Azure AD B2C with Zammad

Infos:

  • Used Zammad version: 2.6.
  • Used Zammad installation source: Installation according to Ubuntu tutorial
  • Operating system: Ubuntu
  • Browser + version: Chrome / Internet Explorer

Expected behavior:

  • Configuration of generic OAuth security settings should enable login via Azure AD B2C.
    Settings were configured as:

Zammad app was registered and appid + password (key) entered in the configuration

Site:
https://login.microsoftonline.com

Authorization Url:
/mytenantxxx.onmicrosoft.com/oauth2/v2.0/authorize?p=mypolicy&scope=openid

Token Url:
/mytenantxxx.onmicrosoft.com/oauth2/v2.0/token

Actual behavior:

  • Message from oauth2: invalid_credentials (Exceptions::UnprocessableEntity)
    /opt/zammad/app/controllers/sessions_controller.rb:169:in `failure_omniauth'

Steps to reproduce the behavior:

  • Try to configure any azure ad or azure ad b2c account

Did anybody successfully configure azure ad b2c? The same tenant is currently working with 8 different applications. I am not able to make it work with Zammad though…

You are sure that the credentials you provided are correct?

Yes, tried the same keys with different apps over and over again.

Here is my progress so far:

With my first attempt I’ve tried to use the following parameter

Then I quickly realized that neither an option for scope nor policy is recognized by Azure AD B2C.
I got the following error:

AADSTS90014: The request body must contain the following parameter: 'scope'.

After adding the missing parameters in the authorize url field I came up with the following:
image

And regardless of user account or client(appid) / app secret, I always get
image

The user account is 100% correct (otherwise it would fail on the redirected Microsoft page).
The app key was regenerated like 10 times in different versions and combinations. The app id is correct as well.

Being kind of desperate I’ve started to compare the endpoint test url from Azure (to test these login policies) with the one generated out of Zammad’s redirect:

Zammad:
https://login.microsoftonline.com/xxxx.onmicrosoft.com/oauth2/authorize?client_id=bb2xxxxxxxxxx&redirect_uri=https%3a%2f%2flogin.microsoftonline.com%2fte%2fxxx.onmicrosoft.com%2foauth2%2fauthresp&response_type=id_token&scope=email+openid&response_mode=query&nonce=Shwn1I5pczZuX3mioUEEYw%3d%3d&nux=1&nca=1&domain_hint=xxxx.onmicrosoft.com&mkt=en-US&lc=1033&state=StateProperties%3xxxxUQiOiJ4LW1zLWNwaW0tcmM6MDM4ZWQ5NGQtNzgwOS00MWViLTljZGItNDYzOTc1MmIyMjVjIiwiVElEIjoiZWJhMzVhMTQtNWU3OS00ZWIzLThjNjctNTRlODM1YzMwNjdlIn0

Endpoint simulation in Azure:
https://login.microsoftonline.com/xxxx.onmicrosoft.com/oauth2/authorize?client_id=bb2xxxxxxxxxx&redirect_uri=https%3a%2f%2fxxx.b2clogin.com%2fxxx.onmicrosoft.com%2foauth2%2fauthresp&response_type=id_token&scope=email+openid&response_mode=query&nonce=K%2fD2OnU6uX8%2bB923FpBU0Q%3d%3d&nux=1&nca=1&domain_hint=xxxx.onmicrosoft.com&prompt=login&mkt=en-US&lc=1033&state=StateProperties%3xxxxUQiOiJ4LW1zLWNwaW0tcmM6YjI0MGFmMzctYTczZC00NTkyLWFjYWMtY2Q2OTYxZTQzMGQwIiwiVElEIjoiYWQwZDQ2YzctNzM1OC00ZmQ3LTk3MWYtMjUyMDViYjc1NmU3In0

Looks alike - even changing the standard redirect uri to b2clogin of Microsoft ended up in the same way.

Any ideas?

I’ve tracked down the redirect urls:

https://xxx/auth/oauth2/callback?state=a5a12f21088d5a14dab410116ab1937e4bf5d7a23d746153&code=eyJraWQiOiJjcGltY29yZV8wOTI1MjAxNSIsInZlciI6IjEuMCIsInppcCI6IkRlZmxhdGUiLCJzZXIiOiIxLjAifQ..4gQfcr98ukDI34ch.QywpGL_EIL_-9JTVQAttRqfYDjsiSkfYDWiXpBTMosrFYZWzMWp7afDWlp2_DO8CrVIrssBTKIqymGND8gcwnaAoUxfHoseft2ppSEAhHXFeNIwQADJm53W4zyLUhM4hkIvHhezmHV90dd0O_2w4G8XCNbSZPbkvtKhp4T5vw3Yf6aunWic1ld8YIo1aDl6EaVMHCsQIKE51Wc1nvUxIe7uTUq6r9Oce7gosn38ajaNM9CApuexTeeMll50r0jT49jB_jYl24GaWq-DlwEoJl0fRztL569lNq5FPWxwl6GA5Kbm_r513mZTNGA3784WFhPkdwgh4_YYRzI5lNiYEF9HDeqMAT4CBzFtFPYa_fIq2Qh8N6Wf_mGtFahUWERBJKxW-0HT4SLkXTKK1YpIigR9eZzmgVVroyijBLo-UAA-P-7pIoX4wC0vuabAhhrb0NwG0YIPwT9VLrKuSc2Ruw9ES8Js6XFAoCC6YEyvMfl59ZjltpGSVmDqIXPVdRbLcracg1vRHtsAENv5lYpW-93k5S0fTjr9xqNfAHLjVeay7quNl.6va99VWAPhLNXkUE60Hy2w

The payload looks like this:

Header
{
  "typ": "JWT",
  "alg": "HS256"
}

Payload
{
  "jti": "26c03df2-079c-4d1b-ba8b-8bcee57143d6",
  "iat": 1536825189,
  "exp": 1536828789
}

@MrGeneration does this help?
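As an added illustration (not code from the thread, from Zammad, or from Microsoft), the script below walks the authorization-code flow the posts above are debugging: it builds the authorize URL with the `p` policy parameter and `scope`, binds the callback to the request through `state` before accepting a `code`, builds the token request, and inspects a compact JOSE string by counting its dot-separated segments. The tenant, policy name, client id, secret and redirect URI are hypothetical placeholders, since the thread redacts them. Two points a practitioner would check against the configuration quoted at the top of the thread: Microsoft's B2C documentation places the policy on the token endpoint as well (as a path segment or the `p` parameter), while the Token Url above has neither; and an AADSTS90014 "request body must contain ... scope" error names a body parameter, which only the token POST has, the authorize GET having no body. The first segment of the sample code is the real first segment of the `code` quoted above, the other four segments are constructed placeholders; its header carries `kid`, `ver`, `zip` and `ser` and no `alg`, and the string has five segments with an empty second one, so it is an encrypted, opaque blob rather than a signed JWT you can read.

```ruby
require 'json'
require 'base64'
require 'securerandom'
require 'uri'
require 'cgi'

# Hypothetical values; the thread redacts the real ones.
SITE      = 'https://login.microsoftonline.com'
TENANT    = 'mytenantxxx.onmicrosoft.com'
POLICY    = 'B2C_1_signin'            # the thread only calls it "mypolicy"
CLIENT_ID = '00000000-0000-0000-0000-000000000000'
SECRET    = 'app-secret-placeholder'
REDIRECT  = 'https://zammad.example.com/auth/oauth2/callback'

# Step 1: authorization request. B2C selects the user flow (policy) with
# the `p` query parameter, so it belongs on the authorize URL together
# with `scope` (which must contain openid).
def authorize_url(state:, nonce:)
  params = {
    'p'             => POLICY,
    'client_id'     => CLIENT_ID,
    'redirect_uri'  => REDIRECT,
    'response_type' => 'code',
    'response_mode' => 'query',
    'scope'         => 'openid',
    'state'         => state,
    'nonce'         => nonce
  }
  "#{SITE}/#{TENANT}/oauth2/v2.0/authorize?#{URI.encode_www_form(params)}"
end

# Constant-time comparison so the state check does not leak by timing.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Step 2: the browser returns to /auth/oauth2/callback. Bind the reply to
# the request via `state` before touching `code`; surface provider errors.
def parse_callback(callback_url, expected_state)
  q = CGI.parse(URI(callback_url).query.to_s).transform_values(&:first)
  raise 'callback without state' if q['state'].nil?
  raise 'state mismatch (possible CSRF or stale session)' unless secure_compare(q['state'], expected_state)
  raise "provider error: #{q['error']}: #{q['error_description']}" if q['error']
  raise 'callback without code' if q['code'].nil?
  q['code']
end

# Step 3: code exchange. The policy is part of the B2C token endpoint as
# well (path segment or `p` parameter); a token URL without it goes to a
# policy-less endpoint. `scope` travels in the POST body here.
def token_request(code)
  {
    url: "#{SITE}/#{TENANT}/oauth2/v2.0/token?#{URI.encode_www_form('p' => POLICY)}",
    form: {
      'grant_type'    => 'authorization_code',
      'client_id'     => CLIENT_ID,
      'client_secret' => SECRET,
      'code'          => code,
      'redirect_uri'  => REDIRECT,
      'scope'         => 'openid'
    }
  }
end

# Inspect a compact JOSE string without verifying it: a JWS has three
# dot-separated segments, a JWE five. split('.', -1) keeps an empty
# interior segment, which the B2C code has ("..") where the encrypted
# key would be.
def jose_inspect(token)
  parts  = token.split('.', -1)
  header = JSON.parse(Base64.urlsafe_decode64(parts[0]))
  kind   = { 3 => :jws, 5 => :jwe }.fetch(parts.size, :unknown)
  { kind: kind, segments: parts.size, header: header }
end

# First segment of the `code` quoted in the thread; the remaining four
# segments below are constructed placeholders, not the real ciphertext.
B2C_CODE_HEADER = 'eyJraWQiOiJjcGltY29yZV8wOTI1MjAxNSIsInZlciI6IjEuMCIsInppcCI6IkRlZmxhdGUiLCJzZXIiOiIxLjAifQ'
SAMPLE_B2C_CODE = "#{B2C_CODE_HEADER}..AAAAAAAAAAAAAAAA.BBBBBBBB.CCCCCCCCCCCCCCCCCCCCCC"

if __FILE__ == $PROGRAM_NAME
  state = SecureRandom.hex(16)
  nonce = SecureRandom.hex(16)
  puts authorize_url(state: state, nonce: nonce)
  callback = "#{REDIRECT}?state=#{state}&code=#{SAMPLE_B2C_CODE}"
  code = parse_callback(callback, state)
  puts token_request(code)[:url]
  p jose_inspect(code)
end
```

Running it prints the authorize URL with `p=B2C_1_signin&...&scope=openid`, the token URL carrying the same policy, and `{:kind=>:jwe, :segments=>5, :header=>{"kid"=>"cpimcore_09252015", ...}}` for the sample code, which is why decoding the code as a JWT payload yields nothing human-readable.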
