@Alexander Bokovoy
thanks, I already managed to get those oidc_child logs working; my mistake was
using the command journalctl --follow /usr/libexec/ipa/ipa-otpd instead of
journalctl -u 'ipa-otpd@*'. The first one does not show entries for the oidc_child
module.
However, I still have an issue with getting everything set up the correct way. Right now in the logs
I see the debug output from oidc_child as follows:
---
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: oidc_child started.
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: Running with effective
IDs: [0][0].
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: Running with real IDs
[0][0].
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: POST data:
[client_id=cbc0bcde-3e55-4b12-9916-bdda0b706953&scope=openid%20email].
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: libcurl: * Trying
40.126.32.134:443...
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: libcurl: * Connected to
login.microsoftonline.com (40.126.32.134) port 443 (#0)
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: libcurl: * ALPN: offers
h2
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: libcurl: * ALPN: offers
http/1.1
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: libcurl: * CAfile:
/etc/pki/tls/certs/ca-bundle.crt
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: libcurl: * CApath: none
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: libcurl: * TLSv1.0
(OUT), TLS header, Certificate Status (22):
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: libcurl: * TLSv1.3
(OUT), TLS handshake, Client hello (1):
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: libcurl: * TLSv1.2
(IN), TLS header, Certificate Status (22):
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: libcurl: * TLSv1.3
(IN), TLS handshake, Server hello (2):
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: libcurl: * TLSv1.2
(IN), TLS handshake, Certificate (11):
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: libcurl: * TLSv1.2
(IN), TLS handshake, Server key exchange (12):
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: libcurl: * TLSv1.2
(IN), TLS handshake, Server finished (14):
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: libcurl: * TLSv1.2
(OUT), TLS header, Certificate Status (22):
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: libcurl: * TLSv1.2
(OUT), TLS handshake, Client key exchange (16):
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: libcurl: * TLSv1.2
(OUT), TLS header, Finished (20):
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: libcurl: * TLSv1.2
(OUT), TLS change cipher, Change cipher spec (1):
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: libcurl: * TLSv1.2
(OUT), TLS header, Certificate Status (22):
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: libcurl: * TLSv1.2
(OUT), TLS handshake, Finished (20):
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: libcurl: * TLSv1.2
(IN), TLS header, Finished (20):
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: libcurl: * TLSv1.2
(IN), TLS header, Certificate Status (22):
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: libcurl: * TLSv1.2
(IN), TLS handshake, Finished (20):
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: libcurl: * SSL
connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: libcurl: * ALPN: server
did not agree on a protocol. Uses default.
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: libcurl: * Server
certificate:
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: libcurl: * subject:
C=US; ST=Washington; L=Redmond; O=Microsoft Corporation;
CN=stamp2.login.microsoftonline.com
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: libcurl: * start date:
Nov 23 00:00:00 2022 GMT
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: libcurl: * expire
date: Nov 23 23:59:59 2023 GMT
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: libcurl: * subjectAltName: host
"login.microsoftonline.com" matched cert's "login.microsoftonline.com"
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: libcurl: * issuer:
C=US; O=DigiCert Inc; CN=DigiCert SHA2 Secure Server CA
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: libcurl: * SSL
certificate verify ok.
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: libcurl: * TLSv1.2
(OUT), TLS header, Supplemental data (23):
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: libcurl: > POST
/tribecloud.io/oauth2/v2.0/devicecode HTTP/1.1
Host:
login.microsoftonline.com
User-Agent: SSSD
oidc_child/0.0
Accept: application/json
Content-Length: 67
Content-Type:
application/x-www-form-urlencoded
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: libcurl: * TLSv1.2
(IN), TLS header, Supplemental data (23):
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: libcurl: * Mark bundle
as not supporting multiuse
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: libcurl: < HTTP/1.1 200
OK
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: libcurl: <
Cache-Control: no-store, no-cache
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: libcurl: < Pragma:
no-cache
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: libcurl: <
Content-Type: application/json; charset=utf-8
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: libcurl: < Expires: -1
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: libcurl: <
Strict-Transport-Security: max-age=31536000; includeSubDomains
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: libcurl: <
X-Content-Type-Options: nosniff
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: libcurl: < P3P: CP="DSP CUR
OTPi IND OTRi ONL FIN"
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: libcurl: <
x-ms-request-id: 014b3632-ddc0-4839-9c72-0e2db29e5801
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: libcurl: <
x-ms-ests-server: 2.1.14357.8 - WUS2 ProdSlices
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: libcurl: <
X-XSS-Protection: 0
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: libcurl: < Set-Cookie:
fpc=As0myY4HXlRGqToBI5iddslFIKkQAQAAAHgaW9sOAAAA; expires=Sat, 18-Feb-2023
11:03:21 GMT; path=/; secure; HttpOnly; SameSite=None
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: libcurl: < Set-Cookie:
esctx=PAQABAAEAAAD--DLA3VO7QrddgJg7Wevr2WDnL_0XB-iwfnnong0trzC_uc3OCM3WPjG4ZFSjA9kHMyjRbq1j8NNF624I23jb-u_xnjvRjxWf_XBJAaNoAOomKrBE4WMayXpxS8c5_D5tnCwBFbiULEn4YmrEJZ0L0a8ZHk-BbJvvabchoBhXf6kZAicLv_9y0FfwXrYR__sgAA;
domain=.login.microsoftonline.c>
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: libcurl: < Set-Cookie:
x-ms-gateway-slice=estsfd; path=/; secure; samesite=none; httponly
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: libcurl: < Set-Cookie:
stsservicecookie=estsfd; path=/; secure; samesite=none; httponly
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: libcurl: < Date: Thu,
19 Jan 2023 11:03:20 GMT
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: libcurl: <
Content-Length: 473
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: libcurl: <
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]:
{"user_code":"RN8FF7RAW","device_code":"RAQABAAEAAAD--DLA3VO7QrddgJg7WevrhWWyMWUqb27PqWs7AaRbX408sSEVj4BDOkIs8KP95SdjheVqqoVQx7xfnvZ5Qjk8W0zlA2iYKbFBMYq6uNAmN57CO9BOEB74yYc0NCoyOskYWELFeXPqlDUuG0BdWxVqMQjD1SXNv_Y5MlhiZWmjDcxZ3viKjOlT4H7QXnQO-tsgAA","verification_uri":">
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: libcurl: * Connection
#0 to host login.microsoftonline.com left intact
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: Result does not contain
the 'verification_uri_complete' string.
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: user_code: [RN8FF7RAW].
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: verification_uri:
[https://microsoft.com/devicelogin].
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]:
verification_uri_complete: [-].
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: message: [To sign in,
use a web browser to open the page https://microsoft.com/devicelogin and enter
the code RN8FF7RAW to authenticate.].
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: device_code:
[RAQABAAEAAAD--DLA3VO7QrddgJg7WevrhWWyMWUqb27PqWs7AaRbX408sSEVj4BDOkIs8KP95SdjheVqqoVQx7xfnvZ5Qjk8W0zlA2iYKbFBMYq6uNAmN57CO9BOEB74yYc0NCoyOskYWELFeXPqlDUuG0BdWxVqMQjD1SXNv_Y5MlhiZWmjDcxZ3viKjOlT4H7QXnQO-tsgAA].
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: expires_in: [900].
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: interval: [5].
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: POST data:
[grant_type=urn:ietf:params:oauth:grant-type:device_code&client_id=cbc0bcde-3e55-4b12-9916-bdda0b706953&device_code=RAQABAAEAAAD--DLA3VO7QrddgJg7WevrhWWyMWUqb27PqWs7AaRbX408sSEVj4BDOkIs8KP95SdjheVqqoVQx7xfnvZ5Qjk8W0zlA2iYKbFBMYq6uNAmN57CO9BOEB74yYc0NCoyOskYW>
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: libcurl: * Trying
20.190.160.17:443...
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: libcurl: * Connected to
login.microsoftonline.com (20.190.160.17) port 443 (#0)
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: libcurl: * ALPN: offers
h2
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: libcurl: * ALPN: offers
http/1.1
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: libcurl: * CAfile:
/etc/pki/tls/certs/ca-bundle.crt
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: libcurl: * CApath: none
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: libcurl: * TLSv1.0
(OUT), TLS header, Certificate Status (22):
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: libcurl: * TLSv1.3
(OUT), TLS handshake, Client hello (1):
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: libcurl: * TLSv1.2
(IN), TLS header, Certificate Status (22):
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: libcurl: * TLSv1.3
(IN), TLS handshake, Server hello (2):
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: libcurl: * TLSv1.2
(IN), TLS handshake, Certificate (11):
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: libcurl: * TLSv1.2
(IN), TLS handshake, Server key exchange (12):
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: libcurl: * TLSv1.2
(IN), TLS handshake, Server finished (14):
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: libcurl: * TLSv1.2
(OUT), TLS header, Certificate Status (22):
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: libcurl: * TLSv1.2
(OUT), TLS handshake, Client key exchange (16):
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: libcurl: * TLSv1.2
(OUT), TLS header, Finished (20):
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: libcurl: * TLSv1.2
(OUT), TLS change cipher, Change cipher spec (1):
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: libcurl: * TLSv1.2
(OUT), TLS header, Certificate Status (22):
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: libcurl: * TLSv1.2
(OUT), TLS handshake, Finished (20):
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: libcurl: * TLSv1.2
(IN), TLS header, Finished (20):
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: libcurl: * TLSv1.2
(IN), TLS header, Certificate Status (22):
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: libcurl: * TLSv1.2
(IN), TLS handshake, Finished (20):
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: libcurl: * SSL
connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: libcurl: * ALPN: server
did not agree on a protocol. Uses default.
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: libcurl: * Server
certificate:
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: libcurl: * subject:
C=US; ST=Washington; L=Redmond; O=Microsoft Corporation;
CN=stamp2.login.microsoftonline.com
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: libcurl: * start date:
Nov 23 00:00:00 2022 GMT
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: libcurl: * expire
date: Nov 23 23:59:59 2023 GMT
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: libcurl: * subjectAltName: host
"login.microsoftonline.com" matched cert's "login.microsoftonline.com"
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: libcurl: * issuer:
C=US; O=DigiCert Inc; CN=DigiCert SHA2 Secure Server CA
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: libcurl: * SSL
certificate verify ok.
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: libcurl: * TLSv1.2
(OUT), TLS header, Supplemental data (23):
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: libcurl: > POST
/tribecloud.io/oauth2/v2.0/token HTTP/1.1
Host:
login.microsoftonline.com
User-Agent: SSSD
oidc_child/0.0
Accept: application/json
Content-Length: 322
Content-Type:
application/x-www-form-urlencoded
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: libcurl: * TLSv1.2
(IN), TLS header, Supplemental data (23):
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: libcurl: * Mark bundle
as not supporting multiuse
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: libcurl: < HTTP/1.1 400
Bad Request
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: libcurl: <
Cache-Control: no-store, no-cache
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: libcurl: < Pragma:
no-cache
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: libcurl: <
Content-Type: application/json; charset=utf-8
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: libcurl: < Expires: -1
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: libcurl: <
Strict-Transport-Security: max-age=31536000; includeSubDomains
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: libcurl: <
X-Content-Type-Options: nosniff
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: libcurl: < P3P: CP="DSP CUR
OTPi IND OTRi ONL FIN"
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: libcurl: <
x-ms-request-id: c5c67625-69b8-4630-b214-c3f13a92ea01
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: libcurl: <
x-ms-ests-server: 2.1.14357.8 - WUS2 ProdSlices
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: libcurl: <
X-XSS-Protection: 0
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: libcurl: < Set-Cookie:
fpc=AlWBH3O1bZdElx1faSMFzDo; expires=Sat, 18-Feb-2023 11:03:21 GMT; path=/;
secure; HttpOnly; SameSite=None
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: libcurl: < Set-Cookie:
x-ms-gateway-slice=estsfd; path=/; secure; samesite=none; httponly
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: libcurl: < Set-Cookie:
stsservicecookie=estsfd; path=/; secure; samesite=none; httponly
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: libcurl: < Date: Thu,
19 Jan 2023 11:03:21 GMT
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: libcurl: <
Content-Length: 510
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: libcurl: <
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]:
{"error":"authorization_pending","error_description":"AADSTS70016: OAuth 2.0
device flow error. Authorization is pending. Continue polling.\r\nTrace ID:
c5c67625-69b8-4630-b214-c3f13a92ea01\r\nCorrelation ID: dd042106-e670-49b0-8ea2-a625faf3e5e9\r\nTimestamp:
2023-01-1>
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: libcurl: * Connection
#0 to host login.microsoftonline.com left intact
Jan 19 12:03:21 server.ipademo.local oidc_child[10230]: oidc_child finished
successful!
Jan 19 12:03:21 server.ipademo.local ipa-otpd[10229]: testuser1@IPADEMO.LOCAL: Received:
[{"device_code":"RAQABAAEAAAD--DLA3VO7QrddgJg7WevrhWWyMWUqb27PqWs7AaRbX408sSEVj4BDOkIs8KP95SdjheVqqoVQx7xfnvZ5Qjk8W0zlA2iYKbFBMYq6uNAmN57CO9BOEB74yYc0NCoyOskYWELFeXPqlDUuG0BdWxVqMQjD1SXNv_Y5MlhiZWmjDcxZ3viKjOlT4H7QXnQO-tsgAA","expires_i>
Jan 19 12:03:21 server.ipademo.local ipa-otpd[10229]: oauth2 {"verification_uri":
"https://microsoft.com/devicelogin", "user_code": "RN8FF7RAW"}
Jan 19 12:03:21 server.ipademo.local ipa-otpd[10229]: ]
Jan 19 12:03:21 server.ipademo.local ipa-otpd[10229]: oauth2.c:088: Child
finished with status [0].
Jan 19 12:03:21 server.ipademo.local ipa-otpd[10229]: testuser1@IPADEMO.LOCAL:
sent: 0 data: 371
Jan 19 12:03:21 server.ipademo.local ipa-otpd[10229]: testuser1@IPADEMO.LOCAL:
..sent: 371 data: 371
Jan 19 12:03:21 server.ipademo.local ipa-otpd[10229]: testuser1@IPADEMO.LOCAL:
response sent: Access-Challenge
Jan 19 12:03:21 server.ipademo.local ipa-otpd[10229]: Socket closed, shutting
down...
Jan 19 12:03:21 server.ipademo.local systemd[1]: ipa-otpd@15-9208-0.service:
Deactivated successfully.
---
About my Azure AD app: the OAuth endpoint is public. I've also tried to do the
same flow via Postman and I got an answer together with a token.
I'm just sending a POST
to https://login.microsoftonline.com/tribecloud.io/oauth2/v2.0/devicecode
with parameters like client_id and scope (no secret key, as it is a public
endpoint), then I get the response:
---
{
"user_code": "EQPA5W6ET",
"device_code":
"EAQABAAEAAAD--DLA3VO7QrddgJg7Wevr0elsjKu9xwm7ajAtm02ZjMk2iGKqXSCo6IUOZhvxhcbkdpvx743zNy6rJDoQpZUxwqoODVdbdqsfd_F_zg5lnwQ5Iub1eHrSyOpges6llmDXaTtDzVToHEsRPdSHN7L35SVTworyaAaESoj9DgL6NdFMewFgOSDO-ExewV-dGTYgAA",
"verification_uri": "https://microsoft.com/devicelogin",
"expires_in": 900,
"interval": 5,
"message": "To sign in, use a web browser to open the page
https://microsoft.com/devicelogin and enter the code EQPA5W6ET to authenticate."
}
---
Then I'm going to https://microsoft.com/devicelogin and I'm successfully
logging in to Azure, and then I'm doing another POST to
https://login.microsoftonline.com/tribecloud.io/oauth2/v2.0/token with
grant_type = urn:ietf:params:oauth:grant-type:device_code
client_id = <MY CLIENT ID>
device_code = the one from above
(EAQABAAEAAAD--DLA3VO7QrddgJg7Wevr0elsjKu9xwm7ajAtm02ZjMk2iGKqXSCo6IUOZhvxhcbkdpvx743zNy6rJDoQpZUxwqoODVdbdqsfd_F_zg5lnwQ5Iub1eHrSyOpges6llmDXaTtDzVToHEsRPdSHN7L35SVTworyaAaESoj9DgL6NdFMewFgOSDO-ExewV-dGTYgAA)
and I get the response:
---
{
"token_type": "Bearer",
"scope": "email openid profile",
"expires_in": 4701,
"ext_expires_in": 4701,
"access_token": "<JWT removed>",
"id_token": "<JWT removed>"
}
---
So I'm pretty sure that the OAuth 2.0 endpoint is working and the issue
exists on the FreeIPA server rather than in the Azure AD config.
From the logs I see that oidc_child is doing something very similar:
---
POST data:
[grant_type=urn:ietf:params:oauth:grant-type:device_code&client_id=cbc0bcde-3e55-4b12-9916-bdda0b706953&device_code=RAQABAAEAAAD--DLA3VO7QrddgJg7WevrhWWyMWUqb27PqWs7AaRbX408sSEVj4BDOkIs8KP95SdjheVqqoVQx7xfnvZ5Qjk8W0zlA2iYKbFBMYq6uNAmN57CO9BOEB74yYc0NCoyOskYW
---
but in response I see:
---
libcurl: < HTTP/1.1 400 Bad Request
---
and eventually
---
{"error":"authorization_pending","error_description":"AADSTS70016: OAuth 2.0 device flow error. Authorization is pending. Continue polling.\r\nTrace ID:
c5c67625-69b8-4630-b214-c3f13a92ea01\r\nCorrelation ID: dd042106-e670-49b0-8ea2-a625faf3e5e9\r\nTimestamp: 2023-01-19
11:03:21Z","error_codes":[70016],"timestamp":"2023-01-19
11:03:21Z","trace_id":"c5c67625-69b8-4630-b214-c3f13a92ea01","correlation_id":"dd042106-e670>
---
So it looks like oidc_child is doing a similar request to the one I do via Postman, but
for some reason the response is 400 instead of a token.
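The two-leg exchange shown in the logs above, written out as a small RFC 8628 device-flow client (an added example, not oidc_child's or FreeIPA's code). Per RFC 8628 the token endpoint answers HTTP 400 with error=authorization_pending until the user has entered the code at the verification URI; the client is expected to keep polling every interval seconds, back off on slow_down, stop on expired_token or access_denied, and treat verification_uri_complete as optional. The endpoint URLs, client id and replayed responses in run_demo are constructed for an offline run; http_post is the transport you would plug in as "post" against a real issuer.

```python
import json
import time
import urllib.error
import urllib.parse
import urllib.request

GRANT_TYPE = "urn:ietf:params:oauth:grant-type:device_code"

def http_post(url, form):
    """POST a form; return (status, JSON) even for 4xx, where the error object lives."""
    req = urllib.request.Request(url, data=urllib.parse.urlencode(form).encode(),
                                 method="POST", headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:
        return err.code, json.load(err)

def start_device_flow(post, devicecode_url, client_id, scope="openid email"):
    """Leg 1: device authorization request (public client, no secret)."""
    status, body = post(devicecode_url, {"client_id": client_id, "scope": scope})
    if status != 200 or "device_code" not in body:
        raise RuntimeError(f"device authorization failed: {status} {body}")
    body.setdefault("verification_uri_complete", None)  # OPTIONAL per RFC 8628
    return body

def poll_for_token(post, token_url, client_id, grant, sleep=time.sleep):
    """Leg 2: poll the token endpoint until the user finishes (RFC 8628 s3.5)."""
    form = {"grant_type": GRANT_TYPE, "client_id": client_id, "device_code": grant["device_code"]}
    interval = int(grant.get("interval", 5))
    deadline = time.monotonic() + int(grant["expires_in"])
    while time.monotonic() < deadline:
        sleep(interval)                      # never poll faster than the server asks
        status, body = post(token_url, form)
        if status == 200 and "access_token" in body:
            return body
        err = body.get("error")
        if err == "authorization_pending":   # HTTP 400, but it only means "not yet"
            continue
        if err == "slow_down":               # back off by 5 s, as the RFC requires
            interval += 5
            continue
        if err in ("access_denied", "expired_token"):
            raise PermissionError(f"{err}: {body.get('error_description', '')}")
        raise RuntimeError(f"unexpected token reply {status}: {body}")
    raise TimeoutError("device code expired before sign-in completed")

def run_demo():
    """Offline replay of constructed replies: pending, pending, slow_down, token."""
    pending = (400, {"error": "authorization_pending", "error_codes": [70016]})
    script = [pending, pending, (400, {"error": "slow_down"}),
              (200, {"token_type": "Bearer", "access_token": "constructed.jwt.value"})]
    polls, sleeps = [], []
    def fake_post(url, form):                # constructed stand-in for the IdP
        if url.endswith("/devicecode"):
            return 200, {"device_code": "dc-constructed", "user_code": "CONSTRUCTED1",
                         "verification_uri": "https://example.test/devicelogin",
                         "expires_in": 900, "interval": 5}
        polls.append(form)
        return script.pop(0)
    base = "https://example.test/tenant/oauth2/v2.0"
    grant = start_device_flow(fake_post, base + "/devicecode", "client-constructed")
    token = poll_for_token(fake_post, base + "/token", "client-constructed", grant, sleep=sleeps.append)
    return token, len(polls), sleeps
```

run_demo returns the token body, the number of token-endpoint polls (4: two pending, one slow_down, one success) and the sleep intervals used, which grow from 5 to 10 seconds after the slow_down reply.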