It's very strange. I have it working on my side on PF 10.3 and after giving
admin consent it worked well.

But looking in more detail, it's weird that the sprite.svg is redirecting
BACK to the Microsoft portal? That should not be happening... (I think)

In which log are you seeing this specific error?


By the way, just to help (I hope), this is my authentication.conf file:


[azureAD]
create_local_account=no
client_secret=<my_client_secret>
password_length=8
access_token_path=token
authorize_path=authorize
set_access_durations_action=
protected_resource_url=https://graph.microsoft.com/beta/me/
scope=openid profile email phone address
local_account_logins=0
client_id=<client_id>
username_attribute=mail
description=Usuarios Esquiu Microsoft
domains=*.msappproxy.net,account.activedirectory.windowsazure.com,accounts.accesscontrol.windows.net,adminwebservice.microsoftonline.com,api.login.microsoftonline.com,api.passwordreset.microsoftonline.com,autologon.microsoftazuread-sso.com,becws.microsoftonline.com,clientconfig.microsoftonline-p.net,companymanager.microsoftonline.com,device.login.microsoftonline.com,graph.microsoft.com,graph.windows.net,hip.microsoftonline-p.net,hipservice.microsoftonline.com,login.microsoft.com,login.microsoftonline.com,login.microsoftonline-p.com,login.windows.net,logincert.microsoftonline.com,loginex.microsoftonline.com,login-us.microsoftonline.com,nexus.microsoftonline-p.com,passwordreset.microsoftonline.com,provisioningapi.microsoftonline.com,*.adhybridhealth.azure.com,*.blob.core.windows.net,*.microsoftonline.com,*.microsoftonline-p.com,*.microsoftonline-p.net,*.msauth.net,*.msauthimages.net,*.msecnd.net,*.msftauth.net,*.msftauthimages.net,*.phonefactor.net,*.queue.core.windows.net,*.servicebus.windows.net,*.table.core.windows.net,*.windows.net,management.azure.com,policykeyservice.dc.ad.msft.net,secure.aadcdn.microsoftonline-p.com
local_account_expiration=0s
hash_passwords=bcrypt
site=https://login.microsoftonline.com/<tenant_id>/oauth2/v2.0/
redirect_url=https://esquiu.school-wifi.com/oauth2/callback
type=OpenID
person_mapping.0=email:mail
person_mapping.2=firstname:givenName
person_mapping.1=custom_field_1:department
person_mapping.3=lastname:surname

[azureAD rule IT]
action0=set_role=IT
condition0=department,equals,IT
status=enabled
match=all
class=authentication
action1=set_unreg_date=2038-01-01 00:00:01
description=via department

[azureAD rule Profesores]
action0=set_role=PROFESORES
condition0=department,contains,PROF
status=enabled
match=all
class=authentication
action1=set_access_duration=1YR+0D
description=via department

[azureAD rule Alumnos]
action0=set_role=REJECT
status=enabled
match=all
class=authentication
action1=set_access_duration=1YR+0D
description=catch all alumnos


(I'm using the Microsoft Graph beta version as the protected resource, which
gives you access to a ton more attributes for the users.) This way, I have
several rules that I can use to categorize users into different roles. In
my case I'm using the Azure "department" attribute. Please note that for
this to work, I had to first "copy" the "department" attribute into one of
the custom fields of the user. But after that, I could use it as a match in
the rules.

I also had to add the "department" field into the list of custom OpenID
attributes in PF.conf as shown below:

# advanced.openid_attributes
#
# List of known OpenID Attributes
openid_attributes=jobTitle,department,givenName,surname,employeeId,legalAgeGroupClassification,consentProvidedForMinor,mobilePhone,companyName,department

I documented some of these details in the following github issue:
https://github.com/inverse-inc/packetfence/issues/6463



Diego Garcia del Rio | CTO | Mediatel S.A. | Tel: +54 11 5218 0463 (x103)
| Cel: +54 9 11 4530-4697 | www.mediatel.com.ar | Juan Carlos Cruz 2360 –
4B (1636), Vicente López, Buenos Aires, Argentina |
https://goo.gl/maps/NZCFPwVkFFf14cR67
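
As an added example (not PacketFence's code, nor Diego's), here is a small Python evaluator that applies the "[azureAD rule ...]" sections from the authentication.conf above to a user's Graph "department" attribute, so you can see which role each department ends up with before rolling the rules out. The rule semantics (rules tried in file order, match=all requires every condition, a rule with no conditions is a catch-all, the first enabled match's set_role wins) are assumptions inferred from the posted config, not taken from PacketFence itself.

```python
"""Added example (not PacketFence code): evaluate the '[azureAD rule ...]'
sections from the posted authentication.conf. Assumed semantics: rules are
tried in file order, match=all needs every condition, first enabled match wins."""
import configparser

# Constructed excerpt of the rule sections from the posted authentication.conf
AUTH_CONF = """
[azureAD rule IT]
action0=set_role=IT
condition0=department,equals,IT
status=enabled

[azureAD rule Profesores]
action0=set_role=PROFESORES
condition0=department,contains,PROF
status=enabled

[azureAD rule Alumnos]
action0=set_role=REJECT
status=enabled
"""
# Operators used in the posted rules; comparisons are case-sensitive
OPS = {"equals": lambda v, e: v == e, "contains": lambda v, e: e in v}

def load_rules(text, source="azureAD"):
    # (name, options) for each "[<source> rule <name>]" section, in file order
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    prefix = f"{source} rule "
    return [(s[len(prefix):], dict(cp[s])) for s in cp.sections() if s.startswith(prefix)]

def rule_matches(rule, attrs):
    # Each conditionN is "attribute,operator,value"; no conditions = catch-all
    results = []
    for key, cond in rule.items():
        if key.startswith("condition"):
            attr, op, expected = cond.split(",", 2)
            results.append(OPS[op](attrs.get(attr, ""), expected))
    return all(results) if rule.get("match", "all") == "all" else any(results)

def assign_role(attrs, text=AUTH_CONF):
    # (rule name, role) from the first enabled matching rule, else (None, None)
    for name, rule in load_rules(text):
        if rule.get("status") != "enabled" or not rule_matches(rule, attrs):
            continue
        for key, action in rule.items():
            if key.startswith("action") and action.startswith("set_role="):
                return name, action.split("=", 1)[1]
    return None, None
```

Note that "equals,IT" is exact and case-sensitive, so a department such as "IT Support" falls through to the catch-all REJECT rule, which is the behaviour you want to confirm before trusting the rules in production.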


On Thu, 23 Sept 2021 at 05:12, Matthies, Heiko via PacketFence-users <
[email protected]> wrote:

> Hello Diego,
>
> That's correct, in order for the authentication to work, I needed an "app"
> in the Azure portal. I created this app and entered the credentials into
> PacketFence. I've already granted admin consent so this shouldn't be an
> issue. The authentication on the O365 side works just fine because I get
> redirected back to the PacketFence callback URL /oauth2/callback but
> then the captive portal tries to redeem the token and fails due to the
> missing Access-Control-Allow-Origin header.
>
> Greetings
>
> Heiko
>
> ASAP Engineering GmbH | Sachsstraße 1A | 85080 Gaimersheim
> Tel. +49 (8458) 3389 252 | Fax. +49 (8458) 3389 399
> [email protected] | www.asap.de
>
> Managing directors: Michael Neisen, Robert Werner, Christian Schweiger |
> Registered office: Gaimersheim | Commercial register: Ingolstadt HRB 5408
>
> Data protection: Detailed information on how ASAP handles your personal
> data is available on our website under Data protection.
> <http://www.asap.de/datenschutz/>
>
> From: Diego Garcia del Rio <[email protected]>
> Sent: Tuesday, 21 September 2021 19:13
> To: [email protected]
> Cc: Matthies, Heiko <[email protected]>
> Subject: Re: [PacketFence-users] Office365 authentications fail on
> captive portal
>
> Not 100% sure, but I believe you created an "app" in the Azure portal for
> the authentication to work? I was having similar issues until I explicitly,
> as an administrator, gave consent to the app for all users (rather than
> each user having to give individual consent).
>
> I think I was getting a very similar error to you.
>
> On Tue, Sep 21, 2021 at 5:22 AM Matthies, Heiko via PacketFence-users <
> [email protected]> wrote:
>
> Hello,
>
> I'm currently trying out the captive portal module from PacketFence and
> having difficulties with the OIDC authentication. I believe I set up the
> OIDC authentication source correctly as I get redirected back from the
> Microsoft page. After that, the following error message occurs:
>
> OAuth2 Error: Failed to validate the token, please retry
>
> I believe the browser has a problem redeeming the token; the error log
> shows the following message:
>
> Access to XMLHttpRequest at
> 'https://login.microsoftonline.com/*******/oauth2/authorize?response_type=code&redirect_uri=https%3A%2F%2F*****%2Foauth2%2Fcallback&client_id=******&hd=&state=&scope=openid'
> (redirected from 'https://*****/oauth2/common/img/sprite.svg') from origin
> 'https://*****' has been blocked by CORS policy: Response to preflight
> request doesn't pass access control check: No 'Access-Control-Allow-Origin'
> header is present on the requested resource.
>
> I searched through the different Apache configs but even when I add the
> Access-Control-Allow-Origin header through Apache, it does not seem to work.
>
> Am I missing something? For reference, the SAML authentication seems to
> have the same issue, so I suspect a problem with the captive portal itself?
>
> Greetings
>
> Heiko Matthies
>
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
