OpenID Connect issue with Azure AD

Yes, we are using KeyCloak and use Azure AD for federation behind it. It’s correctly bootstrapping the email, so it must do some kind of mapping just like the one you mention.

We have a fix. We were using the v1.0 version of the endpoint. When we switch to the v2.0, it works and we get the email just fine. Thanks for all your help @david, talking it through helps us triage the issue.

4 Likes

Glad to hear it!

Would you be able to describe how to tell whether you’re using v1 or v2 in the azure portal? Then we can add a note to the instructions above so it doesn’t catch anyone else!

2 Likes

Yep, adding /v2.0/ to the metadata document URL.

https://login.microsoftonline.com/replace-with-tenant-id/v2.0/.well-known/openid-configuration

5 Likes
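As an added illustration (not code from this thread or from Discourse), here is a small diagnostic that builds the v1.0 and v2.0 discovery URLs for a tenant, tells the two apart from the `issuer` a fetched discovery document reports, and checks whether an ID token actually carries an `email` claim. It assumes the documented Azure AD issuer formats (`https://sts.windows.net/<tenant>/` for v1.0 and `.../<tenant>/v2.0` for v2.0); the discovery documents and tokens below are constructed samples.

```python
import base64
import json
from urllib.parse import urlparse

LOGIN = "https://login.microsoftonline.com"


def metadata_url(tenant_id: str, v2: bool = True) -> str:
    """Azure AD OIDC discovery URL; the v2.0 endpoint adds a /v2.0/ path segment."""
    return f"{LOGIN}/{tenant_id}{'/v2.0' if v2 else ''}/.well-known/openid-configuration"


def endpoint_version(discovery: dict) -> str:
    """Classify a discovery document as v1.0 or v2.0 from its issuer value.
    v1.0 issuers are https://sts.windows.net/<tenant>/, v2.0 issuers end in /v2.0."""
    issuer = discovery.get("issuer", "")
    if issuer.rstrip("/").endswith("/v2.0"):
        return "v2.0"
    if urlparse(issuer).netloc == "sts.windows.net":
        return "v1.0"
    return "unknown"


def id_token_claims(id_token: str) -> dict:
    """Decode a JWT payload for inspection only; this performs NO signature check."""
    payload = id_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def diagnose(discovery: dict, id_token: str) -> str:
    """Explain a missing email the way the thread resolved it: v1.0 tokens omit it."""
    version = endpoint_version(discovery)
    if "email" in id_token_claims(id_token):
        return f"ok: {version} endpoint, email claim present"
    if version == "v1.0":
        return "missing email: v1.0 endpoint in use; switch the metadata URL to /v2.0/"
    return "missing email: confirm the 'email' scope is requested and the claim is emitted"


def _unsigned_jwt(claims: dict) -> str:
    """Constructed sample token (alg none, empty signature) for the offline demo."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}."


TENANT = "replace-with-tenant-id"  # placeholder tenant id, as in the thread
V1_DISCOVERY = {"issuer": f"https://sts.windows.net/{TENANT}/"}  # constructed
V2_DISCOVERY = {"issuer": f"{LOGIN}/{TENANT}/v2.0"}  # constructed
V1_TOKEN = _unsigned_jwt({"upn": "user@example.org", "sub": "abc"})  # no email claim
V2_TOKEN = _unsigned_jwt({"email": "user@example.org", "sub": "abc"})

if __name__ == "__main__":
    print(diagnose(V1_DISCOVERY, V1_TOKEN))
    print(diagnose(V2_DISCOVERY, V2_TOKEN))
```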

Perfect, thanks. I’ve added a note to the OP.

4 Likes

Hi, I am getting a very similar issue to the OP here. I’m authenticating against NHS.net, which under the hood is Active Directory and probably provided by Azure. I’m using the OIDC plugin and getting the following error:

(oidc) Authentication failure! invalid_credentials: OAuth2::Error,
(the error ends with a comma, and no further data, unlike the OP’s error though)

I’ve tried changing the settings of the authorization and token scope to openid email profile (and these are supported on the OIDC endpoint according to the configuration URL data).

Still getting that same error in the UI ‘Sorry, there was an error authorizing your account. Please try again.’

I’m not getting any data back from the JWT, it seems. So it’s not quite the same as the ‘missing email field’ issue, but it started with the same error. The only other place on Meta I can find that error (that seems relevant) is ‘SSL Error during OAuth2’. That turned out to be related to an SSL issue (and interestingly NHS.net’s cert does have that issue, which I have reported). But having installed the SSL workaround, the Faraday SSL errors went away. It does still look as though some part of the OpenID Connect flow is broken, though.

Any suggestions on next steps for debugging this?