Product: PowerShell Universal
Version: 4.2.12
Hello,
since we upgraded Universal from 3.x to 4.2.12 we almost daily get broken OIDC authentication against Azure. Log with error below. After multiple restarts of Universal service it starts to work, but it is getting pretty frustrating. Anyone encountered this issue and managed to find fix?
I have tried to change OIDC settings, but it seems to be broken when compared to 3.x. I cannot achieve the Graph API as additional resource, UI throws Error, command does not set Save Token as specified. I have tried moving configuration from authentication.ps1 to appsettings.json but it behaves just the same, even when stripped to bare basic config as shown below (also note, same config worked on 3.x with no problems)
appsettings.json part for authentication (removed sensitive info):
"Authentication": {
"OIDC": {
"Enabled": "true",
"CallbackPath": "/auth/signin-oidc",
"ClientID": "{id}",
"ClientSecret": "{secret}",
"Resource": "",
"Authority": "https://login.microsoftonline.com/{tenantId}",
"ResponseType": "code",
"SaveTokens": "false",
"CorrelationCookieSameSite": "",
"UseTokenLifetime": true
}
}
Error from log with log level Debug (removed sensitive info):
2024-03-04 10:40:38.413 +01:00 [INF] Request starting HTTP/2 GET https://dashboard.example.com/ - -
2024-03-04 10:40:38.416 +01:00 [INF] Executing ChallengeResult with authentication schemes ([]).
2024-03-04 10:40:38.416 +01:00 [INF] AuthenticationScheme: OpenIdConnect was challenged.
2024-03-04 10:40:38.416 +01:00 [INF] Request finished HTTP/2 GET https://dashboard.example.com/ - - - 302 0 - 3.2910ms
2024-03-04 10:40:38.976 +01:00 [INF] Request starting HTTP/2 POST https://dashboard.example.com/auth/signin-oidc application/x-www-form-urlencoded 3454
2024-03-04 10:40:39.407 +01:00 [INF] Evaluting claims for redacted@example.com, Cache: False
2024-03-04 10:40:39.408 +01:00 [ERR] Connection id "0HN1S5KDRF7KK", Request id "0HN1S5KDRF7KK:00000003": An unhandled exception was thrown by the application.
Grpc.Core.RpcException: Status(StatusCode="Unavailable", Detail="failed to connect to all addresses", DebugException="Grpc.Core.Internal.CoreErrorDetailException: {"created":"@1709545239.408000000","description":"Failed to pick subchannel","file":"..\..\..\src\core\ext\filters\client_channel\client_channel.cc","file_line":3218,"referenced_errors":[{"created":"@1709545239.408000000","description":"failed to connect to all addresses","file":"..\..\..\src\core\lib\transport\error_utils.cc","file_line":165,"grpc_status":14}]}")
---> Grpc.Core.Internal.CoreErrorDetailException: {"created":"@1709545239.408000000","description":"Failed to pick subchannel","file":"..\..\..\src\core\ext\filters\client_channel\client_channel.cc","file_line":3218,"referenced_errors":[{"created":"@1709545239.408000000","description":"failed to connect to all addresses","file":"..\..\..\src\core\lib\transport\error_utils.cc","file_line":165,"grpc_status":14}]}
--- End of inner exception stack trace ---
at ProtoBuf.Grpc.Internal.Reshape.UnaryTaskAsyncImpl[TRequest,TResponse](AsyncUnaryCall`1 call, MetadataContext metadata, CancellationToken cancellationToken) in /_/src/protobuf-net.Grpc/Internal/Reshape.cs:line 300
at Universal.Server.Services.SecurityProxy.AuthorizeAsync(ClaimsPrincipal claimsPrincipal, IEnumerable`1 roles, String userInfo) in C:\actions-runner\_work\universal\universal\src\Universal.Server\Services\Authentication\SecurityProxy.cs:line 250
at Universal.Server.Services.ClaimsEvaluator.EvaluateAsync(ClaimsPrincipal principal, HttpContext httpContext, Boolean cache, String userInfo) in C:\actions-runner\_work\universal\universal\src\Universal.Server\Services\Authentication\ClaimsEvaluator.cs:line 112
at Universal.Server.Startup.<>c.<<ConfigureServices>b__6_28>d.MoveNext() in C:\actions-runner\_work\universal\universal\src\Universal.Server\Startup.cs:line 323
--- End of stack trace from previous location ---
at Microsoft.AspNetCore.Authentication.Cookies.CookieAuthenticationHandler.HandleSignInAsync(ClaimsPrincipal user, AuthenticationProperties properties)
at Microsoft.AspNetCore.Authentication.AuthenticationService.SignInAsync(HttpContext context, String scheme, ClaimsPrincipal principal, AuthenticationProperties properties)
at Microsoft.AspNetCore.Authentication.RemoteAuthenticationHandler`1.HandleRequestAsync()
at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context)
at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Http.HttpProtocol.ProcessRequests[TContext](IHttpApplication`1 application)
2024-03-04 10:40:39.409 +01:00 [INF] Request finished HTTP/2 POST https://dashboard.example.com/auth/signin-oidc application/x-www-form-urlencoded 3454 - 500 0 - 433.3466ms
Thanks in advance
Jakub