Devolutions ForumDevolutions Forum

Openid authentication issues in 5.4.0 version

Openid authentication issues in 5.4.0 version

avatar
Product: PowerShell Universal
Version: 5.4.0


We have version 5.3.3 working correctly with authentication via openid. When updating to version 5.4.0 when booting the service and launching the application we observe the following error,

2025-03-21 06:07:47.189 +00:00 [ERR][Microsoft.AspNetCore.Diagnostics.ExceptionHandlerMiddleware] An unhandled exception has occurred while executing the request.
System.InvalidOperationException: Invalid response from pushed authorization: content type is not application/json.
   at Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler.GetPushedAuthorizationRequestUri(HttpResponseMessage parResponseMessage)
   at Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler.PushAuthorizationRequest(OpenIdConnectMessage authorizeRequest, AuthenticationProperties properties)
   at Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler.HandleChallengeAsyncInternal(AuthenticationProperties properties)
   at Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler.HandleChallengeAsync(AuthenticationProperties properties)
   at Microsoft.AspNetCore.Authentication.AuthenticationHandler`1.ChallengeAsync(AuthenticationProperties properties)
   at Microsoft.AspNetCore.Authentication.AuthenticationService.ChallengeAsync(HttpContext context, String scheme, AuthenticationProperties properties)
   at PowerShellUniversal.DashboardEndpointSource.Execute(Dashboard dashboard, HttpContext httpContext) in D:\a\universal\universal\src\Universal.Server\Routing\DashboardEndpointSource.cs:line 65
   at Microsoft.AspNetCore.Routing.EndpointMiddleware.<Invoke>g__AwaitRequestTask|7_0(Endpoint endpoint, Task requestTask, ILogger logger)
   at Microsoft.AspNetCore.Authorization.AuthorizationMiddleware.Invoke(HttpContext context)
   at PowerShellUniversal.FeatureMiddleware.InvokeAsync(HttpContext context, RequestDelegate next) in D:\a\universal\universal\src\Universal.Server\Middleware\FeatureMiddleware.cs:line 42
   at Microsoft.AspNetCore.Builder.UseMiddlewareExtensions.InterfaceMiddlewareBinder.<>c__DisplayClass2_0.<<CreateMiddleware>b__0>d.MoveNext()
--- End of stack trace from previous location ---
   at PowerShellUniversal.DisallowedModeMiddleware.InvokeAsync(HttpContext context, RequestDelegate next) in D:\a\universal\universal\src\Universal.Server\Middleware\ModeMiddleware.cs:line 35
   at Microsoft.AspNetCore.Builder.UseMiddlewareExtensions.InterfaceMiddlewareBinder.<>c__DisplayClass2_0.<<CreateMiddleware>b__0>d.MoveNext()
--- End of stack trace from previous location ---
   at PowerShellUniversal.CspMiddleware.InvokeAsync(HttpContext context, RequestDelegate next) in D:\a\universal\universal\src\Universal.Server\Middleware\CspMiddleware.cs:line 28
   at Microsoft.AspNetCore.Builder.UseMiddlewareExtensions.InterfaceMiddlewareBinder.<>c__DisplayClass2_0.<<CreateMiddleware>b__0>d.MoveNext()
--- End of stack trace from previous location ---
   at Universal.Server.Middleware.RoutingMiddleware.Invoke(HttpContext httpContext, IPolicyEvaluator policyEvaluator) in D:\a\universal\universal\src\Universal.Server\Middleware\RoutingMiddleware.cs:line 185
   at PowerShellUniversal.PSUMiddleware.InvokeAsync(HttpContext context, RequestDelegate next) in D:\a\universal\universal\src\Universal.Server\Middleware\PowerShellMiddleware.cs:line 15
   at Microsoft.AspNetCore.Builder.UseMiddlewareExtensions.InterfaceMiddlewareBinder.<>c__DisplayClass2_0.<<CreateMiddleware>b__0>d.MoveNext()
--- End of stack trace from previous location ---
   at Swashbuckle.AspNetCore.SwaggerUI.SwaggerUIMiddleware.Invoke(HttpContext httpContext)
   at Swashbuckle.AspNetCore.Swagger.SwaggerMiddleware.Invoke(HttpContext httpContext, ISwaggerProvider swaggerProvider)
   at Universal.Server.Middleware.WindowsAuthMiddleware.InvokeAsync(HttpContext context, RequestDelegate next) in D:\a\universal\universal\src\Universal.Server\Middleware\WindowsAuthMiddleware.cs:line 58
   at Microsoft.AspNetCore.Builder.UseMiddlewareExtensions.InterfaceMiddlewareBinder.<>c__DisplayClass2_0.<<CreateMiddleware>b__0>d.MoveNext()
--- End of stack trace from previous location ---
   at Universal.Server.Middleware.SwaggerAuthenticationMiddleware.InvokeAsync(HttpContext context, RequestDelegate next) in D:\a\universal\universal\src\Universal.Server\Middleware\SwaggerAuthMiddleware.cs:line 51
   at Microsoft.AspNetCore.Builder.UseMiddlewareExtensions.InterfaceMiddlewareBinder.<>c__DisplayClass2_0.<<CreateMiddleware>b__0>d.MoveNext()
--- End of stack trace from previous location ---
   at AspNetCoreRateLimit.RateLimitMiddleware`1.Invoke(HttpContext context) in D:\a\universal\universal\src\AspNetCoreRateLimit\Middleware\RateLimitMiddleware.cs:line 109
   at Microsoft.AspNetCore.Session.SessionMiddleware.Invoke(HttpContext context)
   at Microsoft.AspNetCore.Session.SessionMiddleware.Invoke(HttpContext context)
   at Microsoft.AspNetCore.Diagnostics.ExceptionHandlerMiddlewareImpl.<Invoke>g__Awaited|10_0(ExceptionHandlerMiddlewareImpl middleware, HttpContext context, Task task)


How do we have openid configured? In authentication.ps1 file,

Set-PSUAuthenticationMethod -Type "OpenIDConnect" -CallbackPath "/auth/signin-oidc" -ClientId $Secret:OpenIDClient -ClientSecret $Secret:OpenIDSecret -Authority "https://xxx/oidc" -Scopes "openid profile roles" -SaveTokens $True -ResponseType code


For the time being we have reverted to version 5.3.3. Any idea of ​​the why of this behavior?

Note: The response obtained from the provider openid if in JSON format. For example,

{
  "Claims": [
    {
      "Type": "jti",
      "Value": "xxxx",
      "ValueType": "http://www.w3.org/2001/XMLSchema#string",
      "Issuer": "https://xxxx/oidc",
      "Properties": []
    },
    {
      "Type": "sid",
      "Value": "xxxx",
      "ValueType": "http://www.w3.org/2001/XMLSchema#string",
      "Issuer": "https://xxxx/oidc",
      "Properties": []
    },
    {
      "Type": "name",
      "Value": "pseudo Pseudo user for service availability reporting on SMART FE",
      "ValueType": "http://www.w3.org/2001/XMLSchema#string",
      "Issuer": "https://xxxx/ims-sso/oidc",
      "Properties": []
    },
    {
      "Type": "http://schemas.microsoft.com/ws/2008/06/identity/claims/role",
      "Value": "spp",
      "ValueType": "http://www.w3.org/2001/XMLSchema#string",
      "Issuer": "https://xxxx",
      "Properties": []
    },
    {
      "Type": "http://schemas.microsoft.com/ws/2008/06/identity/claims/role",
      "Value": "reports",
      "ValueType": "http://www.w3.org/2001/XMLSchema#string",
      "Issuer": "https://xxxx",
      "Properties": []
    },
    {
      "Type": "RolesAssigned",
      "Value": "true",
      "ValueType": "http://www.w3.org/2001/XMLSchema#string",
      "Issuer": "https://www.poshtools.com",
      "Properties": []
    }
  ],
  "Identity": {
    "Name": "xxx"
  }
}


Thanks!

avatar
Adam Driscoll

Recommended Answer

I’m going to disable this by default and we can make it configurable in a future PSU version.

Adam Driscoll
PowerShell Expert and Developer at Devolutions

All Comments (9)

avatar
"openid profile roles"

“openid profile roles”

what happens if you use “openid profile groups”?

avatar

Thanks for the suggestion but my openid provider doesn’t support the ‘groups’ scope. That’s why we use roles.

avatar
Adam Driscoll

Can you share which service you are using? 5.4 bumped the .NET version, which bumped the OIDC libraries and may be part of the problem.

Adam Driscoll
PowerShell Expert and Developer at Devolutions

avatar

Hello @Adam Driscoll , unfortunately I do not manage the service provider implementation. It is a CAS based internal solution: CAS - OpenID Connect Authentication.

avatar

Hello @Adam Driscoll, sorry for mentioning you again. So I have been able to investigate with .net 9, by default, if the provider admits it Pushed Authorization (PAR) is used as authorization method.
Checking the logs again I see that the problem is there,

"...
System.InvalidOperationException: Invalid response from pushed authorization: content type is not application/json.
   at Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler.GetPushedAuthorizationRequestUri(HttpResponseMessage parResponseMessage)
..."

# Relevant part: "...parResponseMessage..."


I’m not quite clear if the provider we use admits it or not but (and it will probably be very hard for me to find out), in any case, is there any way to change this behaviour?

In following links:

github.com/dotnet/aspnetcore
github.com/dotnet/aspnetcore
i see that it is possible to disable Pushed Authorization (PAR) but. If so, is there any way to implement it in PSU?
I have tried it with the ‘Configure’ parameter in the ‘Set-PSUAuthenticationMethod’ cmdlet trying without any success,

Set-PSUAuthenticationMethod -Type XXX -Configure {
     $options = $args[0]
     $options.PushedAuthorizationBehavior = 'Disable'
    } 
}


Thanks in advance

avatar
Adam Driscoll

I’m not sure why that wouldn’t work but I do think I will need to some research into this particular provider. I opened a GitHub issue so this doesn’t get buried.

github.com/ironmansoftware/powershell-universal

Adam Driscoll
PowerShell Expert and Developer at Devolutions

avatar
Adam Driscoll

I’m going to disable this by default and we can make it configurable in a future PSU version.

Adam Driscoll
PowerShell Expert and Developer at Devolutions

avatar

Thanks @Adam Driscoll , version 5.4.4 installed and openid authentication works!

avatar

Hello @Adam Driscoll , sorry for reviving this thread, but the issue is reproduced in version 5.5.2. Perhaps a regression has been introduced? Perhaps a change has been implemented in PSU that allows configuring authentication behavior with OIDC? We don’t see anything about this in the docs. Thanks!