Public bug reported:

Description:    Ubuntu 24.04.2 LTS

I upgraded a web server from Jammy to Noble and it cannot authenticate
against MS Entra ID due to a regression in handling the application
registration private key that upstream introduced between the two
packaged versions in Ubuntu.

Jammy: libapache2-mod-auth-openidc-2.4.11-1
Noble: libapache2-mod-auth-openidc-2.4.15.1-1build3

From https://github.com/OpenIDC/mod_auth_openidc/releases/tag/v2.4.16.4
...

* add the missing copy of the "x5t" claim in oidc_jwk_copy, which broke
private_key_jwt authentication to Microsoft Entra ID / Azure AD since
2.4.13

The relevant part of my Apache configuration is ...

  OIDCPublicKeyFiles /etc/ssl/certs/entra-id.crt
  OIDCPrivateKeyFiles /etc/ssl/private/entra-id.key
  OIDCProviderTokenEndpointAuth private_key_jwt

Users can log in to this website via MS Entra ID on Jammy, but on Noble
the website returns an error to the user and this (redacted) in the logs
...

[Wed Feb 26 15:32:09.726271 2025] [auth_openidc:error] [pid 416730:tid 129370008061632] [client ****:52468] oidc_util_json_string_print: oidc_util_check_json_error: response contained an "error" entry with value: ""invalid_client""
[Wed Feb 26 15:32:09.726646 2025] [auth_openidc:error] [pid 416730:tid 129370008061632] [client ****:52468] oidc_util_json_string_print: oidc_util_check_json_error: response contained an "error_description" entry with value: ""AADSTS700027: The certificate with identifier used to sign the client assertion is not registered on application. [Reason - The key was not found., Please visit the Azure Portal, Graph Explorer or directly use MS Graph to see configured keys for app Id '****'. Review the documentation at https://docs.microsoft.com/en-us/graph/deployments to determine the corresponding service endpoint and https://docs.microsoft.com/en-us/graph/api/application-get?view=graph-rest-1.0&tabs=http to build a query request URL, such as 'https://graph.microsoft.com/beta/applications/****']. Trace ID: **** Correlation ID: **** Timestamp: 2025-02-26 15:32:09Z""

I see that Plucky has a new enough version packaged to fix this
regression (https://launchpad.net/ubuntu/+source/libapache2-mod-auth-
openidc/2.4.16.8-1) and when I installed that package from
https://archive.ubuntu.com/ubuntu/pool/universe/liba/libapache2-mod-
auth-openidc/libapache2-mod-auth-openidc_2.4.16.8-1_amd64.deb it worked
on my Noble server, allowing users to log in again.

Are you able to backport the Plucky version to Noble?

** Affects: libapache2-mod-auth-openidc (Ubuntu)
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Server/Client Support Team, which is subscribed to apache2 in Ubuntu.
Matching subscriptions: Ubuntu Server/Client Support Team
https://bugs.launchpad.net/bugs/2100299

Title:
  libapache2-mod-auth-openidc application registration key regression in
  Noble

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libapache2-mod-auth-openidc/+bug/2100299/+subscriptions
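The failure in the report comes down to one JOSE header: with private_key_jwt the client assertion must carry "x5t" (RFC 7515 section 4.1.7, the base64url SHA-1 thumbprint of the certificate DER) so the provider can find the key registered on the app; when the copied JWK loses that claim, the token endpoint answers invalid_client / AADSTS700027 before it ever checks the signature. The script below is an added diagnostic, not code from the bug report or from mod_auth_openidc: it computes the thumbprint for a certificate and checks whether an assertion header names it, building one assertion with "x5t" and one without. The certificate bytes, client id, token endpoint and jti are constructed placeholders, and the signature segment is a placeholder because only the header is inspected.

```python
"""Diagnostic for private_key_jwt client assertions: does the JOSE header carry
an "x5t" thumbprint that matches the certificate registered on the app?"""
import base64
import hashlib
import json
import time

# Constructed stand-in for the DER bytes of the registered certificate
# (e.g. /etc/ssl/certs/entra-id.crt); not a real certificate.
CERT_DER = b"constructed-placeholder-der-bytes-not-a-real-certificate"
# Assumed values; replace with the app registration's client id and the
# tenant's token endpoint.
CLIENT_ID = "00000000-0000-0000-0000-000000000000"
TOKEN_ENDPOINT = "https://login.microsoftonline.com/<tenant>/oauth2/v2.0/token"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def x5t_for_cert(cert_der: bytes) -> str:
    """x5t = base64url(SHA-1(DER)), RFC 7515 s.4.1.7; this is the identifier
    the provider matches against the keys registered on the application."""
    return b64url(hashlib.sha1(cert_der).digest())


def client_assertion_claims(client_id: str, token_endpoint: str, now: int) -> dict:
    """RFC 7523 claim set for private_key_jwt (jti is a constructed placeholder)."""
    return {"iss": client_id, "sub": client_id, "aud": token_endpoint,
            "jti": "constructed-jti", "iat": now, "exp": now + 300}


def build_assertion(header: dict, claims: dict) -> str:
    """Assemble header.claims.signature. The RS256 signature over the signing
    input would come from the module's private key; a placeholder segment
    stands in for it because only the header is inspected here."""
    segments = [b64url(json.dumps(header, separators=(",", ":")).encode()),
                b64url(json.dumps(claims, separators=(",", ":")).encode()),
                "PLACEHOLDER-SIGNATURE"]
    return ".".join(segments)


def check_assertion_header(assertion: str, cert_der: bytes) -> tuple:
    """Return (ok, reason). Mirrors the key lookup the provider performs
    before signature verification: the header must name a registered key."""
    try:
        header = json.loads(b64url_decode(assertion.split(".")[0]))
    except ValueError:
        return False, "assertion header is not base64url-encoded JSON"
    if not isinstance(header, dict):
        return False, "assertion header is not a JSON object"
    x5t = header.get("x5t")
    if x5t is None:
        return False, ('header has no "x5t": the provider cannot locate the '
                       "registered key (symptom: invalid_client / AADSTS700027)")
    expected = x5t_for_cert(cert_der)
    if x5t != expected:
        return False, f'"x5t" {x5t} does not match the registered certificate ({expected})'
    return True, '"x5t" matches the registered certificate'


def demo(now=None) -> dict:
    """Build one assertion whose header keeps "x5t" and one where the claim
    was dropped from the copied JWK, and check both against CERT_DER."""
    now = int(time.time()) if now is None else now
    claims = client_assertion_claims(CLIENT_ID, TOKEN_ENDPOINT, now)
    with_x5t = build_assertion(
        {"alg": "RS256", "typ": "JWT", "x5t": x5t_for_cert(CERT_DER)}, claims)
    without_x5t = build_assertion({"alg": "RS256", "typ": "JWT"}, claims)
    return {"with_x5t": check_assertion_header(with_x5t, CERT_DER),
            "without_x5t": check_assertion_header(without_x5t, CERT_DER)}


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name}: {'OK' if ok else 'REJECT'} - {reason}")
```

To run the check against a live deployment, capture the client_assertion parameter the module posts to the token endpoint (for example from a request dump on a test instance) and feed it with the DER of the certificate named in OIDCPublicKeyFiles; a "header has no x5t" result is the signature of the regression fixed in 2.4.16.4.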
