
OpenID-Connect stops working after Microsoft signing key rollover #1231

Open
plevan74 opened this issue Sep 11, 2024 · 4 comments

Comments

plevan74 (Author) commented Sep 11, 2024

We have our instance of Krill configured for OpenID-Connect with login.microsoftonline.com.

Every now and then we get in a situation where authentication with login.microsoftonline.com completes but Krill sends us back to the login page. We get log entries like the following one when that happens:

Sep 11 11:24:00 SERVERNAME krill[2943457]: 2024-09-11 11:24:00 [WARN] [krill::daemon::auth::providers::openid_connect::provider] OpenID Connect: ID token verification failed: Signature verification failed [additional info: caused by: Signature verification failed, caused by: No matching key found]

If we restart Krill, we are always able to login again immediately after the restart and for a (usually long) while thereafter.

I found the following information from Microsoft which leads me to think that Krill may be caching the signing key(s) upon startup and then verification starts failing after Microsoft has aged out all the keys that Krill knew about.

https://learn.microsoft.com/en-us/entra/identity-platform/signing-key-rollover

There should probably be a way for Krill to refresh the list of keys.
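The reporter's hypothesis above is the classic JWKS-caching failure: keys are fetched once at startup, the provider rolls its signing key, and every ID token then fails with "No matching key found". The following is an added, stand-alone example (not Krill's code and not the fix in #1226) of the usual remedy: keep the key set in a cache keyed by `kid`, and when a token arrives with a `kid` the cache does not know, re-fetch the JWKS once, rate-limited so that a forged `kid` cannot turn every login attempt into a fetch against the provider. To run offline with the standard library only it uses HS256 keys signed by a constructed `FakeProvider`; a real provider such as login.microsoftonline.com publishes RSA/EC public keys, but the `kid` lookup and refresh logic are identical. `ISSUER`, `AUDIENCE`, the key ids and the `Clock` are all assumed values for the example.

```python
# Added example: JWKS cache with rate-limited refresh on an unknown kid.
# HS256 + a fake provider so it runs offline; real OIDC uses RSA/EC public keys.
import base64
import hashlib
import hmac
import json
import os

ISSUER, AUDIENCE = "https://idp.example/", "krill-client"   # assumed values


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class Clock:
    """Controllable time source so the scenario below is deterministic."""
    def __init__(self, now: float):
        self.now = now


class FakeProvider:
    """Constructed stand-in for the identity provider: publishes a JWKS,
    signs ID tokens, and ages out every old key on rollover."""
    def __init__(self):
        self.fetches = 0
        self.generation = 0
        self.rollover()

    def rollover(self):
        self.generation += 1
        self.current_kid = f"key-{self.generation}"
        self.keys = {self.current_kid: os.urandom(32)}   # old kids disappear

    def jwks(self):
        self.fetches += 1
        return [{"kty": "oct", "alg": "HS256", "kid": kid, "k": b64url_encode(k)}
                for kid, k in self.keys.items()]

    def issue_id_token(self, claims: dict, kid=None) -> str:
        kid = kid or self.current_kid
        header = {"alg": "HS256", "typ": "JWT", "kid": kid}
        signing_input = ".".join(b64url_encode(json.dumps(p).encode()) for p in (header, claims))
        secret = self.keys.get(kid, b"not-a-real-key")   # unknown kid => garbage signature
        sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
        return f"{signing_input}.{b64url_encode(sig)}"


class KeyCache:
    """Signing keys by kid; a cache miss triggers at most one re-fetch per interval."""
    def __init__(self, fetch_jwks, clock: Clock, min_refresh_interval: float = 300.0):
        self._fetch, self._clock, self._min_interval = fetch_jwks, clock, min_refresh_interval
        self._keys = {}
        self._last_refresh = float("-inf")
        self.refresh()                       # initial fetch at startup

    def refresh(self):
        self._keys = {jwk["kid"]: jwk for jwk in self._fetch()}
        self._last_refresh = self._clock.now

    def lookup(self, kid):
        jwk = self._keys.get(kid)
        if jwk is None and self._clock.now - self._last_refresh >= self._min_interval:
            self.refresh()                   # the key may have rolled over since startup
            jwk = self._keys.get(kid)
        return jwk


def verify_id_token(token: str, cache: KeyCache, clock: Clock) -> dict:
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":         # allow-list the algorithm, never trust alg blindly
        raise ValueError("unexpected alg")
    jwk = cache.lookup(header.get("kid"))
    if jwk is None:
        raise ValueError("No matching key found")
    expected = hmac.new(b64url_decode(jwk["k"]), f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("Signature verification failed")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != ISSUER or claims.get("aud") != AUDIENCE:
        raise ValueError("wrong issuer or audience")
    if claims.get("exp", 0) <= clock.now:
        raise ValueError("token expired")
    return claims


def run_rollover_scenario() -> dict:
    """Startup-only cache vs refresh-on-miss cache across one key rollover."""
    clock, idp = Clock(1_000_000.0), FakeProvider()
    stale = KeyCache(idp.jwks, clock, min_refresh_interval=float("inf"))  # never refreshes
    fresh = KeyCache(idp.jwks, clock, min_refresh_interval=300.0)

    def claims():
        return {"iss": ISSUER, "aud": AUDIENCE, "sub": "plevan74", "exp": clock.now + 600}

    def attempt(cache, token):
        try:
            return verify_id_token(token, cache, clock)["sub"]
        except ValueError as exc:
            return str(exc)

    result = {"before_rollover": attempt(fresh, idp.issue_id_token(claims()))}
    idp.rollover()                           # provider ages out the key both caches hold
    clock.now += 3600
    result["stale_cache"] = attempt(stale, idp.issue_id_token(claims()))
    result["refreshing_cache"] = attempt(fresh, idp.issue_id_token(claims()))
    result["forged_kid"] = attempt(fresh, idp.issue_id_token(claims(), kid="forged"))
    result["jwks_fetches"] = idp.fetches     # 2 at startup + 1 refresh-on-miss; forged kid fetched nothing
    return result


if __name__ == "__main__":
    print(json.dumps(run_rollover_scenario(), indent=2))
```

The stale cache reproduces the log line in the report ("No matching key found") after the rollover, while the refreshing cache recovers on the first token carrying the new `kid`. The rate limit matters: without it, anyone who can reach the login endpoint can force a JWKS fetch per request simply by sending tokens with made-up key ids. A periodic background refresh (Microsoft's guidance suggests at least every 24 hours) complements refresh-on-miss but does not replace it, since a rollover can land in between two periodic fetches.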

partim (Member) commented Sep 12, 2024

Thank you for the report!

We discovered the same issue a while back with our own setup and fixed it in #1226. Because the code is currently in a bit of flux, I don’t want to make a new release just yet. However, depending on how annoying this is for you, we could backport it to the 0.14 branch and make a release there.

However, while I have you here, I’d like to ask you how much of Krill’s multiuser functionality you are using. Are you using OpenID just for login or also to centrally set access permissions for individual users possibly even for individual CAs? We are currently trying to simplify the authentication code quite a bit but don’t want to use features that are actually used.

plevan74 (Author) commented

Thank you for the information about an upcoming fix.

To answer your question, we started using OpenID for authentication and then found that we could use the group membership facts to assign access levels too so we're now using it for authorization too. This is all for a single CA.

partim (Member) commented Sep 30, 2024

Apologies for the long silence – I was away for a bit of vacation.

I wrote a proposal for a simplified configuration a while back in #1229. I think you are basically using the method shown in the example there? Could you confirm that this proposal would work for you?

plevan74 (Author) commented Oct 25, 2024

Hello, sorry this fell off my radar screen for a while. After reading #1229, I think it would cover our use case and I like the proposed new syntax.
