-
Notifications
You must be signed in to change notification settings - Fork 562
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[AzureAD] fix broken AzureAD integration #795
Conversation
As it might be a bit hard to follow the thought process behind the refactoring, I've reiterated the changes and created a separate branch to illustrate the way of this refactoring. I didn't want to push hundreds of minor commits, so only pushed a proper merge. Feel free to have a look at the details, if that helps to understand the huge change: |
I tried your v2.34.0-patch.1. I no longer receive the error I was getting but now receive: invalid character 'h' looking for beginning of value |
@theemethod would you be able to give a bit more context, like an anonymized verbose run? my run, with MFA and ADFS path currently looks like:
I got a similar run for a non ADFS flow and also without MFA .. and I remember a conditional run via VPN also went fine. The only issue we faced at our company was an error out of mixing tenant and app IDs. |
@christianmeyer Sure. I'm using Windows 10. You can ignore the cache errors. I was trying to figure out how to get the raw output that is failing. Not sure if that is possible though.
|
@theemethod I was able to reproduce the error output under some MFA circumstances and patched it (MS seems kinda creative with their interruptions in the flow). Can you check if my |
Thanks for the update. Unfortunately, the error output seems to be the same. This is a new testing tenant so there are no CA policies and MFA is disabled. I was able to get the raw output. Would any of that be useful? |
@theemethod I've tested it against a brand new AzureAD setup after your feedback and disabled all Security Defaults to get down to the bare minimum flow, and it still works. |
@christianmeyer So I tested in our production tenant and everything works. We are currently federated with ADFS and I also have an account configured for our staged rollout to password hash sync. Both accounts worked just fine. One difference is that our staging tenant uses our @*.onmicrosoft.com userprincipalname. I can't easily change this, at least not right now. I can come back to the staging tenant issue in a few days once I finish this production update. Thank you for your assistance. |
Given the exceptions introduced as part of this discussions, I've refactored the code again, to isolate them in the thought to be somehow linear authentication flow. The AzureAD authentication flow varies a lot, dependent on the security settings within AzureAD thus can have KMSI interrupts at felt random spots, same goes for (non) MFA flows. |
Does this also solves issue with idp url error if the tenant is in other directory? |
Is there any update on merging this? Any support needed? |
Codecov Report
📣 This organization is not using Codecov’s GitHub App Integration. We recommend you install it so Codecov can continue to function properly for your repositories. Learn more @@ Coverage Diff @@
## master #795 +/- ##
==========================================
+ Coverage 27.88% 31.70% +3.81%
==========================================
Files 52 52
Lines 7379 7463 +84
==========================================
+ Hits 2058 2366 +308
+ Misses 5069 4787 -282
- Partials 252 310 +58
Flags with carried forward coverage won't be shown. Click here to find out more.
📣 We’re building smart automated test selection to slash your CI/CD build times. Learn more |
I will merge this tomorrow |
Hi guys, when is the version bump (to v2.36.6) expected? |
Definitely this week. Bare with me as I clear out time to release
(apologies for the delay).
…On Mon, Mar 27, 2023 at 22:42, realtimerick ***@***.***> wrote:
Hi guys, when is the version bump (to v2.36.6) expected?
—
Reply to this email directly, view it on GitHub
<#795 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAGQV5PE57LDOB7XA3CKOHTW6GDK7ANCNFSM5RPM7Y3Q>
.
You are receiving this because you modified the open/close state.Message
ID: ***@***.***>
|
I fixed the AzureAD integration.
The refactored code should support native logins and ADFS federated logins.
I tried to incorporate all existing edge cases, but could not test all of them.