Forum Discussion
APM/OAuth2 : auto apply changes made by discovery
- Nov 20, 2024
Hi Lucas,
Small update on the case. Engineering has been able to solve the issue with an engineering hotfix for 17.1.1.4:
ID1293805-1: Access policies not in Partition Common are not applied in auto discovery process
Since then the issue has been fixed!
Thanks again for your help at the beginning of this case!
Regards,
Olivier
So, there has been a change in the JWT this weekend on Azure Entra, and I got a lot of logs from restjavad.
I won't post the part where it discovers the new JWTs, deletes the old JWT/certs in the config, and creates the new one; I'll skip to the SAVE_AND_APPLY phase of OIDCDiscoverTask. (I also stripped the beginning of the lines for readability.)
All lines start with [F][21133][25 Aug 2024 18:25:27 UTC][8100/tm/access/oidc/discover OIDCDiscoverTaskCollectionWorker]
[18:25:26] install meta data sending mcp request
[18:25:26] intall meta dataa sending mcp request
[18:25:27] OIDC Discover provider name is /HES-SO/HES_AGF_AzAD_Provider and step SAVE_AND_APPLY
[18:25:27] saveAndApply :mcpProviderName /HES-SO/HES_AGF_AzAD_Provider
[18:25:27] applyPolicyForProvider chain >>
[18:25:27] applyPolicyForProvider chain >>
[18:25:27] applyPolicyForProvider total items in chains = 2
[18:25:27] setup doChainQuery queries : chain >>
[18:25:27] do chain query with names [/HES-SO/HES_AGF_AzAD_Provider], remaining step 5
[18:25:27] setup mcp queryAll for name /HES-SO/HES_AGF_AzAD_Provider qi =
[18:25:27] setup doChainQuery queries : chain >>
[18:25:27] do chain query with names [/HES-SO/HES_AGF_AzAD_Provider], remaining step 5
[18:25:27] setup mcp queryAll for name /HES-SO/HES_AGF_AzAD_Provider qi =
[18:25:27] mcpOperation queryInfo=
[18:25:27] results from mcp-multi requests /HES-SO/HES_AGF_M365_JWTP, for queryInfo =
[18:25:27] do chain query with names [/HES-SO/HES_AGF_M365_JWTP], remaining step 4
[18:25:27] setup mcp queryAll for name /HES-SO/HES_AGF_M365_JWTP qi =
[18:25:28] mcpOperation queryInfo=
[18:25:28] results from mcp-multi requests /HES-SO/HES_AGF_OAuth_Srv, for queryInfo =
[18:25:28] do chain query with names [/HES-SO/HES_AGF_OAuth_Srv], remaining step 4
[18:25:28] setup mcp queryAll for name /HES-SO/HES_AGF_OAuth_Srv qi =
[18:25:28] mcpOperation queryInfo=
[18:25:28] results from mcp-multi requests for queryInfo =
[18:25:28] applyPolicyForProvider handling of a chain
[18:25:28] mcpOperation queryInfo=
[18:25:28] results from mcp-multi requests /HES-SO/HES_AGF_M365_act_oauth_client_ag, for queryInfo =
[18:25:28] do chain query with names [/HES-SO/HES_AGF_M365_act_oauth_client_ag], remaining step 3
[18:25:28] setup mcp queryAll for name /HES-SO/HES_AGF_M365_act_oauth_client_ag qi =
[18:25:28] mcpOperation queryInfo=
[18:25:28] results from mcp-multi requests /HES-SO/HES_AGF_M365_act_oauth_client, for queryInfo =
[18:25:28] do chain query with names [/HES-SO/HES_AGF_M365_act_oauth_client], remaining step 2
[18:25:28] setup mcp queryAll for name /HES-SO/HES_AGF_M365_act_oauth_client qi =
[18:25:28] mcpOperation queryInfo=
[18:25:28] policyName = /HES-SO/HES_AGF_M365, resolvedPolicyName = null
[18:25:28] results from mcp-multi requests null, for queryInfo =
[18:25:28] applyPolicyForProvider handling of a chain
[18:25:28] aps is empty.
[18:25:28] OIDC Discover provider name is /HES-SO/HES_AGF_AzAD_Provider and step SLEEP_AND_RUN_AGAIN
[18:25:28] Task ID 3394e5d4-9c7d-4685-808d-738c16e11dc8 for provider /HES-SO/HES_AGF_AzAD_Provider has completed one round, we will schedule the next discover after 1440 minutes
Lines 36-39 look odd.
And still no trace of "generation-action increment" in the audit log.
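As an added example (not code from the thread or from F5), here is a small Python scanner over restjavad lines like those above. It groups the output into SAVE_AND_APPLY rounds and flags any round that ends with `resolvedPolicyName = null` and `aps is empty.`, i.e. a round where discovery ran but no access policy was applied. The sample lines are taken from the posted output; the second, healthy round, its provider names and its task ID are constructed for contrast.

```python
import re
from dataclasses import dataclass, field
# Constructed sample in the stripped "[HH:MM:SS] message" form posted above: round 1 is copied
# from the thread; round 2 is a constructed healthy round (assumed non-null resolvedPolicyName).
SAMPLE_LOG = """\
[18:25:27] OIDC Discover provider name is /HES-SO/HES_AGF_AzAD_Provider and step SAVE_AND_APPLY
[18:25:28] policyName = /HES-SO/HES_AGF_M365, resolvedPolicyName = null
[18:25:28] aps is empty.
[18:25:28] OIDC Discover provider name is /HES-SO/HES_AGF_AzAD_Provider and step SLEEP_AND_RUN_AGAIN
[18:25:28] Task ID 3394e5d4-9c7d-4685-808d-738c16e11dc8 for provider /HES-SO/HES_AGF_AzAD_Provider has completed one round, we will schedule the next discover after 1440 minutes
[19:00:01] OIDC Discover provider name is /Common/Demo_Provider and step SAVE_AND_APPLY
[19:00:02] policyName = /Common/Demo_Policy, resolvedPolicyName = /Common/Demo_Policy
[19:00:02] Task ID 11111111-2222-3333-4444-555555555555 for provider /Common/Demo_Provider has completed one round, we will schedule the next discover after 1440 minutes
"""

STEP_RE = re.compile(r"OIDC Discover provider name is (\S+) and step (\S+)")
POLICY_RE = re.compile(r"policyName = (\S+), resolvedPolicyName = (\S+)")
DONE_RE = re.compile(r"Task ID (\S+) for provider (\S+) has completed one round")

@dataclass
class DiscoveryRound:
    provider: str
    task_id: str = ""
    unresolved: list = field(default_factory=list)  # policyName values that resolved to null
    aps_empty: bool = False

    def apply_was_skipped(self) -> bool:
        return bool(self.unresolved) or self.aps_empty  # round ended with nothing to apply

def scan_discovery_rounds(text: str) -> list:
    """Group restjavad lines into SAVE_AND_APPLY rounds and record how each one ended."""
    rounds, current = [], None
    for line in text.splitlines():
        step = STEP_RE.search(line)
        if step and step.group(2) == "SAVE_AND_APPLY":
            current = DiscoveryRound(provider=step.group(1))  # a new apply phase starts
            continue
        if current is None:
            continue
        policy = POLICY_RE.search(line)
        if policy and policy.group(2) == "null":
            current.unresolved.append(policy.group(1))
        elif "aps is empty." in line:
            current.aps_empty = True
        done = DONE_RE.search(line)
        if done and done.group(2) == current.provider:
            current.task_id = done.group(1)
            rounds.append(current)
            current = None
    return rounds
```

Feeding a real restjavad log through `scan_discovery_rounds` and alerting on `apply_was_skipped()` gives an early signal for the symptom in this thread, since the task itself reports success and simply reschedules.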
Great. From this logging, it seems that the system is trying to fetch and operate on this config data but the expected objects seem to be missing. Specifically it should be chaining together the access policy and access profile. Can you open a support ticket on this one and reference this DC thread? Support will need to check out your config.
The reason this mechanism is complex and a little weird is that APM has several different access-policy and access-profile "types", including macros and subroutines for both per-session and per-request type policies. These can also be located in folders or partitions. Most of the control-plane processes try to treat these config objects in a generic way, but there are some corners to get stuck in.