Microsoft SSO auth OpenID results in JsonWebTokenError #9149

Closed

keesvanbemmel opened this issue Oct 26, 2021 · 22 comments

@keesvanbemmel
Contributor

keesvanbemmel commented Oct 26, 2021

Describe the Bug

After upgrading to RC99 I needed to reconfigure the Microsoft auth provider and I wanted to use OpenID.

I think I did everything correctly, but it seems that the token is not passed to the OpenID auth driver.

These are the ENV variables to set up SSO (redacted of course):

AUTH_PROVIDERS="microsoft"
AUTH_MICROSOFT_DRIVER="openid"
AUTH_MICROSOFT_CLIENT_ID="00000000-0000-0000-0000-000000000000"
AUTH_MICROSOFT_CLIENT_SECRET="0000000000000000000000"
AUTH_MICROSOFT_SCOPE="openid profile email"
AUTH_MICROSOFT_ISSUER_URL="https://login.microsoftonline.com/<REDACTED-TENANT-ID>/v2.0/.well-known/openid-configuration"

To Reproduce

Added env variables like above, expected it to work like that. So either it's a bug or, more likely, I'm missing a config key?

Errors Shown

07:31:50 ✨ request completed GET 302 /auth/login/microsoft?redirect=?continuehttp://localhost:8055/admin/login 13ms
07:31:51 ⚠️  Invalid user credentials.
07:31:51 ✨ request completed GET 302 /auth/login/microsoft/callback?code=0.AXMAh<REDACTED>&session_state=<REDACTED> 529ms
07:31:51 🚨 JsonWebTokenError jwt must be provided
JsonWebTokenError: jwt must be provided
    at Object.module.exports [as verify] (/src/node_modules/jsonwebtoken/verify.js:53:17)
    at /src/node_modules/directus/dist/auth/drivers/openid.js:185:63
    at scoped (/src/node_modules/directus/dist/utils/async-handler.js:5:60)
    at Layer.handle [as handle_request] (/src/node_modules/express/lib/router/layer.js:95:5)
    at next (/src/node_modules/express/lib/router/route.js:137:13)
    at Route.dispatch (/src/node_modules/express/lib/router/route.js:112:3)
    at Layer.handle [as handle_request] (/src/node_modules/express/lib/router/layer.js:95:5)
    at /src/node_modules/express/lib/router/index.js:281:22
    at Function.process_params (/src/node_modules/express/lib/router/index.js:335:12)
    at next (/src/node_modules/express/lib/router/index.js:275:10)
    at Function.handle (/src/node_modules/express/lib/router/index.js:174:3)
    at router (/src/node_modules/express/lib/router/index.js:47:12)
    at Layer.handle [as handle_request] (/src/node_modules/express/lib/router/layer.js:95:5)
    at trim_prefix (/src/node_modules/express/lib/router/index.js:317:13)
    at /src/node_modules/express/lib/router/index.js:284:7
    at Function.process_params (/src/node_modules/express/lib/router/index.js:335:12)
07:31:51 ✨ request errored GET 500 /auth/login/microsoft/callback?reason=INVALID_USER 10ms

What version of Directus are you using?

rc99

What version of Node.js are you using?

14lts

What database are you using?

Postgres 13

What browser are you using?

chrome

What operating system are you using?

macos

How are you deploying Directus?

docker

@ms-at-github

ms-at-github commented Oct 26, 2021

Same issue here but with Auth0 as SSO provider.

AUTH_PROVIDERS="auth0"
AUTH_AUTH0_DRIVER="openid"
AUTH_AUTH0_CLIENT_ID="???????????????"
AUTH_AUTH0_CLIENT_SECRET="??????????????????????????????????"
AUTH_AUTH0_ISSUER_URL="https://???????????.auth0.com/.well-known/openid-configuration"

@mp-itconsulting

mp-itconsulting commented Oct 26, 2021

Also same issue with auth0 (was working before with rc96 - rc98)

auth0 configured with openid driver:

  • result = "internal server error"

auth0 configured with oauth2 driver:

  • result = "invalid user"

The Auth0 configuration was working fine before the update to rc99 and the necessary change of the SSO configuration. Auth0 is also working fine with other apps on this server.

I've also double-checked the configuration parameters, no error. The OpenID configuration is the same as described by "ms-at-github".

Tested with chrome and firefox (both latest versions)

@aidenfoxx
Contributor

@keesvanbemmel Are you using https://login.microsoftonline.com/<TENANTID>/v2.0/ in the config? If so, you need to replace <TENANTID> with whatever is correct for your integration.

Otherwise I'm fairly sure the errors are caused by: #9053 which already has a fix in place.

@mp-itconsulting @ms-at-github You can verify if you are experiencing the above bug by appending "?test" to your login URL before authenticating with SSO.

@keesvanbemmel
Contributor Author

Hi @aidenfoxx the tenantid is filled out correctly. Just redacted in this issue description for security reasons. I'll edit my original post to show it's redacted.

@ms-at-github

Hi @aidenfoxx,
yes the JWT error is gone but login still doesn't work. Here are the logs:

Oct 26 11:22:39 directus.local npx[5001]: 11:22:39 ✨ request completed GET 200 /auth 11ms
Oct 26 11:22:40 directus.local npx[5001]: 11:22:40 ✨ request completed GET 302 /auth/login/auth0?redirect=https://directus.domain/admin/login?continue 8ms
Oct 26 11:22:40 directus.local npx[5001]: 11:22:40 ⚠️ Invalid user credentials.
Oct 26 11:22:40 directus.local npx[5001]: 11:22:40 ✨ request completed GET 302 /auth/login/auth0/callback?code=MyMTbbsZlbpChRUJvzn_qjPL_O5PryArrXhq99ua0mBEZ 287ms
Oct 26 11:22:40 directus.local npx[5001]: 11:22:40 ✨ request completed GET 200 /admin/login?reason=INVALID_USER 1ms

@aidenfoxx
Contributor

@ms-at-github What happens if you visit: https://directus.domain/auth/login/auth0 manually? Are you able to get the refresh and access tokens in the response?

@ms-at-github

Hi @aidenfoxx, when I visit this URL manually, after the redirect to the SSO login page and successful authentication there, I get the following error: {"errors":[{"message":"Invalid user credentials.","extensions":{"code":"INVALID_CREDENTIALS"}}]}

@aidenfoxx
Contributor

aidenfoxx commented Oct 26, 2021

@ms-at-github And you're sure you have a user with the correct email in your system under the Auth0 provider? The new system doesn't work exactly like the old system, and your user has to match the provider you wish to log in with.

@mp-itconsulting

@aidenfoxx: I've also checked that the username and email are identical in Directus / Auth0. But the result is the same as for ms-at-github.

@aidenfoxx
Contributor

> @aidenfoxx: I've also checked that the username and email are identical in Directus / Auth0. But the result is the same as for ms-at-github.

The issue may not be that the details don't match. You have to make sure that your authenticating user has the correct "Provider" attached to them, for example, in the screenshot below my user can only authenticate with Google SSO:

[Screenshot 2021-10-26 at 13 01 04: user record with the "Provider" field set to the Google SSO provider]

@ms-at-github

ms-at-github commented Oct 26, 2021

@aidenfoxx, well finally I've got it somehow working. Here are the things I needed to change:

  1. changing the default of AUTH_AUTH0_IDENTIFIER_KEY="sub" to "email"

     AUTH_PROVIDERS="auth0"
     AUTH_AUTH0_DRIVER="openid"
     AUTH_AUTH0_CLIENT_ID="???????????????"
     AUTH_AUTH0_CLIENT_SECRET="??????????????????????????????????"
     AUTH_AUTH0_ISSUER_URL="https://???????????.auth0.com/.well-known/openid-configuration"
     AUTH_AUTH0_IDENTIFIER_KEY="email"

  2. amend the login URL like you mentioned (append ?Test)
  3. changing the "Provider" settings of the user as you described.

Unfortunately I'm unable to log in via my local credentials (as a fallback) anymore. Not sure if this is the expected behavior, at least it's different to the previous SSO implementation.

@aidenfoxx
Contributor

@ms-at-github It is different behavior. We decided for the sake of security with other auth providers (like LDAP) to limit users to only be able to authenticate through one login method. This is why you cannot log in to the local account anymore.

I have added a fix so that it will be possible to have 2 separate Directus accounts linked to the same email (one local, one oauth), but that is the best compromise for now. #9153

@erik-konrad

We had the same error with Keycloak and OpenID configuration. (no other providers configured)

@aidenfoxx
Contributor

aidenfoxx commented Oct 26, 2021

@erik-konrad The "default" provider is always configured (the local login). So make sure your users are assigned to your keycloak provider.

@erik-konrad

> @erik-konrad The "default" provider is always configured (the local login). So make sure your users are assigned to your keycloak provider.

Did you mean over the email address? There was a local testaccount with the same email address in the keycloak user.

AUTH_KEYCLOAK_ALLOW_PUBLIC_REGISTRATION was set to true too and AUTH_KEYCLOAK_DEFAULT_ROLE_ID was set to admin account UUID.

@aidenfoxx
Contributor

aidenfoxx commented Oct 26, 2021

@erik-konrad The fact you have an existing user with the same email is most likely the issue. You either need to make sure that no other users share the Keycloak users email, or wait for #9153 to release.

@erik-konrad

> @erik-konrad The fact you have an existing user with the same email is most likely the issue. You either need to make sure that no other users share the Keycloak users email, or wait for #9153 to release.

Nope, I tested it with an existing local user and a non-existing one. Both ways don't work. In both cases I got the "JsonWebTokenError jwt must be provided" error.

Here is my configuration:

AUTH_PROVIDERS="keycloak"
AUTH_KEYCLOAK_DRIVER="openid"
AUTH_KEYCLOAK_CLIENT_ID="directus"
AUTH_KEYCLOAK_CLIENT_SECRET="66793e3b-294b-4b27-b3f4-f948a54a5bd7"
AUTH_KEYCLOAK_ISSUER_URL="http://localhost:8080/auth/realms/master/.well-known/openid-configuration"
AUTH_KEYCLAOK_ALLOW_PUBLIC_REGISTRATION="true"
AUTH_KEYCLOAK_DEFAULT_ROLE_ID="1abcd4b1-129f-4d6c-b729-3003fc05d3a6"

@aidenfoxx
Contributor

@erik-konrad You need to read more of the thread. That error is known and has a fix coming. See here for the temporary solution via "?test": #9149 (comment)

@erik-konrad

> @erik-konrad You need to read more of the thread. That error is known and has a fix coming. See here for the temporary solution via "?test": #9149 (comment)

Oh sorry, this was a misunderstanding.

@infomiho

infomiho commented Nov 3, 2021

@aidenfoxx For when is the fix planned?

@aidenfoxx
Contributor

@infomiho It was released in rc100 I believe.

@rijkvanzanten
Member

@aidenfoxx is correct, this was fixed #9054

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Feb 3, 2024