[Bug 2100299] Re: libapache2-mod-auth-openidc application registration key regression in Noble

Kenneth MacDonald 2100299 at bugs.launchpad.net
Wed Feb 26 17:08:19 UTC 2025


Set correct package.

** Package changed: apache2 (Ubuntu) => libapache2-mod-auth-openidc (Ubuntu)

https://bugs.launchpad.net/bugs/2100299

Title:
  libapache2-mod-auth-openidc application registration key regression in
  Noble

Status in libapache2-mod-auth-openidc package in Ubuntu:
  New

Bug description:
  Description:    Ubuntu 24.04.2 LTS

  I upgraded a web server from Jammy to Noble and it cannot authenticate
  against MS Entra ID due to a regression in handling the application
  registration private key that upstream introduced between the two
  packaged versions in Ubuntu.

  Jammy: libapache2-mod-auth-openidc-2.4.11-1
  Noble: libapache2-mod-auth-openidc-2.4.15.1-1build3

  From
  https://github.com/OpenIDC/mod_auth_openidc/releases/tag/v2.4.16.4 ...

  * add the missing copy of the "x5t" claim in oidc_jwk_copy, which
  broke private_key_jwt authentication to Microsoft Entra ID / Azure AD
  since 2.4.13

  The relevant part of my Apache configuration is ...

    OIDCPublicKeyFiles /etc/ssl/certs/entra-id.crt
    OIDCPrivateKeyFiles /etc/ssl/private/entra-id.key
    OIDCProviderTokenEndpointAuth private_key_jwt

  Users can log in to this website via MS Entra ID on Jammy, but on
  Noble the website returns an error to the user and this (redacted) in
  the logs ...

  [Wed Feb 26 15:32:09.726271 2025] [auth_openidc:error] [pid 416730:tid 129370008061632] [client ****:52468] oidc_util_json_string_print: oidc_util_check_json_error: response contained an "error" entry with value: ""invalid_client""
  [Wed Feb 26 15:32:09.726646 2025] [auth_openidc:error] [pid 416730:tid 129370008061632] [client ****:52468] oidc_util_json_string_print: oidc_util_check_json_error: response contained an "error_description" entry with value: ""AADSTS700027: The certificate with identifier used to sign the client assertion is not registered on application. [Reason - The key was not found., Please visit the Azure Portal, Graph Explorer or directly use MS Graph to see configured keys for app Id '****'. Review the documentation at https://docs.microsoft.com/en-us/graph/deployments to determine the corresponding service endpoint and https://docs.microsoft.com/en-us/graph/api/application-get?view=graph-rest-1.0&tabs=http to build a query request URL, such as 'https://graph.microsoft.com/beta/applications/****']. Trace ID: **** Correlation ID: **** Timestamp: 2025-02-26 15:32:09Z""

  I see that Plucky has a new enough version packaged to fix this
  regression (https://launchpad.net/ubuntu/+source/libapache2-mod-auth-openidc/2.4.16.8-1)
  and when I installed that package from
  https://archive.ubuntu.com/ubuntu/pool/universe/liba/libapache2-mod-auth-openidc/libapache2-mod-auth-openidc_2.4.16.8-1_amd64.deb
  it worked on my Noble server, allowing users to log in again.

  Are you able to back port the Plucky version to Noble?
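The failure above comes down to the client_assertion JWT header lacking the "x5t" thumbprint (base64url of the SHA-1 over the certificate's DER bytes) that Entra ID uses to look up the registered key. The following is an added diagnostic, not code from the bug report or from mod_auth_openidc: it computes the expected x5t from the PEM configured in OIDCPublicKeyFiles and checks whether a captured client_assertion carries a matching header. The certificate bytes and the assertion are constructed samples; any real PEM and a captured assertion can be substituted.

```python
import base64
import hashlib
import json

# Constructed sample "certificate". x5t only depends on the DER bytes,
# so an arbitrary byte string stands in for a real DER certificate here.
SAMPLE_DER = b"constructed-der-bytes-for-demo-only"
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(SAMPLE_DER).decode()
    + "-----END CERTIFICATE-----\n"
)


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def pem_to_der(pem: str) -> bytes:
    # Strip the BEGIN/END armour lines and decode the base64 body.
    body = "".join(l for l in pem.splitlines() if not l.startswith("-----"))
    return base64.b64decode(body)


def x5t_of_pem(pem: str) -> str:
    """RFC 7515 'x5t': base64url(SHA-1(DER certificate))."""
    return b64url(hashlib.sha1(pem_to_der(pem)).digest())


def jwt_header(assertion: str) -> dict:
    return json.loads(b64url_decode(assertion.split(".")[0]))


def check_assertion(assertion: str, pem: str) -> str:
    """Return 'ok', 'missing x5t' or 'x5t mismatch' for a client_assertion."""
    header = jwt_header(assertion)
    if "x5t" not in header:
        return "missing x5t"          # the 2.4.13 .. 2.4.16.3 symptom
    if header["x5t"] != x5t_of_pem(pem):
        return "x5t mismatch"         # header present but wrong cert
    return "ok"


def make_assertion(header: dict) -> str:
    # Constructed, unsigned assertion: only the header matters for this check.
    payload = {"iss": "app-id", "sub": "app-id", "aud": "token-endpoint"}
    parts = [json.dumps(header).encode(), json.dumps(payload).encode(), b"sig"]
    return ".".join(b64url(p) for p in parts)
```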
