OIDC authentication fails because of missing email claim

Hey friends,

I’ve set up OIDC authentication in graylog, and the “Test Server Connection” function works great. However, after logging into Graylog using my Office365 credentials, I get “Login failed. This might be a temporary problem. Please try again.”. Looking at graylog logs, I see this:

2023-08-01T23:50:38.153Z WARN [BearerTokenRealm] Failed to authenticate username <> with backend <Office365/oidc/64c87c0d79bc2e5e852a296a>
2023-08-01T23:50:38.154Z INFO [SessionCreator] Invalid credentials in session create request. Actor: “urn:graylog:node:c30d9c45-ff92-4d7e-af84-039bb87ebf3e”
2023-08-01T23:53:05.570Z ERROR [OauthAuthServiceBackend] Unable to extract user info from JSON response
com.fasterxml.jackson.databind.exc.ValueInstantiationException: Cannot construct instance of org.graylog.plugins.security.authservice.backend.OauthUserinfo$Builder, problem: Missing required properties: email

It seems graylog is looking for the email property from the JWT and is not finding any. However, the unique_name, upn properties do contain an email address. I’ve set up an email claim on AzureAD, but it’s not being picked up by graylog. I’ve also used version 2 on accessTokenAcceptedVersion in the AzureAD app manifest as hinted by a similar thread, to no avail.

Is there a way to configure either graylog or AzureAD to trade the correct information?

Thank you!

Ubuntu 22.04, package 5.0.7-1

Hey @mruivo

This post looks similar to yours

Yes, in fact it appears to be the exact same problem, but I’m not discerning what the solution was for the fellow. Email shows up in a few areas, including preferred_username as he mentioned. Is there a way to map it so that graylog is happy?

Hey

I haven't used AzureAD in a long time. To be honest, I don't remember mapping anything. I logged in using the user email address.

Is it possible to show your settings for AzureAD? If so, make sure you remove any personal info.

Sure, here are all relevant settings I can think of:

Portal > Authentication


Portal > Token configuration

Portal > API Permissions

Portal > Expose an API
(nothing is set on this page)

Portal > Manifest

{
	"id": "[redacted]",
	"acceptMappedClaims": null,
	"accessTokenAcceptedVersion": 2,
	"addIns": [],
	"allowPublicClient": null,
	"appId": "[redacted]",
	"appRoles": [],
	"oauth2AllowUrlPathMatching": false,
	"createdDateTime": "2023-05-18T17:54:37Z",
	"description": null,
	"certification": null,
	"disabledByMicrosoftStatus": null,
	"groupMembershipClaims": "None",
	"identifierUris": [
		"api://[redacted]"
	],
	"informationalUrls": {
		"termsOfService": null,
		"support": null,
		"privacy": null,
		"marketing": null
	},
	"keyCredentials": [],
	"knownClientApplications": [],
	"logoUrl": null,
	"logoutUrl": null,
	"name": "graylog",
	"notes": null,
	"oauth2AllowIdTokenImplicitFlow": true,
	"oauth2AllowImplicitFlow": false,
	"oauth2Permissions": [],
	"oauth2RequirePostResponse": false,
	"optionalClaims": {
		"idToken": [
			{
				"name": "email",
				"source": "user",
				"essential": true,
				"additionalProperties": []
			}
		],
		"accessToken": [
			{
				"name": "email",
				"source": "user",
				"essential": true,
				"additionalProperties": []
			}
		],
		"saml2Token": [
			{
				"name": "email",
				"source": "user",
				"essential": true,
				"additionalProperties": []
			}
		]
	},
	"orgRestrictions": [],
	"parentalControlSettings": {
		"countriesBlockedForMinors": [],
		"legalAgeGroupRule": "Allow"
	},
	"passwordCredentials": [
		{
			"customKeyIdentifier": null,
			"endDate": "[redacted]",
			"keyId": "[redacted]",
			"startDate": "[redacted]",
			"value": null,
			"createdOn": "[redacted]",
			"hint": "[redacted]",
			"displayName": "Password uploaded on [redacted]"
		}
	],
	"preAuthorizedApplications": [],
	"publisherDomain": "[redacted]",
	"replyUrlsWithType": [
		{
			"url": "https://[redacted]/authorization-code/callback",
			"type": "Web"
		}
	],
	"requiredResourceAccess": [
		{
			"resourceAppId": "[redacted]",
			"resourceAccess": [
				{
					"id": "[redacted]",
					"type": "Scope"
				},
				{
					"id": "[redacted]",
					"type": "Scope"
				},
				{
					"id": "[redacted]",
					"type": "Scope"
				},
				{
					"id": "[redacted]",
					"type": "Scope"
				}
			]
		}
	],
	"samlMetadataUrl": null,
	"signInUrl": null,
	"signInAudience": "AzureADMyOrg",
	"tags": [],
	"tokenEncryptionKeyId": null
}

Thanks so much for the help, hopefully something stands out here

I’ve run into the same issue with our AAD (now called Entra).
I’ve also still had no luck getting this working. Maybe it’s possible to use UPN instead of EMAIL for Graylog?

Hey friends,

I’ve still not come to a solution here. Is there anything more I can do? Gsmith, were you able to look at my settings and find something off?

I appreciate the help so far.

Hey @mruivo

I'm sorry, I did not. I've been busy at work fixing issues.

Hey @gsmith

Not a problem, I appreciate any help I can get. It seems email should naturally show up in the OIDC spec, but Azure AD isn’t playing nice. Adding email to optional claims should fix this, but no dice. If your setup is working, it would be great to know which claims, optional claims, and permissions you have set up, when you get the chance of course.
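An added diagnostic example for the claim question raised in the first post and again here (not code from the thread or from the Graylog project): it decodes an ID token's payload without verifying the signature and reports which e-mail-bearing claims the IdP actually included, so you can confirm whether the `email` claim Graylog's log says it requires is present before touching the app manifest again. The sample token is constructed and unsigned.

```python
import base64
import json

# Claims that commonly carry an e-mail address in Azure AD / Entra tokens.
# Per the OauthUserinfo error in the thread, Graylog requires "email".
EMAIL_LIKE_CLAIMS = ("email", "preferred_username", "upn", "unique_name")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def decode_jwt_claims(token: str) -> dict:
    """Return the payload of a compact JWT WITHOUT verifying its signature.

    Diagnostic only: this shows which claims the IdP put in the token.
    Never use an unverified payload to make an authentication decision.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def email_claim_report(token: str) -> dict:
    """Summarise which e-mail-bearing claims exist and whether 'email' is one."""
    claims = decode_jwt_claims(token)
    present = {name: claims[name] for name in EMAIL_LIKE_CLAIMS if name in claims}
    return {
        "has_email": "email" in claims,
        "candidates": present,
        "token_version": claims.get("ver"),
    }


def _make_unsigned_token(payload: dict) -> str:
    # Constructed sample token (alg "none", empty signature) for demonstration.
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f'{enc({"alg": "none", "typ": "JWT"})}.{enc(payload)}.'


# Constructed payload mirroring the thread: upn/unique_name carry the address,
# but there is no "email" claim, so Graylog's userinfo builder would fail.
SAMPLE_TOKEN = _make_unsigned_token({
    "ver": "2.0",
    "upn": "alice@example.com",
    "unique_name": "alice@example.com",
    "preferred_username": "alice@example.com",
})

if __name__ == "__main__":
    print(json.dumps(email_claim_report(SAMPLE_TOKEN), indent=2))
```

Paste a real ID token from the browser's network tab in place of SAMPLE_TOKEN to see whether the optional `email` claim is actually being emitted.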


Hi @mruivo, @oliver.dorn
Did either of you resolve this issue? I’m currently troubleshooting the same problem.