I’m getting an authentication error sent to https://[boundary_url]:9200/authentication-error when using Azure AD as an OIDC provider:
{
  "kind": "Internal",
  "message": "authmethod_service.(Service).authenticateOidcCallback: Callback validation failed.: parameter violation: error #100: oidc.Callback: unable to get user info from provider: unknown: error #0: Provider.UserInfo: provider UserInfo request failed: 400 Bad Request: "
}
I’m provisioning the app registration and the Boundary OIDC auth method with Terraform:
data "azuread_client_config" "current" {}

resource "azuread_application" "boundary" {
  display_name            = "${var.environment}-${var.product}-boundary-oidc"
  owners                  = [data.azuread_client_config.current.object_id]
  sign_in_audience        = "AzureADMyOrg"
  prevent_duplicate_names = true

  web {
    logout_url    = "https://${var.domain}:9200/"
    redirect_uris = ["https://${var.domain}:9200/v1/auth-methods/oidc:authenticate:callback"]
  }

  required_resource_access {
    resource_app_id = "00000003-0000-0000-c000-000000000000" # Microsoft Graph

    resource_access {
      id   = "df021288-bdef-4463-88db-98f22de89214" # User.Read.All
      type = "Role"
    }
  }
}

resource "azuread_application_password" "boundary" {
  application_object_id = azuread_application.boundary.object_id
  display_name          = "${var.environment}-${var.product}-boundary-password"
}

resource "boundary_auth_method_oidc" "azure" {
  name                 = "Azure"
  scope_id             = "global"
  api_url_prefix       = "https://${var.domain}:9200"
  callback_url         = "https://${var.domain}:9200/v1/auth-methods/oidc:authenticate:callback"
  state                = "active-public"
  is_primary_for_scope = true
  issuer               = "https://sts.windows.net/${data.azuread_client_config.current.tenant_id}/"
  client_id            = azuread_application.boundary.application_id
  client_secret        = azuread_application_password.boundary.value
  signing_algorithms   = ["RS256"]
  max_age              = 0
}
After running terraform apply, I did manually authorize the app in Azure AD. I’m not really sure where to go from here. Any help would be greatly appreciated!
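Added example, not part of the original post and not Boundary's or the Terraform providers' own code: an offline check of the kind that narrows down a failed UserInfo call. It parses an OIDC discovery document and compares it with the values set on the boundary_auth_method_oidc resource above: the issuer must match the discovery document's issuer string exactly (the trailing slash counts, since the client compares it against the id_token iss claim), every configured signing algorithm must be one the provider advertises, the openid scope must be supported, and a userinfo_endpoint must be advertised over HTTPS, because that is the request the 400 in the error came back from. The discovery document and the tenant id are constructed placeholders; on a live setup the real document comes from `<issuer>/.well-known/openid-configuration`.

```python
import json
from typing import Dict, List

# Constructed sample of an OIDC discovery document with a placeholder tenant id
# (assumption: shape only, not a real tenant's document).
TENANT = "00000000-0000-0000-0000-000000000000"
SAMPLE_DISCOVERY = json.dumps({
    "issuer": f"https://sts.windows.net/{TENANT}/",
    "authorization_endpoint": f"https://login.microsoftonline.com/{TENANT}/oauth2/authorize",
    "token_endpoint": f"https://login.microsoftonline.com/{TENANT}/oauth2/token",
    "userinfo_endpoint": f"https://login.microsoftonline.com/{TENANT}/openid/userinfo",
    "jwks_uri": "https://login.microsoftonline.com/common/discovery/keys",
    "id_token_signing_alg_values_supported": ["RS256"],
    "scopes_supported": ["openid", "profile", "email"],
})

# Values mirroring the boundary_auth_method_oidc resource in the post,
# with the placeholder tenant substituted for the Terraform interpolation.
CONFIGURED_ISSUER = f"https://sts.windows.net/{TENANT}/"
CONFIGURED_ALGS = ["RS256"]


def check_discovery(doc_json: str, issuer: str, algs: List[str]) -> Dict[str, object]:
    """Compare a discovery document against the auth method's configuration.

    Returns {"ok": bool, "problems": [str, ...], "userinfo_endpoint": str | None}.
    """
    doc = json.loads(doc_json)
    problems: List[str] = []

    # 1. Exact string match on the issuer. OIDC clients compare the configured
    #    issuer to the id_token `iss` claim byte for byte, so a missing or
    #    extra trailing slash is a mismatch, not a cosmetic difference.
    if doc.get("issuer") != issuer:
        problems.append(
            f"issuer mismatch: discovery says {doc.get('issuer')!r}, configured {issuer!r}"
        )

    # 2. Every configured signing algorithm must be advertised by the provider.
    supported = set(doc.get("id_token_signing_alg_values_supported", []))
    for alg in algs:
        if alg not in supported:
            problems.append(f"signing algorithm {alg} not advertised by provider")

    # 3. The openid scope is mandatory for an OIDC flow.
    if "openid" not in doc.get("scopes_supported", []):
        problems.append("provider does not advertise the openid scope")

    # 4. The client only calls UserInfo at the endpoint the provider advertises;
    #    it must exist and be HTTPS. If this passes, the failure is on the
    #    request itself (token audience, permissions), not on discovery.
    userinfo = doc.get("userinfo_endpoint")
    if not userinfo:
        problems.append("no userinfo_endpoint advertised")
    elif not userinfo.startswith("https://"):
        problems.append(f"userinfo_endpoint is not https: {userinfo}")

    return {"ok": not problems, "problems": problems, "userinfo_endpoint": userinfo}


if __name__ == "__main__":
    # Healthy configuration, then the same config with the trailing slash dropped.
    for label, iss in (("as configured", CONFIGURED_ISSUER),
                       ("without trailing slash", CONFIGURED_ISSUER.rstrip("/"))):
        result = check_discovery(SAMPLE_DISCOVERY, iss, CONFIGURED_ALGS)
        print(label, "->", "ok" if result["ok"] else result["problems"])
```

Running it as written reports the configured values as consistent with the sample document and flags the slash-less issuer as a mismatch. A clean result here means the discovery side is fine and the 400 has to be investigated on the UserInfo request itself, for example by checking which audience and permissions the access token Boundary presents actually carries.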