Am Wed, Apr 30, 2025 at 10:48:11AM +0200 schrieb Anders Wittendorff:
> The timestamp shows that it does a POST to /api/oidc/token at the exact
> same time as the POST for /api/oidc/devicecode, and then gets a Apr 28
> 13:26:13 ipa-test.int.domain.net oidc_child[13187]:
> {"error_description":"Slow down","error":"slow_down"}.
> So it seems that the oidc_child never waits for but instantly tries /token
> and then stops efter the Slow down error.Hi, ok, but since this is the first round trip, this might be expected. As I mentioned earlier, there are couple of IdP which require this to start accepting the user code. May I ask what kind of IdP you are using? If I understand you correctly the ssh will now prompt your to enter the user code to the given URI. After that there should be a second run of oidc_child on the IPA server. Do you see this as well? Can you share some parts of this logs as well? bye, Sumit > > Den ons. 30. apr. 2025 kl. 10.16 skrev Sumit Bose <[email protected]>: > > > Am Wed, Apr 30, 2025 at 09:07:12AM +0200 schrieb Anders Wittendorff: > > > I have this in the logs: > > > Apr 28 13:26:13 ipa-test.int.domain.net oidc_child[13187]: libcurl: > > > POST > > > /api/oidc/devicecode HTTP/2 > > > Apr 28 13:26:13 ipa-test.int.domain.net oidc_child[13187]: libcurl: < > > > Apr 28 13:26:13 ipa-test.int.domain.net oidc_child[13187]: > > > > > {"user_code":"xxxx-yyyy","device_code":"xyz=","interval":5,"verification_uri_complete":"https:\/\/ > > > customer.de.auth.com > > > \/api\/oidc\/device?user_code=xxxx-yyyy","verification_uri":"https:\/\/ > > > customer.de.auth.com\/api\/oidc\/device","expires_in":300} > > > Apr 28 13:26:13 ipa-test.int.domain.net oidc_child[13187]: libcurl: * > > > TLSv1.2 (IN), TLS header, Unknown (23): > > > Apr 28 13:26:13 ipa-test.int.domain.net oidc_child[13187]: libcurl: * > > > Connection #0 to host customer.de.auth.com left intact > > > Apr 28 13:26:13 ipa-test.int.domain.net oidc_child[13187]: Result does > > not > > > contain the 'message' string. > > > Apr 28 13:26:13 ipa-test.int.domain.net oidc_child[13187]: user_code: > > > [xxxx-yyyy]. > > > Apr 28 13:26:13 ipa-test.int.domain.net oidc_child[13187]: > > > verification_uri: [https://customer.de.auth.com/api/oidc/device]. > > > Apr 28 13:26:13 ipa-test.int.domain.net oidc_child[13187]: > > > verification_uri_complete: [ > > > https://customer.de.auth.com/api/oidc/device?user_code=xxxx-yyyy]. > > > Apr 28 13:26:13 ipa-test.int.domain.net oidc_child[13187]: message: > > > [(null)]. > > > Apr 28 13:26:13 ipa-test.int.domain.net oidc_child[13187]: device_code: > > > [xyz=]. > > > Apr 28 13:26:13 ipa-test.int.domain.net oidc_child[13187]: expires_in: > > > [300]. > > > Apr 28 13:26:13 ipa-test.int.domain.net oidc_child[13187]: interval: > > [5]. > > > > Hi, > > > > thanks, so the server side asks to check every 5s or less often. Can you > > check the timestamps of the access of the token endpoint? Did you by > > chance pressed enter in less than 5s after the URI var displayed in the > > ssh prompt? > > > > bye, > > Sumit > > > > > > > > Den tirs. 29. apr. 2025 kl. 16.18 skrev Sumit Bose <[email protected]>: > > > > > > > Am Mon, Apr 28, 2025 at 01:31:26PM -0000 schrieb Anders Wittendorff via > > > > FreeIPA-users: > > > > > I would have to remove a lot of data from it, is there specific > > parts of > > > > the flow you would like to see? > > > > > > > > Hi, > > > > > > > > there should be lines before the error which contain `expires_in: > > > > [SOME_VALUE].` and `interval: [%d].`. It would be good to know those > > > > value. Additionally the timestamps of the requests which were send to > > > > the token endpoint. Please note that there is already on request to the > > > > token endpoint in the first roundtrip where the device code and the URI > > > > and the one time PIN are requested. This is typically needed to make > > the > > > > IdP server waiting for the one time PIN. > > > > > > > > bye, > > > > Sumit > > > > > > > > > -- > > > > > _______________________________________________ > > > > > FreeIPA-users mailing list -- [email protected] > > > > > To unsubscribe send an email to > > > > [email protected] > > > > > Fedora Code of Conduct: > > > > https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > > > > > List Guidelines: > > https://fedoraproject.org/wiki/Mailing_list_guidelines > > > > > List Archives: > > > > > > https://lists.fedorahosted.org/archives/list/[email protected] > > > > > Do not reply to spam, report it: > > > > https://pagure.io/fedora-infrastructure/new_issue > > > > > > > > > > > > -- _______________________________________________ FreeIPA-users mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/[email protected] Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
