
Browser Redirect to 404 After Successful OIDC Client Authorization #129

arjun-udaan opened this issue Sep 17, 2024 · 3 comments

@arjun-udaan

I’m encountering an issue when setting up OIDC with Azure. After a successful client authorization, the browser redirects to https://domain.com/authorise/oidc?code=XXXXX but results in a 404 page not found error.

The logs from WAG only show the user registering with OIDC and do not indicate if the process is completed or if there’s an error:

2024/09/17 09:09:16 deauthed user:10.1.2.249 device, reason: session terminated
2024/09/17 09:09:40 user 10.1.2.249 registering with oidc

Configuration:

{
    "NumberProxies": 0,
    "Proxied": false,
    "HelpMail": "[email protected]",
    "Lockout": 5,
    "ExternalAddress": "domain.com",
    "MaxSessionLifetimeMinutes": 1440,
    "SessionInactivityTimeoutMinutes": 60,
    "ManagementUI": {
        "ListenAddress": "172.31.0.1:4433",
        "Enabled": true,
        "Debug": false
    },
    "Webserver": {
        "Public": {
            "ListenAddress": ":443",
            "CertPath": "/etc/letsencrypt/fullchain.pem",
            "KeyPath": "/etc/letsencrypt/privkey.pem"
        },
        "Tunnel": {
            "Port": "445"
        }
    },
    "Authenticators": {
        "Issuer": "IT",
        "Methods": [
            "oidc"
        ],
        "DomainURL": "https://domain.com",
        "OIDC": {
            "IssuerURL": "https://login.microsoftonline.com/tenant/oauth2/v2.0/authorize",
            "ClientSecret": "secret",
            "ClientID": "clientid",
            "GroupsClaimName": "groups"
        },
        "PAM": {
            "ServiceName": ""
        }
    },
    "Clustering": {
        "ClusterState": "new",
        "ETCDLogLevel": "error",
        "Witness": false,
        "TLSManagerListenURL": "https://172.31.0.1:3434"
    },
    "Wireguard": {
        "DevName": "wg0",
        "ListenPort": 5920,
        "PrivateKey": "key",
        "Address": "10.1.2.1/24",
        "MTU": 0,
        "ServerPersistentKeepAlive": 0
    },
    "DatabaseLocation": "devices.db",
    "Acls": {
        "Policies": {}
    }
}

Additional Observations:

  • The OIDC callback URL does not update once the service starts. Even after changing the web server port in the config, the callback URL continues to use the old port.

Logs:
2024/09/17 09:30:44 Started control socket: /tmp/wag.sock
**2024/09/17 09:30:44 OIDC callback: https://domain:8080/authorise/oidc**
2024/09/17 09:30:44 Connecting to OIDC provider: https://login.microsoftonline.com/tenant/v2.0
2024/09/17 09:30:44 Connected!
2024/09/17 09:30:44 Started listening: Tunnel Listener: 10.1.2.1:445 Public Listener: :443
2024/09/17 09:30:44 Started Managemnt UI: Listening: 172.31.0.1:4433

Any assistance in resolving this would be greatly appreciated.

@NHAS
Owner

NHAS commented Sep 20, 2024

Hi there,

To take a stab in the dark I expect you've missed a trailing slash:
https://domain.com/authorise/oidc?code=XXXXX should be https://domain.com/authorise/oidc/?code=XXXXX

@arjun-udaan
Author

Thank you for responding back.
I did a quick test by adding a trailing / to the redirect URL, but this introduced a new error from Microsoft, which kinda makes sense:

Sorry, but we’re having trouble signing you in.

AADSTS50011: The redirect URI 'https://domain/authorise/oidc' specified in the request does not match the redirect URIs configured for the application 'XXXXX'. Make sure the redirect URI sent in the request matches one added to your application in the Azure portal. Navigate to https://aka.ms/redirectUriMismatchError to learn more about how to fix this.
This error makes sense as the URL in the request does not match the one configured in the Azure portal.

From the WAG logs:
OIDC callback URL: https://domain/authorise/oidc

@NHAS
Owner

NHAS commented Sep 25, 2024

That looks like you haven't configured the new allowed URL redirection in your Azure tenancy with the new end slash.
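A preflight check for this class of mismatch, written here as an added Go example (not WAG's own code): it derives the redirect_uri from DomainURL on the assumption that the callback path is /authorise/oidc/ with the trailing slash the maintainer describes, compares it byte for byte against the URIs registered at the identity provider (the exact string comparison RFC 6749 §3.1.2.3 calls for, and what AADSTS50011 enforces), and names the likely cause when there is no exact match. The function names and the mismatch heuristics are the example's own.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// RedirectCheck reports whether the callback the relying party will send as
// redirect_uri exactly matches a URI registered at the identity provider.
type RedirectCheck struct {
	Callback string
	Match    bool
	Hint     string // empty when Match is true
}

// CallbackURL builds the redirect_uri from DomainURL. Assumed path (not taken
// from WAG's source): /authorise/oidc/ including the trailing slash.
func CallbackURL(domainURL string) (string, error) {
	u, err := url.Parse(domainURL)
	if err != nil {
		return "", err
	}
	if u.Scheme != "https" || u.Host == "" {
		return "", fmt.Errorf("DomainURL must be an absolute https URL: %q", domainURL)
	}
	u.Path = strings.TrimRight(u.Path, "/") + "/authorise/oidc/"
	u.RawQuery, u.Fragment = "", ""
	return u.String(), nil
}

// CheckRedirectURI applies the provider's exact-match rule, then, if that fails,
// looks for a registered URI with the same path (ignoring trailing slashes) and
// explains which component differs so the admin knows which side to fix.
func CheckRedirectURI(callback string, registered []string) RedirectCheck {
	res := RedirectCheck{Callback: callback}
	cb, err := url.Parse(callback)
	if err != nil {
		res.Hint = "callback is not a valid URL"
		return res
	}
	for _, r := range registered {
		if r == callback { // byte-for-byte match: the only thing the IdP accepts
			res.Match = true
			return res
		}
	}
	for _, r := range registered {
		ru, err := url.Parse(r)
		if err != nil || strings.TrimRight(ru.Path, "/") != strings.TrimRight(cb.Path, "/") {
			continue
		}
		switch {
		case ru.Hostname() != cb.Hostname():
			res.Hint = fmt.Sprintf("host mismatch: registered %q, sent %q", r, callback)
		case ru.Port() != cb.Port():
			res.Hint = fmt.Sprintf("port mismatch: registered %q, sent %q", r, callback)
		case ru.Scheme != cb.Scheme:
			res.Hint = fmt.Sprintf("scheme mismatch: registered %q, sent %q", r, callback)
		default:
			res.Hint = fmt.Sprintf("trailing-slash mismatch: registered %q, sent %q", r, callback)
		}
		return res
	}
	res.Hint = "no registered redirect URI shares this path"
	return res
}

func main() {
	// Constructed sample mirroring the report: slash-less URI registered in Azure.
	cb, _ := CallbackURL("https://domain.com")
	fmt.Printf("%+v\n", CheckRedirectURI(cb, []string{"https://domain.com/authorise/oidc"}))
}
```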
