m passing to the container, as environment variables with Docker Compose, are the following regarding OIDC / Okta:

  - Jwt__Issuer=https://login.company.com/oauth2/<application_id>
  - Jwt__DiscoveryDocument=https://login.company.com/oauth2/<application_id>/.well-known/openid-configuration
  - Jwt__Audience=https://my.psu.com
  - Jwt__RoleClaimType=groups
  - Authentication__OIDC__Enabled=true
  - Authentication__OIDC__ClientID=${Authentication__OIDC__ClientID}
  - Authentication__OIDC__ClientSecret=${Authentication__OIDC__ClientSecret}
  - Authentication__OIDC__Authority=https://login.company.com/oauth2/<application_id>
  - Authentication__OIDC__AcceptAnyServerCertificate=true
  - Authentication__OIDC__CallbackPath=/authorization-code/callback
  - Authentication__OIDC__Scope=openid profile groups offline_access
  - Authentication__OIDC__ResponseType=code
  - Authentication__OIDC__SaveToken=true
  - Authentication__OIDC__UseTokenLifetime=true
  - Authentication__OIDC__GetUserInfo=true

If it may help.
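A diagnostic for the failure discussed in this thread, added here as an example; it is not PowerShell Universal's own code and did not come from any poster. The "Cannot redirect to the authorization endpoint" exception is raised when the OIDC handler has no usable configuration, which in practice means the discovery document behind `Authentication__OIDC__Authority` could not be fetched or did not parse into the fields the handler needs. The function below fetches that document (or takes one supplied inline for offline use) and checks the fields the ASP.NET Core handler depends on, the issuer match against `Jwt__Issuer`, HTTPS on every endpoint, and whether the requested scopes and `code` response type are advertised. The hostname `login.company.com`, the `<application_id>` placeholder and the sample JSON are constructed assumptions, not a real Okta response.

```powershell
# Added example, not part of PowerShell Universal or the original thread.
# Assumptions: Authority / ExpectedIssuer / RequestedScopes mirror the
# Authentication__OIDC__* and Jwt__* environment variables quoted above.
function Test-OidcDiscovery {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]   $Authority,                  # Authentication__OIDC__Authority
        [string]   $ExpectedIssuer   = $Authority,                     # Jwt__Issuer
        [string[]] $RequestedScopes  = @('openid'),                    # Authentication__OIDC__Scope
        [string]   $DiscoveryJson                                      # optional: supply the document offline
    )

    $url      = $Authority.TrimEnd('/') + '/.well-known/openid-configuration'
    $problems = [System.Collections.Generic.List[string]]::new()

    if ($DiscoveryJson) {
        $doc = $DiscoveryJson | ConvertFrom-Json
    } else {
        try {
            # Certificate validation is deliberately left on here; the thread's
            # AcceptAnyServerCertificate=true would hide a TLS problem like IDX20804.
            $doc = Invoke-RestMethod -Uri $url -Method Get -TimeoutSec 15
        } catch {
            return [pscustomobject]@{ Url = $url; Ok = $false; Problems = @("Fetch failed: $($_.Exception.Message)") }
        }
    }

    # Fields the ASP.NET Core OIDC handler needs to build the challenge redirect.
    # A missing authorization_endpoint is exactly the 'Cannot redirect' condition.
    foreach ($key in 'issuer', 'authorization_endpoint', 'token_endpoint', 'jwks_uri') {
        if (-not $doc.PSObject.Properties[$key] -or [string]::IsNullOrWhiteSpace($doc.$key)) {
            $problems.Add("Discovery document is missing '$key'")
        }
    }

    # The handler validates the token 'iss' claim against the metadata issuer,
    # so the document must name the issuer the server is configured to expect.
    if ($doc.issuer -and $doc.issuer.TrimEnd('/') -ne $ExpectedIssuer.TrimEnd('/')) {
        $problems.Add("issuer '$($doc.issuer)' does not match expected '$ExpectedIssuer'")
    }

    # Every endpoint the browser is redirected to, or the server calls, must be HTTPS.
    foreach ($key in 'authorization_endpoint', 'token_endpoint', 'jwks_uri', 'userinfo_endpoint') {
        $v = $doc.$key
        if ($v -and -not $v.StartsWith('https://', [System.StringComparison]::OrdinalIgnoreCase)) {
            $problems.Add("'$key' is not https: $v")
        }
    }

    # Scopes and response type actually advertised by the provider.
    if ($doc.scopes_supported) {
        foreach ($s in $RequestedScopes) {
            if ($s -notin $doc.scopes_supported) { $problems.Add("Scope '$s' not advertised in scopes_supported") }
        }
    }
    if ($doc.response_types_supported -and 'code' -notin $doc.response_types_supported) {
        $problems.Add("response_type 'code' not advertised in response_types_supported")
    }

    [pscustomobject]@{
        Url      = $url
        Ok       = ($problems.Count -eq 0)
        Problems = $problems.ToArray()
    }
}

# Constructed sample document (not a real Okta response). It shows two failure
# classes: the issuer differs from the configured Authority, and
# authorization_endpoint is absent, so the handler could not build a redirect.
$sample = @'
{
  "issuer": "https://login.company.com/oauth2/default",
  "token_endpoint": "https://login.company.com/oauth2/default/v1/token",
  "jwks_uri": "https://login.company.com/oauth2/default/v1/keys",
  "scopes_supported": ["openid", "profile", "email", "offline_access"],
  "response_types_supported": ["code"]
}
'@

Test-OidcDiscovery -Authority 'https://login.company.com/oauth2/<application_id>' `
                   -RequestedScopes 'openid', 'profile', 'groups', 'offline_access' `
                   -DiscoveryJson $sample | Format-List
```

Run without `-DiscoveryJson` against the real Authority from the container (same network namespace, same proxy settings) and the `Fetch failed` branch reports the underlying HTTP or TLS error; run with the constructed sample and it lists the missing `authorization_endpoint`, the issuer mismatch and the unadvertised `groups` scope. Passing `Ok = True` from the container is a quick way to separate a reachability or metadata problem from a bug in the server build itself.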

OIDC is also working on my end, but I’m using Azure. I’ll set up Okta auth similar to yours to see if I can reproduce.

Figured I’d try the new 5.0.0 release (previously I was using RC5). I completed a clean install with a fresh DB and copied the repository folder over as I have before; this time I’m getting the following when trying to log in via OIDC (I’m using Azure as my IdP):

IDX20803: Unable to obtain configuration from: 'https://login.microsoftonline.com/XXXXX/.well-known/openid-configuration'. Will retry at '8/21/2024 4:22:17 PM +00:00'. Exception: 'System.IO.IOException: IDX20804: Unable to retrieve document from: 'https://login.microsoftonline.com/XXXXXX/.well-known/openid-configuration'.
 ---> System.Net.Http.HttpRequestException: The SSL connection could not be established, see inner exception.
 ---> System.Security.Authentication.AuthenticationException: Cannot determine the frame size or a corrupted frame was received.
   at System.Net.Security.SslStream.GetFrameSize(ReadOnlySpan`1 buffer)
   at System.Net.Security.SslStream.EnsureFullTlsFrameAsync[TIOAdapter](CancellationToken cancellationToken, Int32 estimatedSize)
   at System.Runtime.CompilerServices.PoolingAsyncValueTaskMethodBuilder`1.StateMachineBox`1.System.Threading.Tasks.Sources.IValueTaskSource<TResult>.GetResult(Int16 token)
   at System.Net.Security.SslStream.ReceiveHandshakeFrameAsync[TIOAdapter](CancellationToken cancellationToken)
   at System.Net.Security.SslStream.ForceAuthenticationAsync[TIOAdapter](Boolean receiveFirst, Byte[] reAuthenticationData, CancellationToken cancellationToken)
   at System.Net.Http.ConnectHelper.EstablishSslConnectionAsync(SslClientAuthenticationOptions sslOptions, HttpRequestMessage request, Boolean async, Stream stream, CancellationToken cancellationToken)
   --- End of inner exception stack trace ---
   at System.Net.Http.ConnectHelper.EstablishSslConnectionAsync(SslClientAuthenticationOptions sslOptions, HttpRequestMessage request, Boolean async, Stream stream, CancellationToken cancellationToken)
   at System.Net.Http.HttpConnectionPool.ConnectAsync(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)
   at System.Net.Http.HttpConnectionPool.CreateHttp11ConnectionAsync(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)
   at System.Net.Http.HttpConnectionPool.AddHttp11ConnectionAsync(QueueItem queueItem)
   at System.Threading.Tasks.TaskCompletionSourceWithCancellation`1.WaitWithCancellationAsync(CancellationToken cancellationToken)
   at System.Net.Http.HttpConnectionPool.SendWithVersionDetectionAndRetryAsync(HttpRequestMessage request, Boolean async, Boolean doRequestAuth, CancellationToken cancellationToken)
   at System.Net.Http.HttpConnectionPool.EstablishProxyTunnelAsync(Boolean async, CancellationToken cancellationToken)
   at System.Net.Http.HttpConnectionPool.ConnectAsync(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)
   at System.Net.Http.HttpConnectionPool.CreateHttp11ConnectionAsync(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)
   at System.Net.Http.HttpConnectionPool.AddHttp11ConnectionAsync(QueueItem queueItem)
   at System.Threading.Tasks.TaskCompletionSourceWithCancellation`1.WaitWithCancellationAsync(CancellationToken cancellationToken)
   at System.Net.Http.HttpConnectionPool.SendWithVersionDetectionAndRetryAsync(HttpRequestMessage request, Boolean async, Boolean doRequestAuth, CancellationToken cancellationToken)
   at System.Net.Http.DiagnosticsHandler.SendAsyncCore(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)
   at System.Net.Http.RedirectHandler.SendAsync(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)
   at System.Net.Http.HttpClient.<SendAsync>g__Core|83_0(HttpRequestMessage request, HttpCompletionOption completionOption, CancellationTokenSource cts, Boolean disposeCts, CancellationTokenSource pendingRequestsCts, CancellationToken originalCancellationToken)
   at Microsoft.IdentityModel.Protocols.HttpDocumentRetriever.SendAsyncAndRetryOnNetworkError(HttpClient httpClient, Uri uri)
   at Microsoft.IdentityModel.Protocols.HttpDocumentRetriever.GetDocumentAsync(String address, CancellationToken cancel)
   --- End of inner exception stack trace ---
   at Microsoft.IdentityModel.Protocols.HttpDocumentRetriever.GetDocumentAsync(String address, CancellationToken cancel)
   at Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectConfigurationRetriever.GetAsync(String address, IDocumentRetriever retriever, CancellationToken cancel)
   at Microsoft.IdentityModel.Protocols.ConfigurationManager`1.GetConfigurationAsync(CancellationToken cancel)'.

FYI, I can get to the well-known config URL and see the JSON myself, so no issues with connectivity.

I can’t seem to get past the above error even when navigating to ‘localhost/login’: the URL changes to /first-run but the error stays and I can’t get to the login form.

Not sure what’s causing it, going to just go over it one more time.
Just tried rolling back and testing with RC5, and I’m getting the same issue there, so I’m now thinking I’ve cocked something up.

EDIT:
Got it working again on RC5; the steps I took are as follows:

  • Full uninstall, made sure the Program Files folder was removed and also the UniversalAutomation and PowershellUniversal folders in ProgramData
  • Fresh install with RC5
  • Install as a service, with a service account; do not start after install
  • Replace appsettings.json (uses HTTPS on localhost)
  • Start service
  • Set admin password, log in, apply license
  • Stop service
  • Copy repository folder from v4
  • Start service and log in with OIDC

I’ll try the same process on the latest release and see if that resolves my original issue as above.

EDIT2: Yup, the above worked just fine on the last 5.0.0 release, logging in with OIDC without issue.

I tried this again this morning and didn’t have an issue. SAML2 is not working in 5.0.0 but will be fixed in 5.0.1.

Well, I’m still having issues with OIDC (Okta) and not being able to use v5.0.0 so far.

Always getting the “Cannot redirect to the authorization endpoint, the configuration may be missing or invalid.” with the following error in the logs:

[10:48:30 DBG] 1 candidate(s) found for the request path '/'
[10:48:30 DBG] Endpoint 'Fallback /{**segment}' with route pattern '/{**segment}' is valid for the request path '/'
[10:48:30 DBG] Request matched endpoint '/_Host'
[10:48:30 VRB] The endpoint does not specify the IRequestSizeLimitMetadata.
[10:48:30 INF] Executing ChallengeResult with authentication schemes ().
[10:48:30 VRB] Entering Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler's HandleUnauthorizedAsync.
[10:48:30 VRB] Using properties.RedirectUri for 'local redirect' post authentication: '/'.
[10:48:30 VRB] Performing protect operation to key {726b7ced-61d3-49fe-a076-bb3075fdb9d6} with purposes ('/', 'Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler', 'System.String', 'OpenIdConnect', 'v1').
[10:48:30 VRB] Performing protect operation to key {726b7ced-61d3-49fe-a076-bb3075fdb9d6} with purposes ('/', 'Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler', 'OpenIdConnect', 'v1').
[10:48:30 ERR] An unhandled exception has occurred while executing the request.
System.InvalidOperationException: Cannot redirect to the authorization endpoint, the configuration may be missing or invalid.
at Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler.HandleChallengeAsyncInternal(AuthenticationProperties properties)
at Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler.HandleChallengeAsync(AuthenticationProperties properties)
at Microsoft.AspNetCore.Authentication.AuthenticationHandler`1.ChallengeAsync(AuthenticationProperties properties)
at Microsoft.AspNetCore.Authentication.AuthenticationService.ChallengeAsync(HttpContext context, String scheme, AuthenticationProperties properties)
at Microsoft.AspNetCore.Mvc.ChallengeResult.ExecuteResultAsync(ActionContext context)
at Universal.Server.Middleware.RoutingMiddleware.Invoke(HttpContext httpContext, IPolicyEvaluator policyEvaluator) in C:\actions-runner\_work\universal\universal\src\Universal.Server\Middleware\RoutingMiddleware.cs:line 155
at PowerShellUniversal.PSUMiddleware.InvokeAsync(HttpContext context, RequestDelegate next) in C:\actions-runner\_work\universal\universal\src\Universal.Server\Middleware\PowerShellMiddleware.cs:line 43
at Microsoft.AspNetCore.Builder.UseMiddlewareExtensions.InterfaceMiddlewareBinder.<>c__DisplayClass2_0.<<CreateMiddleware>b__0>d.MoveNext()
--- End of stack trace from previous location ---
at Swashbuckle.AspNetCore.SwaggerUI.SwaggerUIMiddleware.Invoke(HttpContext httpContext)
at Swashbuckle.AspNetCore.Swagger.SwaggerMiddleware.Invoke(HttpContext httpContext, ISwaggerProvider swaggerProvider)
at Universal.Server.Middleware.WindowsAuthMiddleware.InvokeAsync(HttpContext context, RequestDelegate next) in C:\actions-runner\_work\universal\universal\src\Universal.Server\Middleware\WindowsAuthMiddleware.cs:line 27
at Microsoft.AspNetCore.Builder.UseMiddlewareExtensions.InterfaceMiddlewareBinder.<>c__DisplayClass2_0.<<CreateMiddleware>b__0>d.MoveNext()
--- End of stack trace from previous location ---
at Universal.Server.Middleware.SwaggerAuthenticationMiddleware.InvokeAsync(HttpContext context, RequestDelegate next) in C:\actions-runner\_work\universal\universal\src\Universal.Server\Middleware\SwaggerAuthMiddleware.cs:line 51
at Microsoft.AspNetCore.Builder.UseMiddlewareExtensions.InterfaceMiddlewareBinder.<>c__DisplayClass2_0.<<CreateMiddleware>b__0>d.MoveNext()
--- End of stack trace from previous location ---
at AspNetCoreRateLimit.RateLimitMiddleware`1.Invoke(HttpContext context) in C:\actions-runner\_work\universal\universal\src\AspNetCoreRateLimit\Middleware\RateLimitMiddleware.cs:line 109
at Microsoft.AspNetCore.Session.SessionMiddleware.Invoke(HttpContext context)
at Microsoft.AspNetCore.Session.SessionMiddleware.Invoke(HttpContext context)
at Microsoft.AspNetCore.Diagnostics.ExceptionHandlerMiddlewareImpl.<Invoke>g__Awaited|10_0(ExceptionHandlerMiddlewareImpl middleware, HttpContext context, Task task)
[10:48:30 DBG] No response compression available for HTTPS requests. See ResponseCompressionOptions.EnableForHttps.
[10:48:30 INF] Request finished HTTP/2 GET https://localhost:5003/ - 500 null text/plain 5.835ms

Shall I open a ticket?

Sure. I did find a GitHub issue in ASP.NET Core referring to this error, so it may be related. I opened an issue to track it here: OIDC Issues · Issue #3640 · ironmansoftware/powershell-universal · GitHub

I deployed 5.0.1, no luck; rolled back to 4.3.4 without changing anything and OIDC works.

So are you sure that nothing changed with 5.0.1?

Many thanks in advance.

It looks like the issue is a package mismatch: [Bug] Well-known openId configuration parsing is causing IDX1050 errors · Issue #2523 · AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet · GitHub

We upgraded all the packages to avoid a mismatch in versions, as mentioned in the issue. I still haven’t reproduced this but it will be like this in 5.0.2.

@adam: I just deployed 5.0.2 and I can confirm that OIDC works now!

I’m just having some issues related to roles, but that’s another story.
