Current Behavior
When validation is disabled in the config, access is granted; when validation is enabled, access is denied.
In both cases, the following message is logged:
time=2024-05-10T14:59:47.266+02:00 level=WARN msg="provider did not return a id_token. Validation of user data is not possible." ip=x.x.x.x:4044 cid=34 kid=1 session_id="" common_name=username@example.com
Expected Behavior
Since an id_token is returned, the plugin should recognize it and be able to validate the user.
Steps To Reproduce
Using the following openvpn-auth-oauth2 config file, the error occurs. To create the log files provided and show that basic authentication is not affected, validation has been disabled.
```yaml
http:
  baseurl: "https://callback.example.com"
  enable-proxy-headers: true
  listen: ":9000"
  secret: "file:///usr/local/etc/openvpn/http.secret"
log:
  format: console
  level: DEBUG
  vpn-client-ip: true
oauth2:
  authorize-params: "a=c"
  client:
    id: "CLIENT_ID"
    secret: file:///usr/local/etc/openvpn/oauth2.client.secret
  endpoint:
    discovery: "https://login.microsoftonline.com/TENANT_ID/v2.0/.well-known/openid-configuration"
    auth: "https://login.microsoftonline.com/TENANT_ID/oauth2/v2.0/authorize"
    token: "https://login.microsoftonline.com/TENANT_ID/oauth2/v2.0/token"
  issuer: "https://login.microsoftonline.com/TENANT_ID/v2.0"
  provider: "generic"
  scopes:
    - "openid"
    - "profile"
    - "email"
  validate:
    common-name: "email"
openvpn:
  addr: "tcp://127.0.0.1:166"
  common-name:
    environment-variable-name: "username"
  password: file:///usr/local/etc/openvpn/password.txt
```
openvpn server logs:

```text
May 10 14:58:34 openvpn-oidc openvpn[1315]: username@example.com/x.x.x.x:4065 Data Channel: cipher 'AES-256-GCM', peer-id: 0
May 10 14:58:34 openvpn-oidc openvpn[1315]: username@example.com/x.x.x.x:4065 Timers: ping 10, ping-restart 120
May 10 14:58:34 openvpn-oidc openvpn[1315]: username@example.com/x.x.x.x:4065 Protocol options: explicit-exit-notify 1, protocol-flags cc-exit tls-ekm dyn-tls-crypt
May 10 14:59:16 openvpn-oidc openvpn[1315]: MANAGEMENT: Client disconnected
May 10 14:59:18 openvpn-oidc openvpn[1315]: MANAGEMENT: Client connected from [AF_INET]127.0.0.1:50942
May 10 14:59:18 openvpn-oidc openvpn[1315]: MANAGEMENT: CMD ''
May 10 14:59:18 openvpn-oidc openvpn[1315]: MANAGEMENT: CMD 'version'
May 10 14:59:45 openvpn-oidc openvpn[1315]: x.x.x.x:4044 peer info: IV_VER=2.6.9
May 10 14:59:45 openvpn-oidc openvpn[1315]: x.x.x.x:4044 peer info: IV_PLAT=mac
May 10 14:59:45 openvpn-oidc openvpn[1315]: x.x.x.x:4044 peer info: IV_TCPNL=1
May 10 14:59:45 openvpn-oidc openvpn[1315]: x.x.x.x:4044 peer info: IV_MTU=1600
May 10 14:59:45 openvpn-oidc openvpn[1315]: x.x.x.x:4044 peer info: IV_NCP=2
May 10 14:59:45 openvpn-oidc openvpn[1315]: x.x.x.x:4044 peer info: IV_CIPHERS=AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305
May 10 14:59:45 openvpn-oidc openvpn[1315]: x.x.x.x:4044 peer info: IV_PROTO=990
May 10 14:59:45 openvpn-oidc openvpn[1315]: x.x.x.x:4044 peer info: IV_LZO_STUB=1
May 10 14:59:45 openvpn-oidc openvpn[1315]: x.x.x.x:4044 peer info: IV_COMP_STUB=1
May 10 14:59:45 openvpn-oidc openvpn[1315]: x.x.x.x:4044 peer info: IV_COMP_STUBv2=1
May 10 14:59:45 openvpn-oidc openvpn[1315]: x.x.x.x:4044 peer info: IV_GUI_VER="net.tunnelblick.tunnelblick_5971_4.0.1__build_5971)"
May 10 14:59:45 openvpn-oidc openvpn[1315]: x.x.x.x:4044 peer info: IV_SSO=webauth
May 10 14:59:45 openvpn-oidc openvpn[1315]: x.x.x.x:4044 TLS: Username/Password authentication deferred for username 'username@example.com' [CN SET]
May 10 14:59:45 openvpn-oidc openvpn[1315]: x.x.x.x:4044 TLS: move_session: dest=TM_ACTIVE src=TM_INITIAL reinit_src=1
May 10 14:59:45 openvpn-oidc openvpn[1315]: x.x.x.x:4044 TLS: tls_multi_process: initial untrusted session promoted to semi-trusted
May 10 14:59:45 openvpn-oidc openvpn[1315]: x.x.x.x:4044 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer temporary key: 253 bits X25519
May 10 14:59:45 openvpn-oidc openvpn[1315]: x.x.x.x:4044 [username@example.com] Peer Connection Initiated with [AF_INET]x.x.x.x:4044
May 10 14:59:45 openvpn-oidc openvpn[1315]: MANAGEMENT: CMD 'client-pending-auth 34 1 "WEB_AUTH::https://callback.example.com/oauth2/start?state=CV0-AhPALEodUzHeX2pkgJACUvoTHdI4phXg-cKLNxab1uposhRfjjVLpKnuP2Klaq7RMoNjxcCkKlrpyBXnHstjH518IY0Za9glZcE" 180'
May 10 14:59:45 openvpn-oidc openvpn[1315]: SENT CONTROL [username@example.com]: 'AUTH_PENDING,timeout 180' (status=1)
May 10 14:59:45 openvpn-oidc openvpn[1315]: SENT CONTROL [username@example.com]: 'INFO_PRE,WEB_AUTH::https://callback.example.com/oauth2/start?state=CV0-AhPALEodUzHeX2pkgJACUvoTHdI4phXg-cKLNxab1uposhRfjjVLpKnuP2Klaq7RMoNjxcCkKlrpyBXnHstjH518IY0Za9glZcE' (status=1)
May 10 14:59:45 openvpn-oidc openvpn[1315]: x.x.x.x:4044 PUSH: Received control message: 'PUSH_REQUEST'
May 10 14:59:47 openvpn-oidc openvpn[1315]: MANAGEMENT: CMD 'client-auth 34 1'
May 10 14:59:50 openvpn-oidc openvpn[1315]: x.x.x.x:4044 PUSH: Received control message: 'PUSH_REQUEST'
May 10 14:59:50 openvpn-oidc openvpn[1315]: MULTI: new connection by client 'username@example.com' will cause previous active sessions by this client to be dropped. Remember to use the --duplicate-cn option if you want multiple clients using the same certificate or username to concurrently connect.
May 10 14:59:50 openvpn-oidc openvpn[1315]: OPTIONS IMPORT: reading client specific options from: /tmp/openvpn_cc_196a37ce788e3b284c60531f43db4049.tmp
May 10 14:59:50 openvpn-oidc openvpn[1315]: MULTI: no dynamic or static remote--ifconfig address is available for username@example.com/x.x.x.x:4044
May 10 14:59:50 openvpn-oidc openvpn[1315]: SENT CONTROL [username@example.com]: 'PUSH_REPLY...' (status=1)
May 10 14:59:50 openvpn-oidc openvpn[1315]: SENT CONTROL [username@example.com]: 'PUSH_REPLY,auth-token-user amJvbGxlQG5ldGFwcC5jb20=,peer-id 0,cipher AES-256-GCM,protocol-flags cc-exit tls-ekm dyn-tls-crypt,tun-mtu1500,push-continuation 1' (status=1)
May 10 14:59:51 openvpn-oidc openvpn[1315]: username@example.com/x.x.x.x:4044 Data Channel: cipher 'AES-256-GCM', peer-id: 0
May 10 14:59:51 openvpn-oidc openvpn[1315]: username@example.com/x.x.x.x:4044 Timers: ping 10, ping-restart 120
May 10 14:59:51 openvpn-oidc openvpn[1315]: username@example.com/x.x.x.x:4044 Protocol options: explicit-exit-notify 1, protocol-flags cc-exit tls-ekm dyn-tls-crypt
```
Anything else?
During troubleshooting I added a line to internal/oauth2/providers/generic/user.go to dump the tokens.Token object: dump-tokens-to-debug-log.txt
As can be seen in the logs, only the AccessToken appears to be recognized and extracted, while both access_token and id_token are contained in the raw:map part of the dump (which I assume is the full response the plugin received?). Using other tools I could also verify that an id_token is included in the response.
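Added example, not code from the openvpn-auth-oauth2 project or from the reporter: a stand-alone Go program showing where id_token sits in a token endpoint response and what validating it against the config above involves. It assumes the dumped tokens.Token is a golang.org/x/oauth2 Token, whose raw map is what Token.Extra("id_token") reads (the raw JSON is parsed directly here so the program runs without that module); the expected issuer and audience are the TENANT_ID and CLIENT_ID placeholders from the reporter's config; the RSA key pair and the token response are constructed stand-ins for the provider's JWKS key and its real reply; all function names are the example's own.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Expected values, mirroring the placeholders in the issue's config (assumption).
const expectedIssuer, expectedAudience = "https://login.microsoftonline.com/TENANT_ID/v2.0", "CLIENT_ID"

// IDTokenClaims holds the id_token claims needed for common-name validation.
// aud is a string here; the JWT spec also allows an array of strings.
type IDTokenClaims struct {
	Issuer   string `json:"iss"`
	Audience string `json:"aud"`
	Expiry   int64  `json:"exp"`
	Email    string `json:"email"`
}

// ExtractIDToken reads id_token out of a raw token-endpoint response. golang.org/x/oauth2 maps only
// access_token, token_type, refresh_token and expires_in to struct fields; id_token stays in the raw
// map behind Token.Extra("id_token"). The raw JSON is read directly here (no x/oauth2 dependency).
func ExtractIDToken(rawResponse []byte) (string, error) {
	var raw map[string]any
	if err := json.Unmarshal(rawResponse, &raw); err != nil {
		return "", fmt.Errorf("decode token response: %w", err)
	}
	idToken, ok := raw["id_token"].(string)
	if !ok || idToken == "" {
		return "", errors.New("provider did not return an id_token")
	}
	return idToken, nil
}

var b64 = base64.RawURLEncoding

// VerifyIDToken checks the RS256 signature with the provider key, then iss, aud and exp, and returns
// the claims so the caller can compare Email with the OpenVPN username (validate.common-name: "email").
func VerifyIDToken(idToken string, pub *rsa.PublicKey, now time.Time) (*IDTokenClaims, error) {
	parts := strings.Split(idToken, ".")
	if len(parts) != 3 {
		return nil, errors.New("id_token is not a compact JWS")
	}
	headerJSON, err1 := b64.DecodeString(parts[0])
	payload, err2 := b64.DecodeString(parts[1])
	sig, err3 := b64.DecodeString(parts[2])
	if err := errors.Join(err1, err2, err3); err != nil {
		return nil, fmt.Errorf("decode id_token: %w", err)
	}
	// Pin the algorithm: the token must not choose it (alg=none, HS256 key confusion).
	var header struct{ Alg string `json:"alg"` }
	if err := json.Unmarshal(headerJSON, &header); err != nil || header.Alg != "RS256" {
		return nil, errors.New("only RS256 id_tokens are accepted")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, fmt.Errorf("signature check failed: %w", err)
	}
	var claims IDTokenClaims
	if err := json.Unmarshal(payload, &claims); err != nil {
		return nil, fmt.Errorf("decode claims: %w", err)
	}
	switch {
	case claims.Issuer != expectedIssuer || claims.Audience != expectedAudience:
		return nil, errors.New("id_token issuer or audience does not match this client")
	case now.Unix() >= claims.Expiry:
		return nil, errors.New("id_token expired")
	case claims.Email == "":
		return nil, errors.New("id_token has no email claim to validate the common name against")
	}
	return &claims, nil
}

// SignIDToken stands in for the provider and mints an RS256 id_token (constructed test data).
func SignIDToken(priv *rsa.PrivateKey, claims IDTokenClaims) (string, error) {
	payload, _ := json.Marshal(claims)
	signingInput := b64.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + b64.EncodeToString(payload)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64.EncodeToString(sig), nil
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	now := time.Date(2024, 5, 10, 12, 59, 47, 0, time.UTC)
	tok, _ := SignIDToken(priv, IDTokenClaims{Issuer: expectedIssuer, Audience: expectedAudience,
		Expiry: now.Add(time.Hour).Unix(), Email: "username@example.com"})
	// Constructed token-endpoint reply in the shape of the issue's raw:map dump.
	resp := []byte(`{"token_type":"Bearer","access_token":"constructed-opaque-token","id_token":"` + tok + `"}`)
	idToken, _ := ExtractIDToken(resp)
	claims, err := VerifyIDToken(idToken, &priv.PublicKey, now)
	fmt.Println("claims:", claims, "err:", err)
}
```

Run it with `go run`. The verify step pins alg to RS256 and checks iss, aud and exp before the email claim is handed back to be compared with the OpenVPN username, which is the check that validate.common-name: "email" asks for and that the WARN line above says could not be performed. Against a real provider the public key comes from the jwks_uri in the discovery document (matched by the kid in the token header), not from a locally generated pair.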