
id_token not recognized #268

Closed
ntap-jbolle opened this issue May 10, 2024 · 3 comments · Fixed by #269
Labels
🐞 bug Something isn't working

Comments


ntap-jbolle commented May 10, 2024

### Current Behavior

When validation is disabled in the config, access is granted; when validation is enabled, access is denied.
In both cases, the following message is logged:

```shell
time=2024-05-10T14:59:47.266+02:00 level=WARN msg="provider did not return a id_token. Validation of user data is not possible." ip=x.x.x.x:4044 cid=34 kid=1 session_id="" common_name=username@example.com
```

### Expected Behavior

Since an id_token is returned, the plugin should recognize it and be able to validate the user.

### Steps To Reproduce

Using the following openvpn-auth-oauth2 config file, the error occurs. To create the log files provided and show that basic authentication is not affected, validation has been disabled.


```yaml
http:
  baseurl: "https://callback.example.com"
  enable-proxy-headers: true
  listen: ":9000"
  secret: "file:///usr/local/etc/openvpn/http.secret"
log:
  format: console
  level: DEBUG
  vpn-client-ip: true
oauth2:
  authorize-params: "a=c"
  client:
    id: "CLIENT_ID"
    secret: file:///usr/local/etc/openvpn/oauth2.client.secret
  endpoint:
    discovery: "https://login.microsoftonline.com/TENANT_ID/v2.0/.well-known/openid-configuration"
    auth: "https://login.microsoftonline.com/TENANT_ID/oauth2/v2.0/authorize"
    token: "https://login.microsoftonline.com/TENANT_ID/oauth2/v2.0/token"
  issuer: "https://login.microsoftonline.com/TENANT_ID/v2.0"
  provider: "generic"
  scopes:
    - "openid"
    - "profile"
    - "email"
  validate:
    common-name: "email"
openvpn:
  addr: "tcp://127.0.0.1:166"
  common-name:
    environment-variable-name: "username"
  password: file:///usr/local/etc/openvpn/password.txt
```

### Environment

- openvpn-auth-oauth2 Version: latest
- OpenVPN Server Version: 2.6.10
- Server OS: FreeBSD 14.0
- OpenVPN Client (flavor, OS): Tunnelblick 4.0.1, MacOS
- OIDC Provider: Azure


### openvpn-auth-oauth2 logs

```shell
time=2024-05-10T14:59:45.124+02:00 level=INFO msg="new client connection" ip=x.x.x.x:4044 cid=34 kid=1 common_name=username@example.com reason=CONNECT session_id="" session_state=""
time=2024-05-10T14:59:45.125+02:00 level=INFO msg="start pending auth" ip=x.x.x.x:4044 cid=34 kid=1 common_name=username@example.com reason=CONNECT session_id="" session_state=""
time=2024-05-10T14:59:45.125+02:00 level=DEBUG msg="client-pending-auth 34 1 \"WEB_AUTH::https://callback.example.com/oauth2/start?state=CV0-AhPALEodUzHeX2pkgJACUvoTHdI4phXg-cKLNxab1uposhRfjjVLpKnuP2Klaq7RMoNjxcCkKlrpyBXnHstjH518IY0Za9glZcE\" 180"
time=2024-05-10T14:59:45.484+02:00 level=INFO msg="initialize authorization via oauth2" ip=x.x.x.x:4044 cid=34 kid=1 common_name=username@example.com
time=2024-05-10T14:59:47.266+02:00 level=WARN msg="provider did not return a id_token. Validation of user data is not possible." ip=x.x.x.x:4044 cid=34 kid=1 session_id="" common_name=username@example.com
time=2024-05-10T14:59:47.266+02:00 level=DEBUG msg=tokens ip=x.x.x.x:4044 cid=34 kid=1 session_id="" common_name=username@example.com tokens="&{AccessToken:eyJ0eXAiOiJKV1QiLCJub25jZSI6IkVJU3hlaXZidno5X3V1cF90TXlHNUQxcUZoVUl5Z2FHNFJEazIwYmpCU2siLCJhbGciOiJSUzI1NiIsIng1dCI6IkwxS2ZLRklfam5YYndXYzIyeFp4dzFzVUhIMCIsImtpZCI6IkwxS2ZLRklfam5YYndXYzIyeFp4dzFzVUhIMCJ9.eyJhdWQiOiIwMDAwMDAwMy0wMDAwLTAwMDAtYzAwMC0wMDAwMDAwMDAwMDAiLCJpc3MiOiJodHRwczovL3N0cy53aW5kb3dzLm5ldC80YjA5MTFhMC05MjliLTQ3MTUtOTQ0Yi1jMDM3NDUxNjViM2EvIiwiaWF0IjoxNzE1MzQ1Njg3LCJuYmYiOjE3MTUzNDU2ODcsImV4cCI6MTcxNTM1MTIwMiwiYWNjdCI6MCwiYWNyIjoiMSIsImFpbyI6IkFWUUFxLzhXQUFBQTRxWGdpMURQNnQrbmNhZklqTmZFUlMzSHc5RHRwbFdSVDROR2JwT0F4M0NiUzJHaXM2U0l2QTI4VnhKSno4enA4V3FSRFZ4dmlualB6T2ppV0pJZWozSU9pM0FxWE1SYVFJT014ZkR0bGZ3PSIsImFtciI6WyJwd2QiLCJtZmEiXSwiYXBwX2Rpc3BsYXluYW1lIjoiY3JlZGF0aXYgQlUgZW1wbG95ZWUgVlBOIHRvIGNyZWRhdGl2IGN1c3RvbWVycyB8IE9JREMgfCBTVEFHRSIsImFwcGlkIjoiN2NlYjMyMmUtNjcxOS00OGJlLTk0YWYtMDE4Y2Y1MzQ4ODc3IiwiYXBwaWRhY3IiOiIxIiwiZGV2aWNlaWQiOiI0NzMwYzc2NC1kZjc2LTQ3ZmUtOTUzOC0zZDcwY2E1ZDM5MzkiLCJmYW1pbHlfbmFtZSI6IkJvbGxlIiwiZ2l2ZW5fbmFtZSI6IkphbiIsImlkdHlwIjoidXNlciIsImlwYWRkciI6IjJhMDI6ODA3MTo1MzYwOjFiZTE6NDFkYTpkNWVjOjNhOGQ6Yzc5NiIsIm5hbWUiOiJCb2xsZSwgSmFuIiwib2lkIjoiMDU5MGU1ODktMjgyOS00YmIyLTg1N2EtMTAzNGYxY2RlM2EyIiwib25wcmVtX3NpZCI6IlMtMS01LTIxLTM1Njc2MzctMTkwNjQ1OTI4MS0xNDI3MjYwMTM2LTE5OTE4ODYiLCJwbGF0ZiI6IjUiLCJwdWlkIjoiMTAwMzIwMDFGQ0ExMjZGQiIsInJoIjoiMC5BUTRBb0JFSlM1dVNGVWVVUzhBM1JSWmJPZ01BQUFBQUFBQUF3QUFBQUFBQUFBQU9BSEkuIiwic2NwIjoib3BlbmlkIHByb2ZpbGUgZW1haWwiLCJzaWduaW5fc3RhdGUiOlsiZHZjX21uZ2QiLCJkdmNfY21wIiwia21zaSJdLCJzdWIiOiJMYTlMb19lRThLNkZ5NzVpOVJHRmdiai1kUW5CbmNxZ2dKaU5rV1FMSjQ4IiwidGVuYW50X3JlZ2lvbl9zY29wZSI6Ik5BIiwidGlkIjoiNGIwOTExYTAtOTI5Yi00NzE1LTk0NGItYzAzNzQ1MTY1YjNhIiwidW5pcXVlX25hbWUiOiJqYm9sbGVAbmV0YXBwLmNvbSIsInVwbiI6Impib2xsZUBuZXRhcHAuY29tIiwidXRpIjoiLS1xT1JYX2h1MGktX3dibHV2RkhBQSIsInZlciI6IjEuMCIsIndpZHMiOlsiYjc5ZmJmNGQtM2VmOS00Njg5LTgxNDMtNzZiMTk0ZTg1NTA5Il0sInhtc19zdCI6eyJzdWIiOiJ
2U3M5TVU0SndMYUphYmQ2ODNMWV81TEw5N0gxYVJWRHk5bzFRZC1TNlZ3In0sInhtc190Y2R0IjoxMzgxODY0OTQyfQ.hyTIgcmupoYTSvw5tk55SSfi8IZffx2VgLIxQLMIMF4as2hw4aduVhk8Tqb9wwzqvJpcKozsNTmA4QN9IZASbkR12FidZLL5-cqw9hBo6rXZ5Bt16mKO375SUr51ALwOirE4lxCgpMZxmWI_vJs30X-sL61x7NA7z2HiKZYqzyzoCpsncJNv48frTbiFRWOMpz7e9XrZodjdb1dSjCL3PZqZiIhuMCmppeCoBzWAfsEdZHc7C2_t5IBhAtWvljG75jA0-lNlk6XVroYUgHW0p5b6VavvSC8HQHELeYJ4zeMJArBTy9LXAxe1VtoQLeNCJpEynr4UMme1WbjRVC-zFw TokenType:Bearer RefreshToken: Expiry:2024-05-10 16:26:41.266536933 +0200 CEST m=+5243.168884172 raw:map[access_token:eyJ0eXAiOiJKV1QiLCJub25jZSI6IkVJU3hlaXZidno5X3V1cF90TXlHNUQxcUZoVUl5Z2FHNFJEazIwYmpCU2siLCJhbGciOiJSUzI1NiIsIng1dCI6IkwxS2ZLRklfam5YYndXYzIyeFp4dzFzVUhIMCIsImtpZCI6IkwxS2ZLRklfam5YYndXYzIyeFp4dzFzVUhIMCJ9.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.hyTIgcmupoYTSvw5tk55SSfi8IZffx2VgLIxQLMIMF4as2hw4aduVhk8Tqb9wwzqvJpcKozsNTmA4QN9IZASbkR12FidZLL5-cqw9hBo6rXZ5Bt16mKO375SUr51ALwOirE4lxCgpMZxmWI_vJs30X-sL61x7NA7z2HiKZYqzyzoCpsncJNv48frTbiFRWOMpz7e9XrZodjdb1dSjCL3PZqZiIhuMCmppeCoBzWAfsEdZHc7C2_t5IBhAtWvljG75jA0-lNlk6XVroYUgHW0p5b6VavvSC8HQHELeYJ4zeMJArBTy9LXAxe1VtoQLeNCJpEynr4UMme1WbjRVC-zFw expires_in:5214 ext_expires_in:5214 id_token:eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6IkwxS2ZLRklfam5YYndXYzIyeFp4dzFzVUhIMCJ9.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.eycqEOYlUJSwZYDixy3Vi9L5WjwWEcbHaXRaGC3dPT64TBLM2FTA3hn42xsU7Zy0rptd_QNO5PQHyFB1vnvfqzOojyt11WX0c1KTsCsCPv7PJAZOYtyvO1ptfqXZbtdvAp2cobAgwloLy5hGDTBrJaDndJEjCb6FAqTlaazApV1cn6JydsrWPgDB7oUTWd2UL3OHY6q2Ohnp1P0Izw4KQe-G5iQK9vLCrbJlR1I-gJvpITVJYRP8S1ws9h0NRTWZt8a7jkkX0YsrJjGzRb6wMXMWd5co8_tnTmRxa3y-bjUAj-lX1PoBG0f76IvJUtKCb3U02rZRN9ux6eIcR6db-g scope:openid profile email token_type:Bearer] expiryDelta:0}"
time=2024-05-10T14:59:47.267+02:00 level=INFO msg="successful authorization via oauth2" ip=x.x.x.x:4044 cid=34 kid=1 session_id="" common_name=username@example.com user.subject="" user.preferred_username=""
time=2024-05-10T14:59:47.267+02:00 level=INFO msg="accept OpenVPN client cid 34, kid 1" ip=x.x.x.x:4044 cid=34 kid=1 session_id="" common_name=username@example.com user.subject="" user.preferred_username=""
time=2024-05-10T14:59:47.267+02:00 level=DEBUG msg="client-auth 34 1\r\npush \"auth-token-user amJvbGxlQG5ldGFwcC5jb20=\"\r\nEND"
```

### openvpn server logs

```shell
May 10 14:58:34 openvpn-oidc openvpn[1315]: username@example.com/x.x.x.x:4065 Data Channel: cipher 'AES-256-GCM', peer-id: 0
May 10 14:58:34 openvpn-oidc openvpn[1315]: username@example.com/x.x.x.x:4065 Timers: ping 10, ping-restart 120
May 10 14:58:34 openvpn-oidc openvpn[1315]: username@example.com/x.x.x.x:4065 Protocol options: explicit-exit-notify 1, protocol-flags cc-exit tls-ekm dyn-tls-crypt
May 10 14:59:16 openvpn-oidc openvpn[1315]: MANAGEMENT: Client disconnected
May 10 14:59:18 openvpn-oidc openvpn[1315]: MANAGEMENT: Client connected from [AF_INET]127.0.0.1:50942
May 10 14:59:18 openvpn-oidc openvpn[1315]: MANAGEMENT: CMD ''
May 10 14:59:18 openvpn-oidc openvpn[1315]: MANAGEMENT: CMD 'version'
May 10 14:59:45 openvpn-oidc openvpn[1315]: x.x.x.x:4044 peer info: IV_VER=2.6.9
May 10 14:59:45 openvpn-oidc openvpn[1315]: x.x.x.x:4044 peer info: IV_PLAT=mac
May 10 14:59:45 openvpn-oidc openvpn[1315]: x.x.x.x:4044 peer info: IV_TCPNL=1
May 10 14:59:45 openvpn-oidc openvpn[1315]: x.x.x.x:4044 peer info: IV_MTU=1600
May 10 14:59:45 openvpn-oidc openvpn[1315]: x.x.x.x:4044 peer info: IV_NCP=2
May 10 14:59:45 openvpn-oidc openvpn[1315]: x.x.x.x:4044 peer info: IV_CIPHERS=AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305
May 10 14:59:45 openvpn-oidc openvpn[1315]: x.x.x.x:4044 peer info: IV_PROTO=990
May 10 14:59:45 openvpn-oidc openvpn[1315]: x.x.x.x:4044 peer info: IV_LZO_STUB=1
May 10 14:59:45 openvpn-oidc openvpn[1315]: x.x.x.x:4044 peer info: IV_COMP_STUB=1
May 10 14:59:45 openvpn-oidc openvpn[1315]: x.x.x.x:4044 peer info: IV_COMP_STUBv2=1
May 10 14:59:45 openvpn-oidc openvpn[1315]: x.x.x.x:4044 peer info: IV_GUI_VER="net.tunnelblick.tunnelblick_5971_4.0.1__build_5971)"
May 10 14:59:45 openvpn-oidc openvpn[1315]: x.x.x.x:4044 peer info: IV_SSO=webauth
May 10 14:59:45 openvpn-oidc openvpn[1315]: x.x.x.x:4044 TLS: Username/Password authentication deferred for username 'username@example.com' [CN SET]
May 10 14:59:45 openvpn-oidc openvpn[1315]: x.x.x.x:4044 TLS: move_session: dest=TM_ACTIVE src=TM_INITIAL reinit_src=1
May 10 14:59:45 openvpn-oidc openvpn[1315]: x.x.x.x:4044 TLS: tls_multi_process: initial untrusted session promoted to semi-trusted
May 10 14:59:45 openvpn-oidc openvpn[1315]: x.x.x.x:4044 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer temporary key: 253 bits X25519
May 10 14:59:45 openvpn-oidc openvpn[1315]: x.x.x.x:4044 [username@example.com] Peer Connection Initiated with [AF_INET]x.x.x.x:4044
May 10 14:59:45 openvpn-oidc openvpn[1315]: MANAGEMENT: CMD 'client-pending-auth 34 1 "WEB_AUTH::https://callback.example.com/oauth2/start?state=CV0-AhPALEodUzHeX2pkgJACUvoTHdI4phXg-cKLNxab1uposhRfjjVLpKnuP2Klaq7RMoNjxcCkKlrpyBXnHstjH518IY0Za9glZcE" 180'
May 10 14:59:45 openvpn-oidc openvpn[1315]: SENT CONTROL [username@example.com]: 'AUTH_PENDING,timeout 180' (status=1)
May 10 14:59:45 openvpn-oidc openvpn[1315]: SENT CONTROL [username@example.com]: 'INFO_PRE,WEB_AUTH::https://callback.example.com/oauth2/start?state=CV0-AhPALEodUzHeX2pkgJACUvoTHdI4phXg-cKLNxab1uposhRfjjVLpKnuP2Klaq7RMoNjxcCkKlrpyBXnHstjH518IY0Za9glZcE' (status=1)
May 10 14:59:45 openvpn-oidc openvpn[1315]: x.x.x.x:4044 PUSH: Received control message: 'PUSH_REQUEST'
May 10 14:59:47 openvpn-oidc openvpn[1315]: MANAGEMENT: CMD 'client-auth 34 1'
May 10 14:59:50 openvpn-oidc openvpn[1315]: x.x.x.x:4044 PUSH: Received control message: 'PUSH_REQUEST'
May 10 14:59:50 openvpn-oidc openvpn[1315]: MULTI: new connection by client 'username@example.com' will cause previous active sessions by this client to be dropped.  Remember to use the --duplicate-cn option if you want multiple clients using the same certificate or username to concurrently connect.
May 10 14:59:50 openvpn-oidc openvpn[1315]: OPTIONS IMPORT: reading client specific options from: /tmp/openvpn_cc_196a37ce788e3b284c60531f43db4049.tmp
May 10 14:59:50 openvpn-oidc openvpn[1315]: MULTI: no dynamic or static remote--ifconfig address is available for username@example.com/x.x.x.x:4044
May 10 14:59:50 openvpn-oidc openvpn[1315]: SENT CONTROL [username@example.com]: 'PUSH_REPLY...' (status=1)
May 10 14:59:50 openvpn-oidc openvpn[1315]: SENT CONTROL [username@example.com]: 'PUSH_REPLY,auth-token-user amJvbGxlQG5ldGFwcC5jb20=,peer-id 0,cipher AES-256-GCM,protocol-flags cc-exit tls-ekm dyn-tls-crypt,tun-mtu 1500,push-continuation 1' (status=1)
May 10 14:59:51 openvpn-oidc openvpn[1315]: username@example.com/x.x.x.x:4044 Data Channel: cipher 'AES-256-GCM', peer-id: 0
May 10 14:59:51 openvpn-oidc openvpn[1315]: username@example.com/x.x.x.x:4044 Timers: ping 10, ping-restart 120
May 10 14:59:51 openvpn-oidc openvpn[1315]: username@example.com/x.x.x.x:4044 Protocol options: explicit-exit-notify 1, protocol-flags cc-exit tls-ekm dyn-tls-crypt
```

### Anything else?

During troubleshooting I added a line to internal/oauth2/providers/generic/user.go to dump the tokens.Token object: dump-tokens-to-debug-log.txt

As can be seen in the logs, only the AccessToken appears to be recognized and extracted, while both access_token and id_token are contained in the raw:map part of the dump (which I assume is the full response the plugin received?). Using other tools I could also verify that an id_token is included in the response.

@ntap-jbolle ntap-jbolle added the 🐞 bug Something isn't working label May 10, 2024
@jkroepke
Owner

jkroepke commented May 10, 2024

Ah, interesting bug.

The current workaround is to omit all the manually configured endpoints:

```yaml
  endpoint:
    discovery: "https://login.microsoftonline.com/TENANT_ID/v2.0/.well-known/openid-configuration"
    auth: "https://login.microsoftonline.com/TENANT_ID/oauth2/v2.0/authorize"
    token: "https://login.microsoftonline.com/TENANT_ID/oauth2/v2.0/token"
```

If endpoints are configured, the underlying library guesses it's an OAuth2 provider, not an OIDC one, and may not parse the id_token.

Maybe there is a lack of information that the endpoints are not mandatory to configure.
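To make the explanation above concrete, here is an added example (not openvpn-auth-oauth2's own code, and written against the Go standard library rather than the OAuth2 library the plugin wraps): it reads the id_token from the raw token endpoint response, where the issue's debug dump shows it, and fails closed when validation is enabled but no usable id_token is present. The function names, the sample response body and the `constructed-sub` claim are all made up for the example.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

// idTokenClaims looks for id_token in the raw token endpoint response (where the
// issue's dump shows it) and decodes its payload segment. The signature is NOT
// checked here: verify it against the provider's JWKS (plus iss, aud, exp) first.
func idTokenClaims(body []byte) (map[string]any, error) {
	var raw map[string]any
	if err := json.Unmarshal(body, &raw); err != nil {
		return nil, err
	}
	idt, _ := raw["id_token"].(string) // missing key -> "" -> rejected below
	parts := strings.Split(idt, ".")
	if len(parts) != 3 {
		return nil, errors.New("provider did not return a usable id_token")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var claims map[string]any
	return claims, json.Unmarshal(payload, &claims)
}

// decide fails closed: with validation enabled and no usable id_token (or no sub
// claim), deny instead of logging a WARN and accepting the client. It returns the
// allow decision and the subject that would be logged as user.subject.
func decide(body []byte, validationEnabled bool) (bool, string) {
	claims, err := idTokenClaims(body)
	sub, _ := claims["sub"].(string) // reading a nil map is safe in Go
	if err != nil || sub == "" {
		return !validationEnabled, ""
	}
	return true, sub
}

// sampleResponse is a constructed token endpoint body with the same keys as the
// issue's dump; its id_token is an unsigned placeholder JWT, not a real token.
func sampleResponse() []byte {
	enc := base64.RawURLEncoding.EncodeToString
	idToken := enc([]byte(`{"alg":"RS256"}`)) + "." + enc([]byte(`{"sub":"constructed-sub"}`)) + "."
	body, _ := json.Marshal(map[string]any{"access_token": "constructed.access.token", "expires_in": 5214,
		"id_token": idToken, "scope": "openid profile email", "token_type": "Bearer"})
	return body
}
```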

@ntap-jbolle
Author

Thank you for the incredibly quick reply!

Removing the manually configured endpoints has indeed solved the problem.

@jkroepke
Owner

Please keep that open, since it's a bug anyway.
