@Alex, I already solved the issue. Everything is OK with FreeIPA; the problem was in 
Azure and my user. I discovered that I didn't provide you a full log trace, look:

---
Jan 19 12:43:54 server.ipademo.local systemd[1]: Started 
[email protected] - ipa-otpd service (PID 9209/UID 0).
Jan 19 12:43:54 server.ipademo.local ipa-otpd[10326]: LDAP: 
ldapi://%2Frun%2Fslapd-IPADEMO-LOCAL.socket
Jan 19 12:43:54 server.ipademo.local ipa-otpd[10326]: [email protected]: 
request received
Jan 19 12:43:54 server.ipademo.local ipa-otpd[10326]: [email protected]: 
user query start
Jan 19 12:43:54 server.ipademo.local ipa-otpd[10326]: [email protected]: 
user query end: uid=testuser1,cn=users,cn=accounts,dc=ipademo,dc=local
Jan 19 12:43:54 server.ipademo.local ipa-otpd[10326]: [email protected]: 
idp query start: cn=ad,cn=idp,dc=ipademo,dc=local
Jan 19 12:43:54 server.ipademo.local ipa-otpd[10326]: [email protected]: 
idp query end: ad
Jan 19 12:43:54 server.ipademo.local ipa-otpd[10326]: [email protected]: 
oauth2 start: Get access token
Jan 19 12:43:54 server.ipademo.local oidc_child[10327]: oidc_child started.
Jan 19 12:43:54 server.ipademo.local oidc_child[10327]: Running with effective 
IDs: [0][0].
Jan 19 12:43:54 server.ipademo.local oidc_child[10327]: Running with real IDs 
[0][0].
Jan 19 12:43:54 server.ipademo.local oidc_child[10327]: JSON device code: 
[{"device_code":"FAQABAAEAAAD--DLA3VO7QrddgJg7WevrVeGTrifPi7MvhMsbZHElEAep-RrQ6ugCw9azyKQ1SbtERj45feztBm3_bYlJdeRxnNH7MizhIRptjHjtfhX2E5-ku1p8gadDd-HrO_AF-OVokpIZMUHJuxTGlOB8HIMB20zkDAGmNPZ2paXbOsXEswTifEesP2Qnqpb9o_rUnw8gAA","expires_in":900,"interval":5}].
Jan 19 12:43:54 server.ipademo.local oidc_child[10327]: Result does not contain 
the 'user_code' string.
Jan 19 12:43:54 server.ipademo.local oidc_child[10327]: Result does not contain 
the 'verification_uri' string.
Jan 19 12:43:54 server.ipademo.local oidc_child[10327]: Result does not contain 
the 'verification_url' string.
Jan 19 12:43:54 server.ipademo.local oidc_child[10327]: Result does not contain 
the 'verification_uri_complete' string.
Jan 19 12:43:54 server.ipademo.local oidc_child[10327]: Result does not contain 
the 'message' string.
Jan 19 12:43:54 server.ipademo.local oidc_child[10327]: device_code: 
[FAQABAAEAAAD--DLA3VO7QrddgJg7WevrVeGTrifPi7MvhMsbZHElEAep-RrQ6ugCw9azyKQ1SbtERj45feztBm3_bYlJdeRxnNH7MizhIRptjHjtfhX2E5-ku1p8gadDd-HrO_AF-OVokpIZMUHJuxTGlOB8HIMB20zkDAGmNPZ2paXbOsXEswTifEesP2Qnqpb9o_rUnw8gAA].
Jan 19 12:43:54 server.ipademo.local oidc_child[10327]: expires_in: [900].
Jan 19 12:43:54 server.ipademo.local oidc_child[10327]: interval: [5].
Jan 19 12:43:54 server.ipademo.local oidc_child[10327]: POST data: 
[grant_type=urn:ietf:params:oauth:grant-type:device_code&client_id=cbc0bcde-3e55-4b12-9916-bdda0b706953&device_code=FAQABAAEAAAD--DLA3VO7QrddgJg7WevrVeGTrifPi7MvhMsbZHElEAep-RrQ6ugCw9azyKQ1SbtERj45feztBm3_bYlJdeRxnNH7MizhIRptjHjtfhX2E5-ku1p8gadDd-HrO_AF-OVokpIZMUHJuxTGlOB8HIMB20zkDAGmNPZ2paXbOsXEswTifEesP2Qnqpb9o_rUnw8gAA].
Jan 19 12:43:54 server.ipademo.local oidc_child[10327]: libcurl: *   Trying 
20.190.151.134:443...
Jan 19 12:43:54 server.ipademo.local oidc_child[10327]: libcurl: * Connected to 
login.microsoftonline.com (20.190.151.134) port 443 (#0)
Jan 19 12:43:54 server.ipademo.local oidc_child[10327]: libcurl: * ALPN: offers 
h2
Jan 19 12:43:54 server.ipademo.local oidc_child[10327]: libcurl: * ALPN: offers 
http/1.1
Jan 19 12:43:54 server.ipademo.local oidc_child[10327]: libcurl: *  CAfile: 
/etc/pki/tls/certs/ca-bundle.crt
Jan 19 12:43:54 server.ipademo.local oidc_child[10327]: libcurl: *  CApath: none
Jan 19 12:43:54 server.ipademo.local oidc_child[10327]: libcurl: * TLSv1.0 
(OUT), TLS header, Certificate Status (22):
Jan 19 12:43:54 server.ipademo.local oidc_child[10327]: libcurl: * TLSv1.3 
(OUT), TLS handshake, Client hello (1):
Jan 19 12:43:54 server.ipademo.local oidc_child[10327]: libcurl: * TLSv1.2 
(IN), TLS header, Certificate Status (22):
Jan 19 12:43:54 server.ipademo.local oidc_child[10327]: libcurl: * TLSv1.3 
(IN), TLS handshake, Server hello (2):
Jan 19 12:43:54 server.ipademo.local oidc_child[10327]: libcurl: * TLSv1.2 
(IN), TLS handshake, Certificate (11):
Jan 19 12:43:54 server.ipademo.local oidc_child[10327]: libcurl: * TLSv1.2 
(IN), TLS handshake, Server key exchange (12):
Jan 19 12:43:54 server.ipademo.local oidc_child[10327]: libcurl: * TLSv1.2 
(IN), TLS handshake, Server finished (14):
Jan 19 12:43:54 server.ipademo.local oidc_child[10327]: libcurl: * TLSv1.2 
(OUT), TLS header, Certificate Status (22):
Jan 19 12:43:54 server.ipademo.local oidc_child[10327]: libcurl: * TLSv1.2 
(OUT), TLS handshake, Client key exchange (16):
Jan 19 12:43:54 server.ipademo.local oidc_child[10327]: libcurl: * TLSv1.2 
(OUT), TLS header, Finished (20):
Jan 19 12:43:54 server.ipademo.local oidc_child[10327]: libcurl: * TLSv1.2 
(OUT), TLS change cipher, Change cipher spec (1):
Jan 19 12:43:54 server.ipademo.local oidc_child[10327]: libcurl: * TLSv1.2 
(OUT), TLS header, Certificate Status (22):
Jan 19 12:43:54 server.ipademo.local oidc_child[10327]: libcurl: * TLSv1.2 
(OUT), TLS handshake, Finished (20):
Jan 19 12:43:54 server.ipademo.local oidc_child[10327]: libcurl: * TLSv1.2 
(IN), TLS header, Finished (20):
Jan 19 12:43:54 server.ipademo.local oidc_child[10327]: libcurl: * TLSv1.2 
(IN), TLS header, Certificate Status (22):
Jan 19 12:43:54 server.ipademo.local oidc_child[10327]: libcurl: * TLSv1.2 
(IN), TLS handshake, Finished (20):
Jan 19 12:43:54 server.ipademo.local oidc_child[10327]: libcurl: * SSL 
connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
Jan 19 12:43:54 server.ipademo.local oidc_child[10327]: libcurl: * ALPN: server 
did not agree on a protocol. Uses default.
Jan 19 12:43:54 server.ipademo.local oidc_child[10327]: libcurl: * Server 
certificate:
Jan 19 12:43:54 server.ipademo.local oidc_child[10327]: libcurl: *  subject: 
C=US; ST=Washington; L=Redmond; O=Microsoft Corporation; 
CN=stamp2.login.microsoftonline.com
Jan 19 12:43:54 server.ipademo.local oidc_child[10327]: libcurl: *  start date: 
Nov 23 00:00:00 2022 GMT
Jan 19 12:43:54 server.ipademo.local oidc_child[10327]: libcurl: *  expire 
date: Nov 23 23:59:59 2023 GMT
Jan 19 12:43:54 server.ipademo.local oidc_child[10327]: libcurl: *  
subjectAltName: host "login.microsoftonline.com" matched cert's 
"login.microsoftonline.com"
Jan 19 12:43:54 server.ipademo.local oidc_child[10327]: libcurl: *  issuer: 
C=US; O=DigiCert Inc; CN=DigiCert SHA2 Secure Server CA
Jan 19 12:43:54 server.ipademo.local oidc_child[10327]: libcurl: *  SSL 
certificate verify ok.
Jan 19 12:43:54 server.ipademo.local oidc_child[10327]: libcurl: * TLSv1.2 
(OUT), TLS header, Supplemental data (23):
Jan 19 12:43:54 server.ipademo.local oidc_child[10327]: libcurl: > POST 
/XXXXX.io/oauth2/v2.0/token HTTP/1.1
                                                        Host: 
login.microsoftonline.com
                                                        User-Agent: SSSD 
oidc_child/0.0
                                                        Accept: application/json
                                                        Content-Length: 322
                                                        Content-Type: 
application/x-www-form-urlencoded
Jan 19 12:43:54 server.ipademo.local oidc_child[10327]: libcurl: * TLSv1.2 
(IN), TLS header, Supplemental data (23):
Jan 19 12:43:54 server.ipademo.local oidc_child[10327]: libcurl: * Mark bundle 
as not supporting multiuse
Jan 19 12:43:54 server.ipademo.local oidc_child[10327]: libcurl: < HTTP/1.1 200 
OK
Jan 19 12:43:54 server.ipademo.local oidc_child[10327]: libcurl: < 
Cache-Control: no-store, no-cache
Jan 19 12:43:54 server.ipademo.local oidc_child[10327]: libcurl: < Pragma: 
no-cache
Jan 19 12:43:54 server.ipademo.local oidc_child[10327]: libcurl: < 
Content-Type: application/json; charset=utf-8
Jan 19 12:43:54 server.ipademo.local oidc_child[10327]: libcurl: < Expires: -1
Jan 19 12:43:54 server.ipademo.local oidc_child[10327]: libcurl: < 
Strict-Transport-Security: max-age=31536000; includeSubDomains
Jan 19 12:43:54 server.ipademo.local oidc_child[10327]: libcurl: < 
X-Content-Type-Options: nosniff
Jan 19 12:43:54 server.ipademo.local oidc_child[10327]: libcurl: < P3P: CP="DSP 
CUR OTPi IND OTRi ONL FIN"
Jan 19 12:43:54 server.ipademo.local oidc_child[10327]: libcurl: < 
x-ms-request-id: 3066bf60-3735-4944-b6d9-2358a30fd200
Jan 19 12:43:54 server.ipademo.local oidc_child[10327]: libcurl: < 
x-ms-ests-server: 2.1.14357.8 - EUS ProdSlices
Jan 19 12:43:54 server.ipademo.local oidc_child[10327]: libcurl: < 
X-XSS-Protection: 0
Jan 19 12:43:54 server.ipademo.local oidc_child[10327]: libcurl: < Set-Cookie: 
fpc=Am0BIXEAbqpOvjxw0yOzSA8uBob9AQAAAPojW9sOAAAA; expires=Sat, 18-Feb-2023 
11:43:54 GMT; path=/; secure; HttpOnly; SameSite=None
Jan 19 12:43:54 server.ipademo.local oidc_child[10327]: libcurl: < Set-Cookie: 
x-ms-gateway-slice=estsfd; path=/; secure; samesite=none; httponly
Jan 19 12:43:54 server.ipademo.local oidc_child[10327]: libcurl: < Set-Cookie: 
stsservicecookie=estsfd; path=/; secure; samesite=none; httponly
Jan 19 12:43:54 server.ipademo.local oidc_child[10327]: libcurl: < Date: Thu, 
19 Jan 2023 11:43:54 GMT
Jan 19 12:43:54 server.ipademo.local oidc_child[10327]: libcurl: < 
Content-Length: 3394
Jan 19 12:43:54 server.ipademo.local oidc_child[10327]: libcurl: <
Jan 19 12:43:54 server.ipademo.local oidc_child[10327]: 
{"token_type":"Bearer","scope":"email openid 
profile","expires_in":3788,"ext_expires_in":3788,"access_token":"eyJ0eXAiOiJKV1QiLCJub25jZSI6InNBcDNncTBJZ096MF9jd1dsM0tfcmNicERKNm9aTVgtS25LU2lTVE1LejQiLCJhbGciOiJSUzI1NiIsIng1dCI6Ii1LSTNROW5OUjdiUm9meG1lWm9YcWJIWkdldyIsImtpZCI6Ii1LSTNROW5OUjdiUm9meG1lWm9YcWJIWkdldyJ9.eyJhdWQiOiIwMDAwMDAwMy0wMDAwLTAwMDAtYzAwMC0wMDAwMDAwMDAwMDAiLCJpc3MiOiJodHRwczovL3N0cy53aW5kb3dzLm5ldC8wM>
Jan 19 12:43:54 server.ipademo.local oidc_child[10327]: libcurl: * Connection 
#0 to host login.microsoftonline.com left intact
Jan 19 12:43:54 server.ipademo.local oidc_child[10327]: access_token: 
[eyJ0eXAiOiJKV1QiLCJub25jZSI6InNBcDNncTBJZ096MF9jd1dsM0tfcmNicERKNm9aTVgtS25LU2lTVE1LejQiLCJhbGciOiJSUzI1NiIsIng1dCI6Ii1LSTNROW5OUjdiUm9meG1lWm9YcWJIWkdldyIsImtpZCI6Ii1LSTNROW5OUjdiUm9meG1lWm9YcWJIWkdldyJ9.eyJhdWQiOiIwMDAwMDAwMy0wMDAwLTAwMDAtYzAwMC0wMDAwMDAwMDAwMDAiLCJpc3MiOiJodHRwczovL3N0cy53aW5kb3dzLm5ldC8wMDEwYTI4OS1jZjcxLTRiM2UtYWU1Mi01Zjk5NzhmMDU0MzkvIiwiaWF0IjoxNjc0MTI4MzM0LCJuYmYiOjE2NzQxMjgzMzQs>
Jan 19 12:43:54 server.ipademo.local oidc_child[10327]: id_token: 
[eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6Ii1LSTNROW5OUjdiUm9meG1lWm9YcWJIWkdldyJ9.eyJhdWQiOiJjYmMwYmNkZS0zZTU1LTRiMTItOTkxNi1iZGRhMGI3MDY5NTMiLCJpc3MiOiJodHRwczovL2xvZ2luLm1pY3Jvc29mdG9ubGluZS5jb20vMDAxMGEyODktY2Y3MS00YjNlLWFlNTItNWY5OTc4ZjA1NDM5L3YyLjAiLCJpYXQiOjE2NzQxMjgzMzQsIm5iZiI6MTY3NDEyODMzNCwiZXhwIjoxNjc0MTMyMjM0LCJhaW8iOiJBV1FBbS84VEFBQUE5YlJhcThUY1JON0hjNXdCRThKUG02eHZ4TGJxai9KcWF6UVVVbzJtTnVM>
Jan 19 12:43:54 server.ipademo.local oidc_child[10327]: libcurl: *   Trying 
20.190.151.7:443...
Jan 19 12:43:54 server.ipademo.local oidc_child[10327]: libcurl: * Connected to 
login.microsoftonline.com (20.190.151.7) port 443 (#0)
Jan 19 12:43:54 server.ipademo.local oidc_child[10327]: libcurl: * ALPN: offers 
h2
Jan 19 12:43:54 server.ipademo.local oidc_child[10327]: libcurl: * ALPN: offers 
http/1.1
Jan 19 12:43:54 server.ipademo.local oidc_child[10327]: libcurl: *  CAfile: 
/etc/pki/tls/certs/ca-bundle.crt
Jan 19 12:43:54 server.ipademo.local oidc_child[10327]: libcurl: *  CApath: none
Jan 19 12:43:54 server.ipademo.local oidc_child[10327]: libcurl: * TLSv1.0 
(OUT), TLS header, Certificate Status (22):
Jan 19 12:43:54 server.ipademo.local oidc_child[10327]: libcurl: * TLSv1.3 
(OUT), TLS handshake, Client hello (1):
Jan 19 12:43:54 server.ipademo.local oidc_child[10327]: libcurl: * TLSv1.2 
(IN), TLS header, Certificate Status (22):
Jan 19 12:43:54 server.ipademo.local oidc_child[10327]: libcurl: * TLSv1.3 
(IN), TLS handshake, Server hello (2):
Jan 19 12:43:54 server.ipademo.local oidc_child[10327]: libcurl: * TLSv1.2 
(IN), TLS handshake, Certificate (11):
Jan 19 12:43:54 server.ipademo.local oidc_child[10327]: libcurl: * TLSv1.2 
(IN), TLS handshake, Server key exchange (12):
Jan 19 12:43:54 server.ipademo.local oidc_child[10327]: libcurl: * TLSv1.2 
(IN), TLS handshake, Server finished (14):
Jan 19 12:43:54 server.ipademo.local oidc_child[10327]: libcurl: * TLSv1.2 
(OUT), TLS header, Certificate Status (22):
Jan 19 12:43:54 server.ipademo.local oidc_child[10327]: libcurl: * TLSv1.2 
(OUT), TLS handshake, Client key exchange (16):
Jan 19 12:43:54 server.ipademo.local oidc_child[10327]: libcurl: * TLSv1.2 
(OUT), TLS header, Finished (20):
Jan 19 12:43:54 server.ipademo.local oidc_child[10327]: libcurl: * TLSv1.2 
(OUT), TLS change cipher, Change cipher spec (1):
Jan 19 12:43:54 server.ipademo.local oidc_child[10327]: libcurl: * TLSv1.2 
(OUT), TLS header, Certificate Status (22):
Jan 19 12:43:54 server.ipademo.local oidc_child[10327]: libcurl: * TLSv1.2 
(OUT), TLS handshake, Finished (20):
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: libcurl: * TLSv1.2 
(IN), TLS header, Finished (20):
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: libcurl: * TLSv1.2 
(IN), TLS header, Certificate Status (22):
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: libcurl: * TLSv1.2 
(IN), TLS handshake, Finished (20):
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: libcurl: * SSL 
connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: libcurl: * ALPN: server 
did not agree on a protocol. Uses default.
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: libcurl: * Server 
certificate:
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: libcurl: *  subject: 
C=US; ST=Washington; L=Redmond; O=Microsoft Corporation; 
CN=stamp2.login.microsoftonline.com
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: libcurl: *  start date: 
Nov 23 00:00:00 2022 GMT
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: libcurl: *  expire 
date: Nov 23 23:59:59 2023 GMT
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: libcurl: *  
subjectAltName: host "login.microsoftonline.com" matched cert's 
"login.microsoftonline.com"
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: libcurl: *  issuer: 
C=US; O=DigiCert Inc; CN=DigiCert SHA2 Secure Server CA
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: libcurl: *  SSL 
certificate verify ok.
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: libcurl: * TLSv1.2 
(OUT), TLS header, Supplemental data (23):
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: libcurl: > GET 
/common/discovery/v2.0/keys HTTP/1.1
                                                        Host: 
login.microsoftonline.com
                                                        User-Agent: SSSD 
oidc_child/0.0
                                                        Accept: application/json
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: libcurl: * TLSv1.2 
(IN), TLS header, Supplemental data (23):
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: libcurl: * Mark bundle 
as not supporting multiuse
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: libcurl: < HTTP/1.1 200 
OK
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: libcurl: < 
Cache-Control: max-age=86400, private
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: libcurl: < 
Content-Type: application/json; charset=utf-8
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: libcurl: < 
Strict-Transport-Security: max-age=31536000; includeSubDomains
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: libcurl: < 
X-Content-Type-Options: nosniff
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: libcurl: < 
Access-Control-Allow-Origin: *
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: libcurl: < 
Access-Control-Allow-Methods: GET, OPTIONS
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: libcurl: < P3P: CP="DSP 
CUR OTPi IND OTRi ONL FIN"
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: libcurl: < 
x-ms-request-id: 1b6d0b1b-3ec5-4d5b-ace6-3fb5fb490a01
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: libcurl: < 
x-ms-ests-server: 2.1.14357.8 - NCUS ProdSlices
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: libcurl: < 
X-XSS-Protection: 0
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: libcurl: < Set-Cookie: 
fpc=Arysj0mnaIxNmRexcn_Agxk; expires=Sat, 18-Feb-2023 11:43:55 GMT; path=/; 
secure; HttpOnly; SameSite=None
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: libcurl: < Set-Cookie: 
esctx=PAQABAAEAAAD--DLA3VO7QrddgJg7Wevr2Ih4HkrILZKdufDCKOMkFqEL0ipHQO_KJOjytL4Bekhn2JvMua7p3etqUulUwiz0nwPNeEPX-Urk7xBfrp7vgRUg6D4k_ngUwN7Is2WLeh8APXj3VzEtzqEDj2WDMHnmnhebwpt8jfKon5jHazAfLOqTnP4xkB_20xRxEPwv3Y8gAA;
 domain=.login.microsoftonline.com; path=/; secure; HttpOnly; SameSite=None
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: libcurl: < Set-Cookie: 
x-ms-gateway-slice=estsfd; path=/; secure; samesite=none; httponly
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: libcurl: < Set-Cookie: 
stsservicecookie=estsfd; path=/; secure; samesite=none; httponly
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: libcurl: < Date: Thu, 
19 Jan 2023 11:43:55 GMT
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: libcurl: < 
Content-Length: 15922
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: libcurl: <
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: 
{"keys":[{"kty":"RSA","use":"sig","kid":"nOo3ZDrODXEK1jKWhXslHR_KXEg","x5t":"nOo3ZDrODXEK1jKWhXslHR_KXEg","n":"oaLLT9hkcSj2tGfZsjbu7Xz1Krs0qEicXPmEsJKOBQHauZ_kRM1HdEkgOJbUznUspE6xOuOSXjlzErqBxXAu4SCvcvVOCYG2v9G3-uIrLF5dstD0sYHBo1VomtKxzF90Vslrkn6rNQgUGIWgvuQTxm1uRklYFPEcTIRw0LnYknzJ06GC9ljKR617wABVrZNkBuDgQKj37qcyxoaxIGdxEcmVFZXJyrxDgdXh9owRmZn6LIJlGjZ9m59emfuwnBnsIQG7DirJwe9SXrLXnexRQWqyzCdkYaOqkpKrsjuxUj2-MHX31Fqsd>
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: libcurl: * TLSv1.2 
(IN), TLS header, Supplemental data (23):
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: 
ETnF8TctGU87R4N9YxmNWoIwWQYDVR0jBFIwUIAU57BsETnF8TctGU87R4N9YxmNWoKhLaQrMCkxJzAlBgNVBAMTHkxpdmUgSUQgU1RTIFNpZ25pbmcgUHVibGljIEtleYIJAN2X7t+ckntxMAsGA1UdDwQEAwIBxjANBgkqhkiG9w0BAQsFAAOCAQEAcsk+LGlTzSQdnh3mtCBMNCGZCiTYvFcqenwjDf1/c4U+Yi7fxYmAXm7wVLX+GVMxpLPpzMuVOXztGoPMUgWH59CFWhsMvZbIUKsd8xbEKmls1ZIgxRYdagcWTGeBET6XIoF6Ba57BhRCxFPslhIpg27/HnfHtTdGfjRpafNbBYvC/9PL/s2E9U4AklpUn2W19UiJLRFgXGPjYPLW0j1Od0qzHHJ84saclVwvuOrp>
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: libcurl: * Connection 
#0 to host login.microsoftonline.com left intact
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: Failed to verify 
access_token.
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: libcurl: *   Trying 
20.190.130.40:443...
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: libcurl: * Connected to 
graph.microsoft.com (20.190.130.40) port 443 (#0)
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: libcurl: * ALPN: offers 
h2
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: libcurl: * ALPN: offers 
http/1.1
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: libcurl: *  CAfile: 
/etc/pki/tls/certs/ca-bundle.crt
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: libcurl: *  CApath: none
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: libcurl: * TLSv1.0 
(OUT), TLS header, Certificate Status (22):
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: libcurl: * TLSv1.3 
(OUT), TLS handshake, Client hello (1):
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: libcurl: * TLSv1.2 
(IN), TLS header, Certificate Status (22):
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: libcurl: * TLSv1.3 
(IN), TLS handshake, Server hello (2):
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: libcurl: * TLSv1.2 
(OUT), TLS header, Finished (20):
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: libcurl: * TLSv1.3 
(OUT), TLS change cipher, Change cipher spec (1):
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: libcurl: * TLSv1.2 
(OUT), TLS header, Certificate Status (22):
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: libcurl: * TLSv1.3 
(OUT), TLS handshake, Client hello (1):
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: libcurl: * TLSv1.2 
(IN), TLS header, Finished (20):
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: libcurl: * TLSv1.2 
(IN), TLS header, Certificate Status (22):
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: libcurl: * TLSv1.3 
(IN), TLS handshake, Server hello (2):
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: libcurl: * TLSv1.2 
(IN), TLS header, Supplemental data (23):
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: libcurl: * TLSv1.3 
(IN), TLS handshake, Encrypted Extensions (8):
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: libcurl: * TLSv1.3 
(IN), TLS handshake, Certificate (11):
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: libcurl: * TLSv1.3 
(IN), TLS handshake, CERT verify (15):
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: libcurl: * TLSv1.3 
(IN), TLS handshake, Finished (20):
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: libcurl: * TLSv1.2 
(OUT), TLS header, Supplemental data (23):
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: libcurl: * TLSv1.3 
(OUT), TLS handshake, Finished (20):
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: libcurl: * SSL 
connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: libcurl: * ALPN: server 
did not agree on a protocol. Uses default.
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: libcurl: * Server 
certificate:
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: libcurl: *  subject: 
C=US; ST=WA; L=Redmond; O=Microsoft Corporation; CN=graph.microsoft.com
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: libcurl: *  start date: 
Jul 11 21:23:10 2022 GMT
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: libcurl: *  expire 
date: Jul  6 21:23:10 2023 GMT
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: libcurl: *  
subjectAltName: host "graph.microsoft.com" matched cert's "graph.microsoft.com"
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: libcurl: *  issuer: 
C=US; O=Microsoft Corporation; CN=Microsoft Azure TLS Issuing CA 02
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: libcurl: *  SSL 
certificate verify ok.
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: libcurl: * Server auth 
using Bearer with user ''
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: libcurl: * TLSv1.2 
(OUT), TLS header, Supplemental data (23):
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: libcurl: > GET 
/oidc/userinfo HTTP/1.1
                                                        Host: 
graph.microsoft.com
                                                        Authorization: Bearer 
eyJ0eXAiOiJKV1QiLCJub25jZSI6InNBcDNncTBJZ096MF9jd1dsM0tfcmNicERKNm9aTVgtS25LU2lTVE1LejQiLCJhbGciOiJSUzI1NiIsIng1dCI6Ii1LSTNROW5OUjdiUm9meG1lWm9YcWJIWkdldyIsImtpZCI6Ii1LSTNROW5OUjdiUm9meG1lWm9YcWJIWkdldyJ9.eyJhdWQiOiIwMDAwMDAwMy0wMDAwLTAwMDAtYzAwMC0wMDAwMDAwMDAwMDAiLCJpc3MiOiJodHRwczovL3N0cy53aW5kb3dzLm5ldC8wMDEwYTI4OS1jZjcxLTRiM2UtYWU1Mi01Zjk5NzhmMDU0MzkvIiwiaWF0IjoxNjc0MTI4MzM0LCJuYmYiOjE2NzQxM>
                                                        User-Agent: SSSD 
oidc_child/0.0
                                                        Accept: application/json
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: libcurl: * TLSv1.2 
(IN), TLS header, Supplemental data (23):
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: libcurl: * TLSv1.3 
(IN), TLS handshake, Newsession Ticket (4):
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: libcurl: * TLSv1.2 
(IN), TLS header, Supplemental data (23):
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: libcurl: * Mark bundle 
as not supporting multiuse
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: libcurl: < HTTP/1.1 200 
OK
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: libcurl: < 
Transfer-Encoding: chunked
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: libcurl: < 
Content-Type: application/json
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: libcurl: < 
Strict-Transport-Security: max-age=31536000
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: libcurl: < request-id: 
46f7c178-9ffa-4001-acfc-3fa517ada9c7
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: libcurl: < 
client-request-id: 46f7c178-9ffa-4001-acfc-3fa517ada9c7
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: libcurl: < 
x-ms-ags-diagnostic: {"ServerInfo":{"DataCenter":"East 
US","Slice":"E","Ring":"5","ScaleUnit":"000","RoleInstance":"BL4PEPF000001C9"}}
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: libcurl: < Date: Thu, 
19 Jan 2023 11:43:55 GMT
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: libcurl: <
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: 
{"sub":"KMO6l3C0F39e2ZO28BcGo7Aqx3kT1JCrDwh287mXWqU","name":"Sebastian 
XXXXX","family_name":"XXXXX","given_name":"Sebastian","picture":"https://graph.microsoft.com/v1.0/me/photo/$value"}
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: libcurl: * TLSv1.2 
(IN), TLS header, Supplemental data (23):
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: libcurl: * Connection 
#0 to host graph.microsoft.com left intact
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: access_token payload: 
[{"aud": "00000003-0000-0000-c000-000000000000", "iss": 
"https://sts.windows.net/0010a289-cf71-4b3e-ae52-5f9978f05439/", "iat": 
1674128334, "nbf": 1674128334, "exp": 1674132423, "acct": 0, "acr": "1", "aio": 
"AVQAq/8TAAAApKIln8F3TeHUUgda0lh8tzLnmU23I1JnsqsyaZVgaIReMccUUvk2TAxBWyqmQuh9vmngby/bH1cMvJdkO82C9eU7P309iW4U3sApKNrYMtk=",
 "amr": ["pwd", "mfa"], "app_displayname": "free-ipa", "appid": "cb>
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: User Principal: 
[[email protected]].
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: User oid: 
[df1e0f52-2e6b-4964-a359-f650500b822b].
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: User sub: 
[sRvW5pJWRedxM3tEgOAo7tOH8LSG6Aw_IbDX91-o7dk].
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: id_token payload: 
[{"aud": "cbc0bcde-3e55-4b12-9916-bdda0b706953", "iss": 
"https://login.microsoftonline.com/0010a289-cf71-4b3e-ae52-5f9978f05439/v2.0", 
"iat": 1674128334, "nbf": 1674128334, "exp": 1674132234, "aio": 
"AWQAm/8TAAAA9bRaq8TcRN7Hc5wBE8JPm6xvxLbqj/JqazQUUo2mNuL1c6x6f0X9+ZUTokEVfNVDnnoPEt77phP2A3WQRrEU0/Qe256Heht98S4Qa1e61elB65DAstw9a14fycDGtwFV",
 "rh": "0.ATUAiaIQAHHPPkuuUl-ZePBUOd68wMtVPhJLmRa92gtwaVM1AD>
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: User Principal: 
[(null)].
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: User oid: [(null)].
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: User sub: 
[KMO6l3C0F39e2ZO28BcGo7Aqx3kT1JCrDwh287mXWqU].
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: userinfo: [{"sub": 
"KMO6l3C0F39e2ZO28BcGo7Aqx3kT1JCrDwh287mXWqU", "name": "Sebastian XXXXX", 
"family_name": "XXXXX", "given_name": "Sebastian", "picture": 
"https://graph.microsoft.com/v1.0/me/photo/$value"}].
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: Failed to read 
attribute [email] from userinfo data.
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: No attribute to 
identify the user found.
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: Failed to get user 
identifier.
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: oidc_child failed!
Jan 19 12:43:55 server.ipademo.local ipa-otpd[10326]: [email protected]: 
Received: []
Jan 19 12:43:55 server.ipademo.local ipa-otpd[10326]: [email protected]: 
Failed to check access token reply.
Jan 19 12:43:55 server.ipademo.local ipa-otpd[10326]:   oauth2.c:088: Child 
finished with status [1].
Jan 19 12:43:55 server.ipademo.local ipa-otpd[10326]: [email protected]: 
sent: 0 data: 20
Jan 19 12:43:55 server.ipademo.local systemd[1]: 
/usr/lib/systemd/system/[email protected]:10: Standard output type syslog is 
obsolete, automatically updating to journal. Please update your unit file, and 
consider removing the setting altogether.
Jan 19 12:43:55 server.ipademo.local ipa-otpd[10326]: [email protected]: 
..sent: 20 data: 20
Jan 19 12:43:55 server.ipademo.local ipa-otpd[10326]: [email protected]: 
response sent: Access-Reject
Jan 19 12:43:55 server.ipademo.local ipa-otpd[10326]: Socket closed, shutting 
down...
Jan 19 12:43:55 server.ipademo.local systemd[1]: Started 
[email protected] - ipa-otpd service (PID 9209/UID 0).
Jan 19 12:43:55 server.ipademo.local systemd[1]: [email protected]: 
Deactivated successfully.
Jan 19 12:43:55 server.ipademo.local ipa-otpd[10331]: LDAP: 
ldapi://%2Frun%2Fslapd-IPADEMO-LOCAL.socket
Jan 19 12:43:55 server.ipademo.local ipa-otpd[10331]: [email protected]: 
request received
Jan 19 12:43:55 server.ipademo.local ipa-otpd[10331]: [email protected]: 
user query start
Jan 19 12:43:55 server.ipademo.local ipa-otpd[10331]: [email protected]: 
user query end: uid=testuser1,cn=users,cn=accounts,dc=ipademo,dc=local
Jan 19 12:43:55 server.ipademo.local ipa-otpd[10331]: [email protected]: 
idp query start: cn=ad,cn=idp,dc=ipademo,dc=local
Jan 19 12:43:55 server.ipademo.local ipa-otpd[10331]: [email protected]: 
idp query end: ad
Jan 19 12:43:55 server.ipademo.local ipa-otpd[10331]: [email protected]: 
oauth2 start: Get device code
Jan 19 12:43:55 server.ipademo.local oidc_child[10333]: oidc_child started.
Jan 19 12:43:55 server.ipademo.local oidc_child[10333]: Running with effective 
IDs: [0][0].
Jan 19 12:43:55 server.ipademo.local oidc_child[10333]: Running with real IDs 
[0][0].
Jan 19 12:43:55 server.ipademo.local oidc_child[10333]: POST data: 
[client_id=cbc0bcde-3e55-4b12-9916-bdda0b706953&scope=openid%20email].
Jan 19 12:43:55 server.ipademo.local oidc_child[10333]: libcurl: *   Trying 
20.190.151.67:443...
Jan 19 12:43:55 server.ipademo.local oidc_child[10333]: libcurl: * Connected to 
login.microsoftonline.com (20.190.151.67) port 443 (#0)
Jan 19 12:43:55 server.ipademo.local oidc_child[10333]: libcurl: * ALPN: offers 
h2
Jan 19 12:43:55 server.ipademo.local oidc_child[10333]: libcurl: * ALPN: offers 
http/1.1
Jan 19 12:43:55 server.ipademo.local oidc_child[10333]: libcurl: *  CAfile: 
/etc/pki/tls/certs/ca-bundle.crt
Jan 19 12:43:55 server.ipademo.local oidc_child[10333]: libcurl: *  CApath: none
Jan 19 12:43:55 server.ipademo.local oidc_child[10333]: libcurl: * TLSv1.0 
(OUT), TLS header, Certificate Status (22):
Jan 19 12:43:55 server.ipademo.local oidc_child[10333]: libcurl: * TLSv1.3 
(OUT), TLS handshake, Client hello (1):
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: libcurl: * TLSv1.2 
(IN), TLS header, Certificate Status (22):
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: libcurl: * TLSv1.3 
(IN), TLS handshake, Server hello (2):
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: libcurl: * TLSv1.2 
(IN), TLS handshake, Certificate (11):
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: libcurl: * TLSv1.2 
(IN), TLS handshake, Server key exchange (12):
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: libcurl: * TLSv1.2 
(IN), TLS handshake, Server finished (14):
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: libcurl: * TLSv1.2 
(OUT), TLS header, Certificate Status (22):
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: libcurl: * TLSv1.2 
(OUT), TLS handshake, Client key exchange (16):
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: libcurl: * TLSv1.2 
(OUT), TLS header, Finished (20):
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: libcurl: * TLSv1.2 
(OUT), TLS change cipher, Change cipher spec (1):
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: libcurl: * TLSv1.2 
(OUT), TLS header, Certificate Status (22):
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: libcurl: * TLSv1.2 
(OUT), TLS handshake, Finished (20):
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: libcurl: * TLSv1.2 
(IN), TLS header, Finished (20):
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: libcurl: * TLSv1.2 
(IN), TLS header, Certificate Status (22):
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: libcurl: * TLSv1.2 
(IN), TLS handshake, Finished (20):
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: libcurl: * SSL 
connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: libcurl: * ALPN: server 
did not agree on a protocol. Uses default.
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: libcurl: * Server 
certificate:
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: libcurl: *  subject: 
C=US; ST=Washington; L=Redmond; O=Microsoft Corporation; 
CN=stamp2.login.microsoftonline.com
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: libcurl: *  start date: 
Nov 23 00:00:00 2022 GMT
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: libcurl: *  expire 
date: Nov 23 23:59:59 2023 GMT
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: libcurl: *  
subjectAltName: host "login.microsoftonline.com" matched cert's 
"login.microsoftonline.com"
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: libcurl: *  issuer: 
C=US; O=DigiCert Inc; CN=DigiCert SHA2 Secure Server CA
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: libcurl: *  SSL 
certificate verify ok.
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: libcurl: * TLSv1.2 
(OUT), TLS header, Supplemental data (23):
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: libcurl: > POST 
/XXXXX.io/oauth2/v2.0/devicecode HTTP/1.1
                                                        Host: 
login.microsoftonline.com
                                                        User-Agent: SSSD 
oidc_child/0.0
                                                        Accept: application/json
                                                        Content-Length: 67
                                                        Content-Type: 
application/x-www-form-urlencoded
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: libcurl: * TLSv1.2 
(IN), TLS header, Supplemental data (23):
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: libcurl: * Mark bundle 
as not supporting multiuse
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: libcurl: < HTTP/1.1 200 
OK
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: libcurl: < 
Cache-Control: no-store, no-cache
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: libcurl: < Pragma: 
no-cache
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: libcurl: < 
Content-Type: application/json; charset=utf-8
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: libcurl: < Expires: -1
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: libcurl: < 
Strict-Transport-Security: max-age=31536000; includeSubDomains
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: libcurl: < 
X-Content-Type-Options: nosniff
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: libcurl: < P3P: CP="DSP 
CUR OTPi IND OTRi ONL FIN"
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: libcurl: < 
x-ms-request-id: 87944eb0-53d5-43ad-a0c0-3141ba791801
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: libcurl: < 
x-ms-ests-server: 2.1.14357.8 - WUS2 ProdSlices
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: libcurl: < 
X-XSS-Protection: 0
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: libcurl: < Set-Cookie: 
fpc=At8Y02i5S9hDrVIieqUMBAxFIKkQAQAAAPsjW9sOAAAA; expires=Sat, 18-Feb-2023 
11:43:56 GMT; path=/; secure; HttpOnly; SameSite=None
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: libcurl: < Set-Cookie: 
esctx=PAQABAAEAAAD--DLA3VO7QrddgJg7Wevrq2TIFXGtf8VDx-wy3moL6Ds0P-yS0mbtrMDWTEdSXpnUcHMKHcX0fS3ruZ6ZbExpDfasPDY2GTEYOvAElE4MTSZ36WJskz4Q_1PPWw7nl6F2TTBgk_GCf_Wl_5B7FFrekNeGF0pLat2Fb_ZUXVFDuEFHlw4-DanomQcHmzm25P0gAA;
 domain=.login.microsoftonline.com; path=/; secure; HttpOnly; SameSite=None
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: libcurl: < Set-Cookie: 
x-ms-gateway-slice=estsfd; path=/; secure; samesite=none; httponly
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: libcurl: < Set-Cookie: 
stsservicecookie=estsfd; path=/; secure; samesite=none; httponly
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: libcurl: < Date: Thu, 
19 Jan 2023 11:43:55 GMT
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: libcurl: < 
Content-Length: 473
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: libcurl: <
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: 
{"user_code":"R33ETTH5G","device_code":"RAQABAAEAAAD--DLA3VO7QrddgJg7WevrOJG3ajvhUG4cDhc-l3tniyv54PEfenfmBtB1POSei6hEC3TQLyKowO89sKjXSAzc9jE5Zy9DFQ0gQ9FAePlVt7gtWYY_au8Vm03gsq-ufVOZwpNV4wxVDNy9qOe_ErIoLDB7xNJ4btgAwUMUXdJth22shXU74vpFw-fmSoXK-PIgAA","verification_uri":"https://microsoft.com/devicelogin","expires_in":900,"interval":5,"message":"To
 sign in, use a web browser to open the page https://microsoft.com/device>
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: libcurl: * Connection 
#0 to host login.microsoftonline.com left intact
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: Result does not contain 
the 'verification_uri_complete' string.
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: user_code: [R33ETTH5G].
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: verification_uri: 
[https://microsoft.com/devicelogin].
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: 
verification_uri_complete: [-].
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: message: [To sign in, 
use a web browser to open the page https://microsoft.com/devicelogin and enter 
the code R33ETTH5G to authenticate.].
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: device_code: 
[RAQABAAEAAAD--DLA3VO7QrddgJg7WevrOJG3ajvhUG4cDhc-l3tniyv54PEfenfmBtB1POSei6hEC3TQLyKowO89sKjXSAzc9jE5Zy9DFQ0gQ9FAePlVt7gtWYY_au8Vm03gsq-ufVOZwpNV4wxVDNy9qOe_ErIoLDB7xNJ4btgAwUMUXdJth22shXU74vpFw-fmSoXK-PIgAA].
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: expires_in: [900].
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: interval: [5].
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: POST data: 
[grant_type=urn:ietf:params:oauth:grant-type:device_code&client_id=cbc0bcde-3e55-4b12-9916-bdda0b706953&device_code=RAQABAAEAAAD--DLA3VO7QrddgJg7WevrOJG3ajvhUG4cDhc-l3tniyv54PEfenfmBtB1POSei6hEC3TQLyKowO89sKjXSAzc9jE5Zy9DFQ0gQ9FAePlVt7gtWYY_au8Vm03gsq-ufVOZwpNV4wxVDNy9qOe_ErIoLDB7xNJ4btgAwUMUXdJth22shXU74vpFw-fmSoXK-PIgAA].
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: libcurl: *   Trying 
20.190.151.9:443...
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: libcurl: * Connected to 
login.microsoftonline.com (20.190.151.9) port 443 (#0)
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: libcurl: * ALPN: offers 
h2
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: libcurl: * ALPN: offers 
http/1.1
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: libcurl: *  CAfile: 
/etc/pki/tls/certs/ca-bundle.crt
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: libcurl: *  CApath: none
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: libcurl: * TLSv1.0 
(OUT), TLS header, Certificate Status (22):
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: libcurl: * TLSv1.3 
(OUT), TLS handshake, Client hello (1):
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: libcurl: * TLSv1.2 
(IN), TLS header, Certificate Status (22):
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: libcurl: * TLSv1.3 
(IN), TLS handshake, Server hello (2):
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: libcurl: * TLSv1.2 
(IN), TLS handshake, Certificate (11):
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: libcurl: * TLSv1.2 
(IN), TLS handshake, Server key exchange (12):
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: libcurl: * TLSv1.2 
(IN), TLS handshake, Server finished (14):
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: libcurl: * TLSv1.2 
(OUT), TLS header, Certificate Status (22):
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: libcurl: * TLSv1.2 
(OUT), TLS handshake, Client key exchange (16):
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: libcurl: * TLSv1.2 
(OUT), TLS header, Finished (20):
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: libcurl: * TLSv1.2 
(OUT), TLS change cipher, Change cipher spec (1):
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: libcurl: * TLSv1.2 
(OUT), TLS header, Certificate Status (22):
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: libcurl: * TLSv1.2 
(OUT), TLS handshake, Finished (20):
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: libcurl: * TLSv1.2 
(IN), TLS header, Finished (20):
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: libcurl: * TLSv1.2 
(IN), TLS header, Certificate Status (22):
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: libcurl: * TLSv1.2 
(IN), TLS handshake, Finished (20):
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: libcurl: * SSL 
connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: libcurl: * ALPN: server 
did not agree on a protocol. Uses default.
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: libcurl: * Server 
certificate:
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: libcurl: *  subject: 
C=US; ST=Washington; L=Redmond; O=Microsoft Corporation; 
CN=stamp2.login.microsoftonline.com
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: libcurl: *  start date: 
Nov 23 00:00:00 2022 GMT
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: libcurl: *  expire 
date: Nov 23 23:59:59 2023 GMT
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: libcurl: *  
subjectAltName: host "login.microsoftonline.com" matched cert's 
"login.microsoftonline.com"
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: libcurl: *  issuer: 
C=US; O=DigiCert Inc; CN=DigiCert SHA2 Secure Server CA
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: libcurl: *  SSL 
certificate verify ok.
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: libcurl: * TLSv1.2 
(OUT), TLS header, Supplemental data (23):
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: libcurl: > POST 
/XXXXX.io/oauth2/v2.0/token HTTP/1.1
                                                        Host: 
login.microsoftonline.com
                                                        User-Agent: SSSD 
oidc_child/0.0
                                                        Accept: application/json
                                                        Content-Length: 322
                                                        Content-Type: 
application/x-www-form-urlencoded
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: libcurl: * TLSv1.2 
(IN), TLS header, Supplemental data (23):
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: libcurl: * Mark bundle 
as not supporting multiuse
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: libcurl: < HTTP/1.1 400 
Bad Request
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: libcurl: < 
Cache-Control: no-store, no-cache
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: libcurl: < Pragma: 
no-cache
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: libcurl: < 
Content-Type: application/json; charset=utf-8
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: libcurl: < Expires: -1
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: libcurl: < 
Strict-Transport-Security: max-age=31536000; includeSubDomains
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: libcurl: < 
X-Content-Type-Options: nosniff
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: libcurl: < P3P: CP="DSP 
CUR OTPi IND OTRi ONL FIN"
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: libcurl: < 
x-ms-request-id: a705ec7d-b8c2-4dd0-ab65-02aab5c03501
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: libcurl: < 
x-ms-ests-server: 2.1.14357.8 - NCUS ProdSlices
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: libcurl: < 
X-XSS-Protection: 0
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: libcurl: < Set-Cookie: 
fpc=AnhC60lvKVNGu2tHSa_e-eI; expires=Sat, 18-Feb-2023 11:43:56 GMT; path=/; 
secure; HttpOnly; SameSite=None
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: libcurl: < Set-Cookie: 
x-ms-gateway-slice=estsfd; path=/; secure; samesite=none; httponly
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: libcurl: < Set-Cookie: 
stsservicecookie=estsfd; path=/; secure; samesite=none; httponly
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: libcurl: < Date: Thu, 
19 Jan 2023 11:43:55 GMT
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: libcurl: < 
Content-Length: 510
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: libcurl: <
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: 
{"error":"authorization_pending","error_description":"AADSTS70016: OAuth 2.0 
device flow error. Authorization is pending. Continue polling.\r\nTrace ID: 
a705ec7d-b8c2-4dd0-ab65-02aab5c03501\r\nCorrelation ID: 
c9302003-2381-4244-bf1c-57b8ca28c908\r\nTimestamp: 2023-01-19 
11:43:56Z","error_codes":[70016],"timestamp":"2023-01-19 
11:43:56Z","trace_id":"a705ec7d-b8c2-4dd0-ab65-02aab5c03501","correlation_id":"c9302003-2381>
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: libcurl: * Connection 
#0 to host login.microsoftonline.com left intact
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: oidc_child finished 
successful!
Jan 19 12:43:56 server.ipademo.local ipa-otpd[10331]: [email protected]: 
Received: 
[{"device_code":"RAQABAAEAAAD--DLA3VO7QrddgJg7WevrOJG3ajvhUG4cDhc-l3tniyv54PEfenfmBtB1POSei6hEC3TQLyKowO89sKjXSAzc9jE5Zy9DFQ0gQ9FAePlVt7gtWYY_au8Vm03gsq-ufVOZwpNV4wxVDNy9qOe_ErIoLDB7xNJ4btgAwUMUXdJth22shXU74vpFw-fmSoXK-PIgAA","expires_in":900,"interval":5}
Jan 19 12:43:56 server.ipademo.local ipa-otpd[10331]: oauth2 
{"verification_uri": "https://microsoft.com/devicelogin", "user_code": 
"R33ETTH5G"}
Jan 19 12:43:56 server.ipademo.local ipa-otpd[10331]: ]
Jan 19 12:43:56 server.ipademo.local ipa-otpd[10331]:   oauth2.c:088: Child 
finished with status [0].
Jan 19 12:43:56 server.ipademo.local ipa-otpd[10331]: [email protected]: 
sent: 0 data: 371
Jan 19 12:43:56 server.ipademo.local ipa-otpd[10331]: [email protected]: 
..sent: 371 data: 371
Jan 19 12:43:56 server.ipademo.local ipa-otpd[10331]: [email protected]: 
response sent: Access-Challenge
Jan 19 12:43:56 server.ipademo.local ipa-otpd[10331]: Socket closed, shutting 
down...
Jan 19 12:43:56 server.ipademo.local systemd[1]: [email protected]: 
Deactivated successfully.
---

The important part is here:

---
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: userinfo: [{"sub": 
"KMO6l3C0F39e2ZO28BcGo7Aqx3kT1JCrDwh287mXWqU", "name": "Sebastian XXXXX", 
"family_name": "XXXXX", "given_name": "Sebastian", "picture": 
"https://graph.microsoft.com/v1.0/me/photo/$value"}].
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: Failed to read 
attribute [email] from userinfo data.
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: No attribute to 
identify the user found.
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: Failed to get user 
identifier.
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: oidc_child failed!
----

As I discovered, I didn't provide the email attribute for my user in Azure AD, 
which seems odd to me as it is not a required field, but once I provided it in 
Azure everything started working again. So that is a very important step in the 
whole process of configuration.

I was confused by the oidc_behaviour, which runs the whole flow again with a new 
device code and then gives us HTTP/1.1 400 Bad Request. I didn't check the 
previous logs as I thought that was the start of the request; then I looked at 
the timestamps and realized there is much more before this second attempt.

So it looks like the flow was:

1. prompt with device ID
2. authorization with my Azure AD account
3. get an error from Azure due to the lack of email attribute in userinfo
4. further POSTs are made with a different device ID, which are not prompted 
on the command line
5. error 400 Bad Request from step 4, not from step 3

Thank you all for your help. For now this case is solved for me; right now I 
will take another deep dive to configure other stuff.
_______________________________________________
FreeIPA-users mailing list -- [email protected]
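
Added example (not part of the original post, and not FreeIPA or SSSD code): a small Python triage script that groups oidc_child journal lines by PID, so the run that actually failed is separated from a later run whose HTTP 400 is only the device-flow `authorization_pending` poll response. The sample log is constructed from the message formats quoted above (unwrapped, values replaced with placeholders); the function names are hypothetical.

```python
import re

# Constructed sample modelled on the journal lines in the post (unwrapped, placeholder values).
SAMPLE = """\
Jan 19 12:43:54 server.ipademo.local oidc_child[10327]: oidc_child started.
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: userinfo: [{"sub": "CONSTRUCTED", "name": "Test User"}].
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: Failed to read attribute [email] from userinfo data.
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: No attribute to identify the user found.
Jan 19 12:43:55 server.ipademo.local oidc_child[10327]: oidc_child failed!
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: libcurl: < HTTP/1.1 400 Bad Request
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: {"error":"authorization_pending","error_description":"CONSTRUCTED"}
Jan 19 12:43:56 server.ipademo.local oidc_child[10333]: oidc_child finished successful!
"""

LINE = re.compile(r"^(\w{3} +\d+ [\d:]{8}) \S+ oidc_child\[(\d+)\]: (.*)$")
MISSING = re.compile(r"Failed to read attribute \[([^\]]+)\] from userinfo data")
OAUTH_ERR = re.compile(r'"error"\s*:\s*"([^"]+)"')
# RFC 8628 poll responses that mean "keep waiting"; they arrive with HTTP 400.
BENIGN_POLL = {"authorization_pending", "slow_down"}

def summarize_runs(text):
    """Group oidc_child lines by PID (one PID = one helper run), in first-seen order."""
    runs = {}
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # other units (ipa-otpd, systemd) and wrapped continuation lines
        ts, pid, msg = m.groups()
        run = runs.setdefault(pid, {"pid": pid, "first_seen": ts, "outcome": "unknown",
                                    "missing_attr": None, "oauth_errors": []})
        if (a := MISSING.search(msg)):
            run["missing_attr"] = a.group(1)
        elif (e := OAUTH_ERR.search(msg)):
            run["oauth_errors"].append(e.group(1))
        elif msg.startswith("oidc_child failed"):
            run["outcome"] = "failed"
        elif msg.startswith("oidc_child finished successful"):
            run["outcome"] = "ok"
    return list(runs.values())

def diagnose(runs):
    """Label each run: the real failure versus an expected pending-poll 400."""
    findings = []
    for r in runs:
        if r["outcome"] == "failed" and r["missing_attr"]:
            findings.append((r["pid"], "root-cause", f"userinfo lacks '{r['missing_attr']}'"))
        elif r["outcome"] == "failed":
            findings.append((r["pid"], "root-cause", "failed, reason not in parsed lines"))
        elif r["oauth_errors"] and set(r["oauth_errors"]) <= BENIGN_POLL:
            findings.append((r["pid"], "benign", "device-flow poll still pending"))
        elif r["oauth_errors"]:
            findings.append((r["pid"], "error", ",".join(r["oauth_errors"])))
    return findings

if __name__ == "__main__":
    for pid, kind, detail in diagnose(summarize_runs(SAMPLE)):
        print(f"oidc_child[{pid}] {kind}: {detail}")
```

Real journal output should be fed in unwrapped (for example from `journalctl -o short`), since mail-wrapped continuation lines carry no PID and are skipped.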