Trying to get OIDC to work and failing

andrew.wood.wb · August 26, 2020, 9:45am

I have set up the OIDC settings in appsettings.json to talk to Okta (the parts have the real values in obvs.).

	"OIDC": {
		"Enabled": "true",
		"CallbackPath": "/auth/signin-oidc",
		"ClientID": "<ClientID>",
		"ClientSecret": "<ClientSecret>",
		"Resource": "",
		"Authority": "https://<Domain>.okta.com/oauth2/default/",
		"ResponseType": "code",
		"SaveTokens": "false"
	}

But It doesn’t seem to work.

I noticed in the logs the following. (site.domain.com represents our real FQDN) which looks like CORS might not be properly configured in PU itself?

2020-08-26T09:34:13.3748411+00:00 0HM29KCOP17K2:00000001 [INF] Request starting HTTP/1.1 GET https://site.domain.com/login   (ca22a1cb)
2020-08-26T09:34:13.9225738+00:00 0HM29KCOP17K2:00000001 [INF] /login (68a5683a)
2020-08-26T09:34:13.9653921+00:00 0HM29KCOP17K2:00000001 [INF] Request finished in 595.7193ms 200 text/html (791a596a)
2020-08-26T09:34:14.0884360+00:00 0HM29KCOP17K2:00000002 [INF] Request starting HTTP/1.1 GET https://site.domain.com/login/favicon.ico   (ca22a1cb)
2020-08-26T09:34:14.2456307+00:00 0HM29KCOP17K2:00000002 [INF] /login/favicon.ico (d0ff7f98)
2020-08-26T09:34:14.2458367+00:00 0HM29KCOP17K2:00000002 [INF] C:\Program Files (x86)\Universal\Login\favicon.ico (762f299d)
2020-08-26T09:34:14.2459993+00:00 0HM29KCOP17K2:00000002 [INF] image/x-icon (44e8ed0d)
2020-08-26T09:34:14.2583430+00:00 0HM29KCOP17K2:00000002 [INF] Executing "Microsoft.AspNetCore.Mvc.PhysicalFileResult", sending file '"C:\Program Files (x86)\Universal\Login\favicon.ico"' with download name '""' ... (5a6f99a2)
2020-08-26T09:34:14.2953935+00:00 0HM29KCOP17K2:00000002 [INF] Request finished in 206.9824ms 200 image/x-icon (791a596a)
2020-08-26T09:34:57.0190466+00:00 0HM29KCOP17K2:00000003 [INF] Request starting HTTP/1.1 POST https://site.domain.com/api/v1/signin application/json 88 (ca22a1cb)
2020-08-26T09:34:57.0281939+00:00 0HM29KCOP17K2:00000003 [INF] CORS policy execution failed. (09b6f179)
2020-08-26T09:34:57.0283350+00:00 0HM29KCOP17K2:00000003 [INF] Request origin "https://site.domain.com" does not have permission to access the resource. (a03d560b)
2020-08-26T09:34:57.4532332+00:00 0HM29KCOP17K2:00000003 [INF] Executing endpoint '"UniversalDashboard.Controllers.AuthenticationController.SignIn (Universal.Server)"' (500cc934)
2020-08-26T09:34:57.4921170+00:00 0HM29KCOP17K2:00000003 [INF] Route matched with "{action = \"SignIn\", controller = \"Authentication\"}". Executing controller action with signature "System.Threading.Tasks.Task`1[Microsoft.AspNetCore.Mvc.IActionResult] SignIn(UniversalDashboard.Controllers.Credential)" on controller "UniversalDashboard.Controllers.AuthenticationController" ("Universal.Server"). (122b2fdf)
2020-08-26T09:34:58.1387459+00:00 0HM29KCOP17K2:00000003 [INF] Executing JsonResult, writing value of type '"<>f__AnonymousType0`1[[System.String, System.Private.CoreLib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e]]"'. (2f513669)
2020-08-26T09:34:58.1537428+00:00 0HM29KCOP17K2:00000003 [INF] Executed action "UniversalDashboard.Controllers.AuthenticationController.SignIn (Universal.Server)" in 653.8807ms (afa2e885)
2020-08-26T09:34:58.1539533+00:00 0HM29KCOP17K2:00000003 [INF] Executed endpoint '"UniversalDashboard.Controllers.AuthenticationController.SignIn (Universal.Server)"' (99874f2b)
2020-08-26T09:34:58.1542800+00:00 0HM29KCOP17K2:00000003 [INF] Request finished in 1135.4041ms 200 application/json; charset=utf-8 (791a596a)
2020-08-26T09:35:01.4591835+00:00  [INF] Starting groom job. (bad5cbbf)

jcastle · September 22, 2020, 1:23pm

I’m having the same issue with OIDC in Powershell Universal.
The only account that I can get to work with OIDC is our Azure AD Global Admin. For some reason, that account is working perfectly fine.

For all other accounts in Azure AD, we are getting the above error with:

    2020-09-22T06:18:35.0741892-07:00 0HM2UV7PDIH43:00000002 [INF] Request starting HTTP/1.1 POST http://universal.domain.com/auth/signin-oidc application/x-www-form-urlencoded 1417 (ca22a1cb)
    2020-09-22T06:18:35.0790540-07:00 0HM2UV7PDIH43:00000002 [INF] CORS policy execution failed. (09b6f179)
    2020-09-22T06:18:35.0792009-07:00 0HM2UV7PDIH43:00000002 [INF] Request origin "https://login.microsoftonline.com" does not have permission to access the resource. (a03d560b)

Did you have any luck finding a solution?

adam · September 22, 2020, 1:50pm

This may be a bug in how we configure CORS in PowerShell Universal. We’re adding a setting in 1.4 for you to allow specific origins to make cross domain calls so you’d be able to add login.microsoftonline.com to the allow list. Not sure why the admin one works though…

andrew.wood.wb · February 10, 2021, 11:39am

Fixed in PU 1.5.11

Topic		Replies	Views
Help with Okta setup PowerShell Universal	4	563	April 5, 2022
OIDC authentication: Cannot redirect to the authorization endpoint, the configuration may be missing or invalid PowerShell Universal	0	56	September 27, 2024
Random errors during OIDC signin PowerShell Universal	0	150	March 4, 2024
OIDC redirect loop PowerShell Universal	3	395	October 14, 2022
How to acces my Endpoint with Okta OIDC	1	293	June 23, 2022

Trying to get OIDC to work and failing

Related topics