[Bug 2100299] [NEW] libapache2-mod-auth-openidc application registration key regression in Noble
Launchpad Bug Tracker
2100299 at bugs.launchpad.net
Wed Feb 26 17:08:22 UTC 2025
You have been subscribed to a public bug:
Description: Ubuntu 24.04.2 LTS
I upgraded a web server from Jammy to Noble and it cannot authenticate
against MS Entra ID due to a regression in handling the application
registration private key that upstream introduced between the to
packaged versions in Ubuntu.
Jammy: libapache2-mod-auth-openidc-2.4.11-1
Noble: libapache2-mod-auth-openidc-2.4.15.1-1build3
>From https://github.com/OpenIDC/mod_auth_openidc/releases/tag/v2.4.16.4
...
* add the missing copy of the "x5t" claim in oidc_jwk_copy, which broke
private_key_jwt authentication to Microsoft Entra ID / Azure AD since
2.4.13
The relevant part of my Apache configuration is ...
OIDCPublicKeyFiles /etc/ssl/certs/entra-id.crt
OIDCPrivateKeyFiles /etc/ssl/private/entra-id.key
OIDCProviderTokenEndpointAuth private_key_jwt
Users can log in to this website via MS Entra ID on Jammy, but on Noble
the website returns an error to the user and this (redacted) in the logs
...
[Wed Feb 26 15:32:09.726271 2025] [auth_openidc:error] [pid 416730:tid 129370008061632] [client ****:52468] oidc_util_json_string_print: oidc_util_che
ck_json_error: response contained an "error" entry with value: ""invalid_client""
[Wed Feb 26 15:32:09.726646 2025] [auth_openidc:error] [pid 416730:tid 129370008061632] [client ****:52468] oidc_util_json_string_print: oidc_util_check_json_error: response contained an "error_description" entry with value: ""AADSTS700027: The certificate with identifier used to sign the client assertion is not registered on application. [Reason - The key was not found., Please visit the Azure Portal, Graph Explorer or directly use MS Graph to see configured keys for app Id '****'. Review the documentation at https://docs.microsoft.com/en-us/graph/deployments to determine the corresponding service endpoint and https://docs.microsoft.com/en-us/graph/api/application-get?view=graph-rest-1.0&tabs=http to build a query request URL, such as 'https://graph.microsoft.com/beta/applications/****']. Trace ID: **** Correlation ID: **** Timestamp: 2025-02-26 15:32:09Z""
I see that Plucky has a new enough version packaged to fix this
regression (https://launchpad.net/ubuntu/+source/libapache2-mod-auth-
openidc/2.4.16.8-1) and when I installed that package from
https://archive.ubuntu.com/ubuntu/pool/universe/liba/libapache2-mod-
auth-openidc/libapache2-mod-auth-openidc_2.4.16.8-1_amd64.deb it worked
on my Noble server, allowing users to log in again.
Are you able to back port the Plucky version to Noble?
** Affects: libapache2-mod-auth-openidc (Ubuntu)
Importance: Undecided
Status: New
--
libapache2-mod-auth-openidc application registration key regression in Noble
https://bugs.launchpad.net/bugs/2100299
You received this bug notification because you are a member of Ubuntu OpenStack, which is subscribed to libapache2-mod-auth-openidc in Ubuntu.
More information about the Ubuntu-openstack-bugs
mailing list