How can I debug a 'KidNotFound' error when implementing GitLab SSO with Azure AD as IdP?

I am trying to integrate our self-managed GitLab 15.9.3-ee instance with our Azure AD. Using Azure AD as the IdP for SSO into GitLab, I have been using the documentation here:

https://docs.gitlab.com/ee/administration/auth/oidc.html

https://docs.gitlab.com/ee/integration/omniauth.html

https://docs.gitlab.com/ee/integration/azure.html

to set up OmniAuth to use OpenID Connect to access our login.microsoftonline.com v2 endpoint on our development Azure tenant. The config required in omniauth_providers [] differs slightly between documents; this is what I am currently using:

gitlab_rails['omniauth_enabled'] = true
gitlab_rails['omniauth_allow_single_sign_on'] = ["azure_activedirectory_v2"]
gitlab_rails['omniauth_auto_link_ldap_user'] = false
gitlab_rails['omniauth_block_auto_created_users'] = true
gitlab_rails['omniauth_auto_link_user'] = ["azure_activedirectory_v2"]


gitlab_rails['omniauth_providers'] = [
  {
    name: "azure_activedirectory_v2",
    args: {
      name: "azure_activedirectory_v2",
      strategy_class: "OmniAuth::Strategies::OpenIDConnect",
      scope: ["openid", "profile", "email"],
      response_type: "code",
      issuer:  "https://login.microsoftonline.com/6b72c6a7-3624-4c78-82ea-8901960e56c3/v2.0",
      client_auth_method: "query",
      discovery: true,
      uid_field: "preferred_username",
      send_scope_to_token_endpoint: "false",
      pkce: true,
      client_options: {
        identifier: "386481e3-7a0e-4ba3-b85c-d1baa1716276",
        secret: "nev8Q~bGETvJNqdm58__xGG.mZjmcfIsS69hZanZ",
        redirect_uri: "https://gitlab.dev.scalable.com/users/auth/azure_activedirectory_v2/callback"
      }
    }
  }
]

I can see the Azure login button on the login page and the Connect to Azure AD button in: GitLab -> User Dropdown -> Edit Profile -> Account -> Service sign-in. When I press the Connect button, the Azure logs record the authentication as successful, but in the GitLab application.log I get an Authentication failure! JSON::JWK::Set::KidNotFound error.

2023-05-24T14:40:28.421Z: (openid_connect) Request phase initiated.
2023-05-24T14:40:29.113Z: (openid_connect) Callback phase initiated.
2023-05-24T14:40:29.627Z: (openid_connect) Authentication failure! JSON::JWK::Set::KidNotFound: JSON::JWK::Set::KidNotFound, JSON::JWK::Set::KidNotFound

This happens whether I am using the azure_activedirectory_v2 or the openid_connect callbacks. I have tried a few different values for uid_field, such as oid, sub, name, email, mail, preferred_username, user.name... and a few more besides. So I was wondering if there was any more recent documentation that covered Azure AD setup from scratch, or a better source of debugging information?

Or am I just doing something wrong?

mangohost
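KidNotFound is raised by the json-jwt library when the `kid` in the id_token header is not present in the JWKS that the issuer's discovery document points to. The script below, added here as an example and not part of the question or of GitLab, reproduces that lookup offline on constructed data: it decodes the id_token header and payload, checks the `kid` against a JWKS document, and checks that the token's `iss` claim equals the issuer configured in gitlab.rb (the tenant id, client id and key ids are placeholders).

```ruby
require "json"
require "base64"

# Constructed sample data. The id_token has the shape Azure AD issues, but the
# signature is a placeholder and nothing is verified cryptographically here.
CONFIGURED_ISSUER = "https://login.microsoftonline.com/<tenant-id>/v2.0"

def b64url(obj)
  Base64.urlsafe_encode64(JSON.generate(obj), padding: false)
end

SAMPLE_ID_TOKEN = [
  b64url({ typ: "JWT", alg: "RS256", kid: "constructed-kid-1" }),
  b64url({ iss: CONFIGURED_ISSUER, aud: "<client-id>",
           preferred_username: "user@example.com" }),
  "c2lnbmF0dXJl" # placeholder signature, not checked
].join(".")

# A JWKS document like the one behind jwks_uri; note it lacks constructed-kid-1.
SAMPLE_JWKS = JSON.generate(keys: [
  { kty: "RSA", use: "sig", kid: "constructed-kid-2", e: "AQAB", n: "<modulus>" },
  { kty: "RSA", use: "sig", kid: "constructed-kid-3", e: "AQAB", n: "<modulus>" }
])

# Decode one base64url-encoded JWT segment (0 = header, 1 = payload) into a Hash.
def jwt_segment(token, index)
  JSON.parse(Base64.urlsafe_decode64(token.split(".")[index]))
end

# Mirror the two checks that matter for this failure: is the header kid in the
# JWKS, and does the iss claim match the configured issuer string exactly?
def diagnose(id_token, jwks_json, configured_issuer)
  header  = jwt_segment(id_token, 0)
  payload = jwt_segment(id_token, 1)
  kids    = JSON.parse(jwks_json).fetch("keys").map { |k| k["kid"] }
  {
    kid: header["kid"],
    kid_found: kids.include?(header["kid"]),
    jwks_kids: kids,
    token_issuer: payload["iss"],
    issuer_match: payload["iss"] == configured_issuer
  }
end

if $PROGRAM_NAME == __FILE__
  r = diagnose(SAMPLE_ID_TOKEN, SAMPLE_JWKS, CONFIGURED_ISSUER)
  puts "kid #{r[:kid]} #{r[:kid_found] ? 'is' : 'is NOT'} in JWKS #{r[:jwks_kids]}"
  puts "iss #{r[:token_issuer]} #{r[:issuer_match] ? 'matches' : 'does NOT match'} config"
end
```

To run it against a real failure, paste the id_token from the callback (it is in the token response) and the JSON served by the `jwks_uri` listed in `<issuer>/.well-known/openid-configuration` in place of the constructed samples.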
