enterprise-support team mailing list archive

Thread
Date

[Bug 2100299] [NEW] libapache2-mod-auth-openidc application registration key regression in Noble

To: enterprise-support@xxxxxxxxxxxxxxxxxxx
From: Kenneth MacDonald <2100299@xxxxxxxxxxxxxxxxxx>
Date: Wed, 26 Feb 2025 17:10:33 -0000
Reply-to: Bug 2100299 <2100299@xxxxxxxxxxxxxxxxxx>
Sender: noreply@xxxxxxxxxxxxx

Public bug reported:

Description:    Ubuntu 24.04.2 LTS

I upgraded a web server from Jammy to Noble and it cannot authenticate
against MS Entra ID due to a regression in handling the application
registration private key that upstream introduced between the to
packaged versions in Ubuntu.

Jammy: libapache2-mod-auth-openidc-2.4.11-1
Noble: libapache2-mod-auth-openidc-2.4.15.1-1build3

>From https://github.com/OpenIDC/mod_auth_openidc/releases/tag/v2.4.16.4
...

* add the missing copy of the "x5t" claim in oidc_jwk_copy, which broke
private_key_jwt authentication to Microsoft Entra ID / Azure AD since
2.4.13

The relevant part of my Apache configuration is ...

  OIDCPublicKeyFiles /etc/ssl/certs/entra-id.crt
  OIDCPrivateKeyFiles /etc/ssl/private/entra-id.key
  OIDCProviderTokenEndpointAuth private_key_jwt

Users can log in to this website via MS Entra ID on Jammy, but on Noble
the website returns an error to the user and this (redacted) in the logs
...

[Wed Feb 26 15:32:09.726271 2025] [auth_openidc:error] [pid 416730:tid 129370008061632] [client ****:52468] oidc_util_json_string_print: oidc_util_che
ck_json_error: response contained an "error" entry with value: ""invalid_client""
[Wed Feb 26 15:32:09.726646 2025] [auth_openidc:error] [pid 416730:tid 129370008061632] [client ****:52468] oidc_util_json_string_print: oidc_util_check_json_error: response contained an "error_description" entry with value: ""AADSTS700027: The certificate with identifier used to sign the client assertion is not registered on application. [Reason - The key was not found., Please visit the Azure Portal, Graph Explorer or directly use MS Graph to see configured keys for app Id '****'. Review the documentation at https://docs.microsoft.com/en-us/graph/deployments to determine the corresponding service endpoint and https://docs.microsoft.com/en-us/graph/api/application-get?view=graph-rest-1.0&tabs=http to build a query request URL, such as 'https://graph.microsoft.com/beta/applications/****']. Trace ID: **** Correlation ID: **** Timestamp: 2025-02-26 15:32:09Z""

I see that Plucky has a new enough version packaged to fix this
regression (https://launchpad.net/ubuntu/+source/libapache2-mod-auth-
openidc/2.4.16.8-1) and when I installed that package from
https://archive.ubuntu.com/ubuntu/pool/universe/liba/libapache2-mod-
auth-openidc/libapache2-mod-auth-openidc_2.4.16.8-1_amd64.deb it worked
on my Noble server, allowing users to log in again.

Are you able to back port the Plucky version to Noble?

** Affects: libapache2-mod-auth-openidc (Ubuntu)
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Server/Client Support Team, which is subscribed to apache2 in Ubuntu.
Matching subscriptions: Ubuntu Server/Client Support Team
https://bugs.launchpad.net/bugs/2100299

Title:
  libapache2-mod-auth-openidc application registration key regression in
  Noble

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libapache2-mod-auth-openidc/+bug/2100299/+subscriptions

Follow ups

[Bug 2100299] Re: libapache2-mod-auth-openidc application registration key regression in Noble
From: Kenneth MacDonald, 2025-02-26