[Freeipa-users] freeIPA 4.10.1 - Oauth2.0 with Azure AD

Morning All, I'm trying to do almost the same as it was demoed here: https://www.youtube.com/watch?v=NorXJN3tw3Q&themeRefresh=1 [Break ice or don't login twice: FreeIPA and OAuth 2.0]. In particular I'm trying to let authorize linux ussers (ssh) with OAuth2.0 Azure AD. I already registered new app in Azure AD (so I have new Client ID), then I add new idp like it was described here: https://freeipa.readthedocs.io/en/latest/designs/external-idp/idp-api.htm... and https://freeipa.readthedocs.io/en/latest/workshop/12-external-idp-support.... I created new user and attached him to AD idp. Sadly I have some issues with make whole thing work. I run for this on clean fedora 37 OS: --- [root@ipa2 log]# cat /etc/fedora-release Fedora release 37 (Thirty Seven) --- I installed freeipa-server in version 4.10.1: --- [root@ipa2 log]# ipa --version VERSION: 4.10.1, API_VERSION: 2.251 --- and all components seems to be working: --- [root@ipa2 log]# ipactl status Directory Service: RUNNING krb5kdc Service: RUNNING kadmin Service: RUNNING httpd Service: RUNNING ipa-custodia Service: RUNNING pki-tomcatd Service: RUNNING ipa-otpd Service: RUNNING ipa: INFO: The ipactl command was successful --- However when im trying to do: --- [root@ipa2 ~]# kinit -T ./fast.ccache testuser2 Authenticate with PIN RJ4TEQ3KW at https://microsoft.com/devicelogin and press ENTER.: kinit: Preauthentication failed while getting initial credentials --- of course the link provided in commandilne is valid and i can proceed with the authorization with no issues and get SUCCESS at the end, however for freeipa the response is always the same: [kinit: Preauthentication failed while getting initial credentials.] I already noticed that the error occurs almost immiadetely after running [ kinit -T ./fast.ccache testuser2 ], so freeipa is not even waiting for me to log on https://microsoft.com/devicelogin website: I see in journactl such flow: --- [root@ipa2 log]# journalctl --follow /usr/libexec/ipa/ipa-otpd Jan 18 14:45:49 ipa2.tribecloud.io ipa-otpd[2596]: testuser1@(MY DOMAIN HERE): idp query end: ad Jan 18 14:45:49 ipa2.tribecloud.io ipa-otpd[2596]: testuser1@(MY DOMAIN HERE): oauth2 start: Get device code Jan 18 14:45:49 ipa2.tribecloud.io ipa-otpd[2596]: testuser1@(MY DOMAIN HERE): Received: [{"device_code":"EAQABAAEAAAD--DLA3VO7QrddgJg7Wevr7iawpzAIiCTXDx5OKQCTvg3u_0IfN7car7U1-ErltsJ_HqupRB-wsm-ls_tCZYc3Z98zG-jVx_xXmZ7oIg5LkxswyAJocRVtTygHdN9sDrHb9lhfGYSZPizy0hEMKGHfhgPaiDtnW3muH-izoWktC_PXqqgJC08d2apcLI8RK6YgAA","expires_in":900,"interval":5} Jan 18 14:45:49 ipa2.tribecloud.io ipa-otpd[2596]: oauth2 {"verification_uri": "https://microsoft.com/devicelogin", "user_code": "EWVEHBCR6"} Jan 18 14:45:49 ipa2.tribecloud.io ipa-otpd[2596]: ] Jan 18 14:45:49 ipa2.tribecloud.io ipa-otpd[2596]: testuser1@(MY DOMAIN HERE): sent: 0 data: 371 Jan 18 14:45:49 ipa2.tribecloud.io ipa-otpd[2596]: testuser1@(MY DOMAIN HERE): ..sent: 371 data: 371 Jan 18 14:45:49 ipa2.tribecloud.io ipa-otpd[2596]: testuser1@(MY DOMAIN HERE): response sent: Access-Challenge Jan 18 14:45:49 ipa2.tribecloud.io ipa-otpd[2596]: oauth2.c:088: Child finished with status [0]. Jan 18 14:45:49 ipa2.tribecloud.io ipa-otpd[2596]: Socket closed, shutting down... --- [Jan 18 14:45:49 ipa2.tribecloud.io ipa-otpd[2596]: testuser1@(MY DOMAIN HERE): response sent: Access-Challenge] - I have an impression that request is ended almost in the same second when it starts. In messages logs: --- Jan 18 15:13:42 ipa2 systemd[1]: /usr/lib/systemd/system/ipa-otpd@.service:10: Standard output type syslog is obsolete, automatically updating to journal. Please update your unit file, and consider removing the setting altogether. Jan 18 15:13:42 ipa2 audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=ipa-otpd@19-1182-0 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success' Jan 18 15:13:42 ipa2 systemd[1]: Started ipa-otpd(a)19-1182-0.service - ipa-otpd service (PID 1182/UID 0). Jan 18 15:13:42 ipa2 ipa-otpd[2840]: LDAP: ldapi://%2Frun%2Fslapd-(MY DOMAIN HERE).socket Jan 18 15:13:42 ipa2 ipa-otpd[2840]: testuser1@(MY DOMAIN HERE): request received Jan 18 15:13:42 ipa2 ipa-otpd[2840]: testuser1@(MY DOMAIN HERE): user query start Jan 18 15:13:42 ipa2 ipa-otpd[2840]: testuser1@(MY DOMAIN HERE): user query end: uid=testuser1,cn=users,cn=accounts,dc=tribecloud,dc=io Jan 18 15:13:42 ipa2 ipa-otpd[2840]: testuser1@(MY DOMAIN HERE): idp query start: cn=ad,cn=idp,dc=tribecloud,dc=io Jan 18 15:13:42 ipa2 ipa-otpd[2840]: testuser1@(MY DOMAIN HERE): idp query end: ad Jan 18 15:13:42 ipa2 ipa-otpd[2840]: testuser1@(MY DOMAIN HERE): oauth2 start: Get device code Jan 18 15:13:43 ipa2 ipa-otpd[2840]: testuser1@(MY DOMAIN HERE): Received: [{"device_code":"FAQABAAEAAAD--DLA3VO7QrddgJg7Wevr9pXKAjhGk35vFXJUS2CnmQ0ASimeHG_O_I9Ws_CW4GVxOBdb_80yKD2giSQ4SE9PzYEEuCYhzsq70plMMb8XQzgVbYUhe-Mfa85Zb96X8eUAD1PLRh6zO_2i5EMA_hsFXyhC-QDO_uOA64QsoHOFHP5C-FQTbaAYegdUiRlMWj4gAA","expires_in":900,"interval":5} Jan 18 15:13:43 ipa2 ipa-otpd[2840]: oauth2 {"verification_uri": "https://microsoft.com/devicelogin", "user_code": "FW5GFFLMH"} Jan 18 15:13:43 ipa2 ipa-otpd[2840]: ] Jan 18 15:13:43 ipa2 ipa-otpd[2840]: testuser1@(MY DOMAIN HERE): sent: 0 data: 371 Jan 18 15:13:43 ipa2 ipa-otpd[2840]: testuser1@(MY DOMAIN HERE): ..sent: 371 data: 371 Jan 18 15:13:43 ipa2 ipa-otpd[2840]: testuser1@(MY DOMAIN HERE): response sent: Access-Challenge Jan 18 15:13:43 ipa2 ipa-otpd[2840]: oauth2.c:088: Child finished with status [0]. Jan 18 15:13:43 ipa2 ipa-otpd[2840]: Socket closed, shutting down... Jan 18 15:13:43 ipa2 systemd[1]: ipa-otpd(a)19-1182-0.service: Deactivated successfully. Jan 18 15:13:43 ipa2 audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=ipa-otpd@19-1182-0 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success' --- User configuration: --- [root@ipa2 log]# ipa user-show testuser2 User login: testuser2 First name: Test Last name: User2 Home directory: /home/testuser2 Login shell: /bin/bash Principal name: testuser2@(MY DOMAIN HERE) Principal alias: testuser2@(MY DOMAIN HERE) Email address: testuser2@(MY DOMAIN HERE) UID: 608800004 GID: 608800004 User authentication types: idp External IdP configuration: ad External IdP user identifier: john@(MY DOMAIN HERE) Account disabled: False Password: False Member of groups: ipausers Kerberos keys available: False --- idp config: --- [root@ipa2 log]# ipa idp-show ad Identity Provider server name: ad Authorization URI: https://login.microsoftonline.com/(My tenant ID HERE)/oauth2/v2.0/authorize Device authorization URI: https://login.microsoftonline.com/(My tenant ID HERE)/oauth2/v2.0/devicecode Token URI: https://login.microsoftonline.com/(My tenant ID HERE)/oauth2/v2.0/token User info URI: https://graph.microsoft.com/oidc/userinfo JWKS URI: https://login.microsoftonline.com/common/discovery/v2.0/keys Client identifier: (MY client ID Here) Scope: openid email External IdP user identifier attribute: email --- I couldn't figure out what is going on, do you have any ideas, advices how I can solve that and let me to use OAuth with Azure AD? Best regards John