Yes, we are using KeyCloak and use Azure AD for federation behind it. It’s correctly bootstrapping the email, so it must do some kind of mapping just like the one you mention.
We have a fix. We were using the v1.0 version of the endpoint. When we switched to v2.0, it works and we get the email just fine. Thanks for all your help @david, talking it through helped us triage the issue.
Glad to hear it!
Would you be able to describe how to tell whether you’re using v1 or v2 in the Azure portal? Then we can add a note to the instructions above so it doesn’t catch anyone else!
Yep, adding /v2.0/ to the metadata document URL.
https://login.microsoftonline.com/replace-with-tenant-id/v2.0/.well-known/openid-configuration
Perfect, thanks. I’ve added a note to the OP.
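One way to check the v1/v2 question mechanically, as an added example that is not code from this thread or from Discourse: the metadata URL path and the `issuer` field of the discovery document it returns must agree on the version, and only the v2.0 document advertises the `email` scope. The two discovery documents below are constructed samples (the tenant id is a placeholder), not captured Azure AD responses, and include only the fields the check reads.

```python
from urllib.parse import urlparse

# Constructed sample discovery documents (not captured from Azure AD) that
# mimic the two endpoint versions; only the fields the check reads are included.
TENANT = "00000000-0000-0000-0000-000000000000"  # placeholder tenant id
V1_DOC = {
    "issuer": f"https://sts.windows.net/{TENANT}/",
    "scopes_supported": ["openid"],
}
V2_DOC = {
    "issuer": f"https://login.microsoftonline.com/{TENANT}/v2.0",
    "scopes_supported": ["openid", "profile", "email", "offline_access"],
}

def endpoint_version(metadata_url: str, discovery: dict) -> str:
    """Classify an Azure AD OIDC configuration as '1.0' or '2.0'.

    The metadata URL path (.../v2.0/.well-known/openid-configuration) and the
    'issuer' of the document it returns must agree; a mismatch means the URL
    and the fetched document do not belong to the same endpoint version.
    """
    url_is_v2 = "/v2.0/" in urlparse(metadata_url).path
    issuer = discovery.get("issuer", "")
    issuer_is_v2 = issuer.rstrip("/").endswith("/v2.0")
    if url_is_v2 != issuer_is_v2:
        raise ValueError(f"metadata URL and issuer disagree: {metadata_url!r} vs {issuer!r}")
    return "2.0" if url_is_v2 else "1.0"

def check_email_support(metadata_url: str, discovery: dict) -> dict:
    """Report the endpoint version and whether the 'email' scope is advertised."""
    version = endpoint_version(metadata_url, discovery)
    scopes = set(discovery.get("scopes_supported", []))
    ok = version == "2.0" and "email" in scopes
    return {
        "version": version,
        "email_scope_advertised": "email" in scopes,
        "recommendation": "ok" if ok else "switch the metadata document URL to the /v2.0/ endpoint",
    }

if __name__ == "__main__":
    base = f"https://login.microsoftonline.com/{TENANT}"
    for url, doc in [(f"{base}/.well-known/openid-configuration", V1_DOC),
                     (f"{base}/v2.0/.well-known/openid-configuration", V2_DOC)]:
        print(url, check_email_support(url, doc))
```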
Hi, I’m running into a problem very similar to the original poster’s. I’m authenticating against NHS.net, which is backed by Active Directory, probably provided by Azure. I’m using the OIDC plugin and get the following error:
(oidc) Authentication failure! invalid_credentials: OAuth2::Error,
(The error ends with a comma and no further data, although this differs from the original poster’s error.)
I tried setting the authorize and token scopes to openid email profile (according to the configuration URL data, the OIDC endpoint supports these scopes).
But I still get the same error in the UI: “Sorry, there was an error authorizing your account. Please try again.”
It seems no data is being returned from the JWT. So this isn’t exactly the same as the “missing email field” issue, but it starts from the same error. The other place on Meta I found related to this error (and which seems relevant) is https://meta.discourse.org/t/ssl-error-during-oauth2/135257. That issue later turned out to be related to an SSL problem (interestingly, the NHS.net certificate does have that problem, which I have reported). But after installing the SSL workaround, the Faraday SSL error went away. However, it looks like some part of the OpenID Connect flow is still failing.
Any suggestions for the next debugging step?