Trying to use Azure AD B2C for SSO using generic_oauth and getting a vague error when trying to troubleshoot

  • What Grafana version and what operating system are you using?
    Grafana version: 8.4.5
    OS: Ubuntu 20.04

  • What are you trying to achieve?
    Successful login through Azure AD B2C

  • How are you trying to achieve it?
    By following instructions laid out by both applications

  • What happened?
    After clicking the button to sign in using Azure I am taken to the appropriate login page. After the proper credentials are given I am redirected back to the /login/generic_oauth endpoint and see the following page:

  • What did you expect to happen?
    I was hoping for successful login to my Grafana instance

  • Can you copy/paste the configuration(s) that you are having problems with?
    Here is my setup in the config file:

[auth.generic_oauth]
enabled = true
name = SSO Provider
allow_sign_up = true
client_id = <redacted>
client_secret = <redacted>
scopes = openid email profile
empty_scopes = false
email_attribute_name = email
email_attribute_path = emails[0]
login_attribute_path =
name_attribute_path =
id_token_attribute_name =
auth_url = https://<redacted>.b2clogin.com/<redacted>.onmicrosoft.com/B2C_1_signin1/oauth2/v2.0/authorize
token_url = https://<redacted>.b2clogin.com/<redacted>.onmicrosoft.com/B2C_1_signin1/oauth2/v2.0/token
api_url = https://<redacted>.b2clogin.com/<redacted>.onmicrosoft.com/v2.0/.well-known/openid-configuration?p=B2C_1_signin1
teams_url =
allowed_domains =
team_ids =
allowed_organizations =
role_attribute_path =
role_attribute_strict = false
groups_attribute_path =
team_ids_attribute_path =
tls_skip_verify_insecure = false
tls_client_cert =
tls_client_key =
tls_client_ca =
use_pkce = false

  • Did you receive any errors in the Grafana UI or in related logs? If so, please tell us exactly what they were.
    Yes, I see the following vague error in the logs:
logger=context userId=0 orgId=0 uname= t=2022-04-22T05:39:01.71+0000 lvl=eror msg=login.OAuthLogin(NewTransportWithCode) error="oauth2: server response missing access_token"

Why don't you increase the log level?

[log]
level = debug

You didn't increase the log level, so you see only info+ logs. Enjoy debug log level. I guess the token endpoint response returns an error message where you will see what is wrong.

BTW: api_url is wrong - there should be the userinfo endpoint, not the discovery endpoint - but that shouldn't be the root cause of your current problem.

Ah, now I’m seeing:

DBUG[04-22|14:08:12] Getting user info                        logger=oauth.generic_oauth
DBUG[04-22|14:08:12] Extracting user info from OAuth token    logger=oauth.generic_oauth
DBUG[04-22|14:08:12] Received id_token                        logger=oauth.generic_oauth raw_json="{<redacted>}" data="<redacted>"
DBUG[04-22|14:08:12] Getting user info from API               logger=oauth.generic_oauth
DBUG[04-22|14:08:12] Error getting user info from API         logger=oauth.generic_oauth url= error="Get \"\": unsupported protocol scheme \"\""
DBUG[04-22|14:08:12] Processing external user info            logger=oauth.generic_oauth source=token data="Name: <redacted>, Displayname: , Login: , Username: , Email: , Upn: , Attributes: map[]"
DBUG[04-22|14:08:12] Setting user info name from name field   logger=oauth.generic_oauth
EROR[04-22|14:08:12] Error getting email address              logger=oauth.generic_oauth url=/emails error="Get \"/emails\": unsupported protocol scheme \"\""
EROR[04-22|14:08:12] login.OAuthLogin(get info from generic_oauth) logger=context error="Error getting email address: Get \"/emails\": unsupported protocol scheme \"\""
EROR[04-22|14:08:12] Request Completed                        logger=context method=GET path=/login/generic_oauth status=500 remote_addr=[::1] time_ms=1025 size=1372 referer=

BTW: api_url is wrong - there should be the userinfo endpoint, not the discovery endpoint - but that shouldn't be the root cause of your current problem.

Would you be able to expand on that?

Open your discovery URL:

https://<redacted>.b2clogin.com/<redacted>.onmicrosoft.com/v2.0/.well-known/openid-configuration?p=B2C_1_signin1

and there should be a userinfo endpoint, which you need to configure as api_url in your Grafana config.

I only see the following from the discovery endpoint:

{
  "issuer": "https://<redacted>.b2clogin.com/<redacted>/v2.0/",
  "authorization_endpoint": "https://<redacted>.b2clogin.com/<redacted>.onmicrosoft.com/oauth2/v2.0/authorize?p=b2c_1_signin1",
  "token_endpoint": "https://<redacted>.b2clogin.com/<redacted>.onmicrosoft.com/oauth2/v2.0/token?p=b2c_1_signin1",
  "end_session_endpoint": "https://<redacted>.b2clogin.com/<redacted>.onmicrosoft.com/oauth2/v2.0/logout?p=b2c_1_signin1",
  "jwks_uri": "https://<redacted>.b2clogin.com/<redacted>.onmicrosoft.com/discovery/v2.0/keys?p=b2c_1_signin1",
  "response_modes_supported": [
    "query",
    "fragment",
    "form_post"
  ],
  "response_types_supported": [
    "code",
    "code id_token",
    "code token",
    "code id_token token",
    "id_token",
    "id_token token",
    "token",
    "token id_token"
  ],
  "scopes_supported": [
    "openid"
  ],
  "subject_types_supported": [
    "pairwise"
  ],
  "id_token_signing_alg_values_supported": [
    "RS256"
  ],
  "token_endpoint_auth_methods_supported": [
    "client_secret_post",
    "client_secret_basic"
  ],
  "claims_supported": [
    "name",
    "sub",
    "idp",
    "tfp",
    "iss",
    "iat",
    "exp",
    "aud",
    "acr",
    "nonce",
    "auth_time"
  ]
}

So perhaps this is a configuration mistake I’ve made on the azure side?

Probably it is an issue with your Azure config. Contact Azure support or check the docs (maybe UserInfo endpoint | Microsoft Docs).

I don't understand why you want to use api_url, when the referred topic (SSO using Azure AD B2C - #3 by hnnsj) doesn't configure api_url.

I don't understand why you want to use api_url, when the referred topic (SSO using Azure AD B2C - #3 by hnnsj) doesn't configure api_url.

When I attempt to leave this unconfigured I get the following:

EROR[04-22|15:03:24] Error getting email address              logger=oauth.generic_oauth url=/emails error="Get \"/emails\": unsupported protocol scheme \"\""

Customize your config based on OAuth authentication | Grafana Labs. Grafana must find the user email in the id_token. You redacted your id_token payload, so only you know where the email is stored, and you need to know that to configure it properly (email_attribute_path/email_attribute_name).

Oh, I see. OK, I guess the email is not being sent properly in the id_token payload:

DBUG[04-22|15:22:55] Received id_token                        logger=oauth.generic_oauth raw_json="{\"exp\":1650669775,\"nbf\":1650666175,\"ver\":\"1.0\",\"iss\":\"https://test2749.b2clogin.com/e836a0a6-3c4e-42f6-8d5c-3ba4ab5db092/v2.0/\",\"sub\":\"de380be7-51a5-45ec-94fa-22d974cfb616\",\"aud\":\"4cb517e1-17ee-425e-b352-187d7db7c13b\",\"iat\":1650666175,\"auth_time\":1650666174,\"name\":\"Fred Fred\",\"tfp\":\"B2C_1_signin1\",\"at_hash\":\"9DEfXno3Hy72ZtBOHr5b_Q\"}" data="Name: Fred Fred, Displayname: , Login: , Username: , Email: , Upn: , Attributes: map[]"


Yes, again contact Azure support and ask why you don't see the email in the id_token (maybe the client you use just needs some minor config).

You may try to use https://graph.microsoft.com/oidc/userinfo as api_url (a very hackish and advanced solution). It is not an OIDC userinfo endpoint, but a Graph API endpoint, which also provides JSON output. It works for non-B2C Azure and it may work (not guaranteed) also for B2C Azure.

GOT IT! It works now. I had to manually add email as a user attribute in the application claims section on the Azure side. Thank you so much for your help jangaraj. I don't think I could have solved this without you talking me through it.
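The two things this thread turns on can be checked offline before touching Grafana: whether the provider's discovery document publishes a userinfo_endpoint at all (Azure AD B2C does not, so api_url has nothing valid to point at), and whether the claim named by email_attribute_path is actually present in the id_token. The following script is an added example written for this page, not code from the thread, from Grafana or from Microsoft. The discovery document and the two id_token payloads are constructed samples with placeholder tenant names and IDs, modelled on what was posted above; the email lookup order in grafana_email (JMESPath from email_attribute_path, then the plain claim named by email_attribute_name) is a simplification of Grafana 8's generic_oauth behaviour, and the statement that a miss on both leads to the api_url + "/emails" fallback is an interpretation of the `Get "/emails"` lines in the debug log, not a claim about Grafana internals beyond what those lines show.

```python
import base64
import json
import re

# --- Constructed sample inputs (placeholders, not real tenant data) ---

# Azure AD B2C discovery document, trimmed to the keys that matter here.
# Note the absence of "userinfo_endpoint": there is no userinfo URL to put in
# api_url, and the discovery URL itself is not a substitute for it.
DISCOVERY_B2C = {
    "issuer": "https://example.b2clogin.com/11111111-2222-3333-4444-555555555555/v2.0/",
    "authorization_endpoint": "https://example.b2clogin.com/example.onmicrosoft.com/oauth2/v2.0/authorize?p=b2c_1_signin1",
    "token_endpoint": "https://example.b2clogin.com/example.onmicrosoft.com/oauth2/v2.0/token?p=b2c_1_signin1",
    "jwks_uri": "https://example.b2clogin.com/example.onmicrosoft.com/discovery/v2.0/keys?p=b2c_1_signin1",
    "claims_supported": ["name", "sub", "idp", "tfp", "iss", "iat", "exp", "aud", "acr", "nonce", "auth_time"],
}

# id_token payloads before and after "Email Addresses" is added to the B2C
# application claims. Only the claims relevant to Grafana are kept.
CLAIMS_BEFORE_FIX = {
    "iss": DISCOVERY_B2C["issuer"],
    "sub": "subject-placeholder",
    "aud": "client-id-placeholder",
    "name": "Fred Fred",
    "tfp": "B2C_1_signin1",
}
CLAIMS_AFTER_FIX = dict(CLAIMS_BEFORE_FIX, emails=["fred@example.com"])


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_sample_id_token(claims: dict) -> str:
    """Build a JWT-shaped string as test input. The signature segment is a
    placeholder; nothing should trust a token built this way."""
    header = b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims, separators=(",", ":")).encode())
    return f"{header}.{payload}.placeholder-signature"


def id_token_claims(token: str) -> dict:
    """Decode the payload only, to see which claims a token carries while
    debugging. This deliberately does NOT verify signature, issuer, audience
    or expiry; Grafana does that against jwks_uri. Never base an
    authorization decision on this function."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected three dot-separated segments)")
    return json.loads(b64url_decode(parts[1]))


_PATH_TOKEN = re.compile(r"[^.\[\]]+|\[\d+\]")


def lookup_path(data, path: str):
    """Resolve a small JMESPath subset: dotted keys and [n] indexes, e.g.
    'emails[0]'. Returns None when any step is missing, which is what an
    empty Email field in the Grafana debug log corresponds to."""
    node = data
    for tok in _PATH_TOKEN.findall(path):
        if tok.startswith("["):
            idx = int(tok[1:-1])
            if not isinstance(node, list) or idx >= len(node):
                return None
            node = node[idx]
        else:
            if not isinstance(node, dict) or tok not in node:
                return None
            node = node[tok]
    return node


def grafana_email(claims: dict, email_attribute_path: str, email_attribute_name: str = "email"):
    """Simplified model of Grafana's email lookup for generic_oauth:
    email_attribute_path first, then the claim named by email_attribute_name.
    When both miss, the thread's log shows Grafana 8 trying api_url + '/emails',
    which with an empty api_url gives 'unsupported protocol scheme ""'."""
    if email_attribute_path:
        found = lookup_path(claims, email_attribute_path)
        if isinstance(found, str) and found:
            return found
    found = claims.get(email_attribute_name)
    if isinstance(found, str) and found:
        return found
    return None


def userinfo_endpoint(discovery: dict):
    """The value api_url should take, if the provider publishes one at all."""
    return discovery.get("userinfo_endpoint")


if __name__ == "__main__":
    print("userinfo_endpoint:", userinfo_endpoint(DISCOVERY_B2C))
    for label, claims in (("before fix", CLAIMS_BEFORE_FIX), ("after fix", CLAIMS_AFTER_FIX)):
        token = make_sample_id_token(claims)
        print(label, "-> email:", grafana_email(id_token_claims(token), "emails[0]"))
```

Run against a real token, paste the raw id_token from the `Received id_token` debug line into `id_token_claims` and try the exact `email_attribute_path` string from grafana.ini; if it returns None, the fix is on the identity-provider side (the claim is not being issued), not in Grafana. Keep api_url empty for B2C unless you deliberately adopt the Graph workaround mentioned above, and treat the decoded payload as untrusted input: this helper skips signature validation on purpose, so it is a debugging aid only.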

It would be nice if you could provide here a reproducible working (Azure/Grafana) setup for other users who may have this problem in the future.


Will do. Thanks again for the help.