Azure AD 401 Kiali


Bruno Macedo

Oct 2, 2020, 3:55:59 PM
to kiali-users
I'm trying to configure Azure AD/AKS with OpenId and Kiali.

My cluster has OpenID configured, but I'm not able to log in using Kiali with the implicit flow

    auth:
      strategy: openid
      openid:
        client_id: "xxxxx-xxxxx-xxxxx-xxxx"
        username_claim: "preferred_username"

I'm still getting 401 and the logs show:

I1002 18:17:43.832090 1 kiali.go:211] Generating env.js from config
I1002 18:17:43.836399 1 server.go:67] Server endpoint will start at [:20001/kiali]
I1002 18:17:43.836433 1 server.go:68] Server endpoint will serve static content from [/opt/kiali/console]
I1002 18:17:43.836461 1 metrics_server.go:18] Starting Metrics Server on [:9090]
W1002 18:18:19.948203 1 openid_auth.go:346] Error when fetching OpenID provider's metadata: cannot fetch OpenId Metadata (HTTP response status = 404 Not Found)
I1002 18:18:20.471016 1 authentication.go:672] Not handling OpenId code flow authentication: State parameter is empty or invalid.

Does anyone know if there is something missing, or has anyone faced the same problem?

Bruno Macedo

Oct 2, 2020, 3:58:59 PM
to kiali-users
I was able to generate a token but I'm getting 401 when Kiali tries to validate it.

// Kiali's check of the OpenId callback parameters; a non-empty result is the reason that ends up in the log.
func CheckOpenIdAuthorizationCodeFlowParams(params *OpenIdCallbackParams) string {
	if params.NonceHash == nil {
		return "No nonce code present. Login window timed out."
	}
	if params.State == "" {
		return "State parameter is empty or invalid."
	}
	if params.Code == "" {
		return "No authorization code is present."
	}
	return ""
}

Edgar Hernández

Oct 2, 2020, 4:30:41 PM
to Bruno Macedo, kiali-users

Hi Bruno,

I see you are setting issuer_uri and authorization_endpoint to the same URL.
Usually, they are NOT the same URL. The issuer_uri is the one that looks wrong.

Can you find and fix the right issuer_uri for your AD/AKS instance?
--
You received this message because you are subscribed to the Google Groups "kiali-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to kiali-users...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/kiali-users/f8329d96-7dae-4704-8e0f-a2538fbbad51n%40googlegroups.com.

Bruno Macedo

Oct 3, 2020, 9:32:31 PM
to kiali-users
Hi Edgar, 

I've tried this way:

auth:
  strategy: openid
  openid:
    client_id: "b7817f02-7b52-4180-8dc6-1f64b4491778"
    issuer_uri: "https://login.microsoftonline.com/cef04b19-9976-4a94-b89b-365c77a8f935/v2.0"
    authorization_endpoint: "https://login.microsoftonline.com/cef04b19-9976-4a94-b89b-365c77a8f935/oauth2/v2.0/authorize"
    scopes: ["openid", "profile", "email"]
    username_claim: "preferred_username"

Did not work either.

Any idea? We have been trying for a week.

Bruno Macedo

Oct 3, 2020, 9:35:33 PM
to kiali-users
{"error":"Token is not valid or is expired","detail":"Unauthorized"}

Log message:
I1004 01:27:42.950504       1 authentication.go:672] Not handling OpenId code flow authentication: No nonce code present. Login window timed out.

Bruno Macedo

Oct 4, 2020, 11:09:56 PM
to kiali-users
Hi all, I'm still on it


auth:
  strategy: openid
  openid:
    client_id: "39ed0b47-e77c-4507-89ea-7ed4c1fcceb5"
    issuer_uri: "https://login.microsoftonline.com/bc34d9dd-2685-4dfb-96a7-ef7851e25c6c/v2.0"
    authorization_endpoint: "https://login.microsoftonline.com/bc34d9dd-2685-4dfb-96a7-ef7851e25c6c/oauth2/v2.0/authorize"
    scopes: ["openid", "profile", "email"]
login_token:
  signing_key: "7vUd67vUd67vUd67vUd67vUd67vUd67vUd67vUd67vUd67vUd67vUd67vUd67vUd67vUd67vUd67vUd67vUd67vUd6"

This doesn't work either. Even with the signing_key, the flow performed is authorization_code; this doesn't make any sense :/

{"error":"failure when retrieving user identity","detail":"request failed (HTTP response status = 401 Unauthorized)"}

John Mazzitelli

Oct 5, 2020, 5:47:37 AM
to kiali-users
If signing key is not 16, 24, or 32 chars, then openid "implicit flow" is used. Otherwise, it is auth flow and you need to define a Kiali secret. Kiali secret is not needed for implicit flow.

If that is not in the Kiali FAQ, it should be :)
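As an added example (not Kiali's own code and not from this thread), a small Go lint for the openid settings discussed here: it applies the signing-key rule above to report which flow Kiali will select, builds the discovery URL that the earlier "cannot fetch OpenId Metadata" warning refers to, and flags an issuer_uri that is identical to authorization_endpoint. The struct, function names and placeholder IDs are assumptions.

```go
package main

import (
	"fmt"
	"strings"
)

// OpenIdConfig mirrors the Kiali CR fields used in this thread
// (an assumed struct for the example, not Kiali's own config type).
type OpenIdConfig struct {
	ClientID              string // spec.auth.openid.client_id
	IssuerURI             string // spec.auth.openid.issuer_uri
	AuthorizationEndpoint string // spec.auth.openid.authorization_endpoint
	SigningKey            string // spec.login_token.signing_key
}

// FlowFor applies the rule from the thread: a 16, 24 or 32 byte signing key
// selects the authorization code flow (which also needs the Kiali secret
// holding the client secret); any other length means the implicit flow.
func FlowFor(signingKey string) string {
	switch len(signingKey) {
	case 16, 24, 32:
		return "authorization_code"
	default:
		return "implicit"
	}
}

// DiscoveryURL is the metadata document Kiali fetches below issuer_uri; a
// wrong issuer shows up as the "cannot fetch OpenId Metadata ... 404" warning.
func DiscoveryURL(issuerURI string) string {
	return strings.TrimSuffix(issuerURI, "/") + "/.well-known/openid-configuration"
}

// Lint returns one finding per misconfiguration; an empty slice means the
// values are self-consistent (it does not contact the provider).
func Lint(c OpenIdConfig) []string {
	var findings []string
	if c.ClientID == "" {
		findings = append(findings, "client_id is empty")
	}
	if !strings.HasPrefix(c.IssuerURI, "https://") {
		findings = append(findings, "issuer_uri must be an https URL")
	}
	if c.AuthorizationEndpoint != "" && c.AuthorizationEndpoint == c.IssuerURI {
		findings = append(findings, "issuer_uri equals authorization_endpoint; the issuer is the discovery base URL, not the authorize endpoint")
	}
	if c.SigningKey != "" && FlowFor(c.SigningKey) == "implicit" {
		findings = append(findings, fmt.Sprintf("signing_key is %d bytes, not 16/24/32: Kiali will use the implicit flow, not the authorization code flow", len(c.SigningKey)))
	}
	return findings
}

func main() {
	// Constructed sample with placeholder IDs: the two URLs are identical and
	// the key is 10 bytes, the two mistakes pointed out in this thread.
	cfg := OpenIdConfig{
		ClientID:              "CLIENT-ID-PLACEHOLDER",
		IssuerURI:             "https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/v2.0",
		AuthorizationEndpoint: "https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/v2.0",
		SigningKey:            "7vUd67vUd6",
	}
	fmt.Println("flow:", FlowFor(cfg.SigningKey))
	fmt.Println("discovery:", DiscoveryURL(cfg.IssuerURI))
	for _, f := range Lint(cfg) {
		fmt.Println("finding:", f)
	}
}
```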

John Mazzitelli

Oct 5, 2020, 5:49:50 AM
to kiali-users
> If that is not in the Kiali FAQ, it should be :)

I did find this mentioned in the docs. Here's the part that talks about this:

https://kiali.io/documentation/latest/configuration/authentication/openid/#_set_up

John Mazzitelli

Oct 5, 2020, 5:57:34 AM
to kiali-users
> > {"error":"Token is not valid or is expired","detail":"Unauthorized"}

FYI: This is where this is emitted:

https://github.com/kiali/kiali/blob/v1.24.0/business/openid_auth.go#L469-L474

It appears the user doesn't have access to see at least one namespace.


> > Log message:
> > I1004 01:27:42.950504 1 authentication.go:672] Not handling OpenId
> > code flow authentication: No nonce code present. Login window timed out.

This I do not understand - I'll let Edgar chime in ... he knows this code. But reading this message, it appears to be an error, however, it is logged at "I"nformational level - so maybe it is not an error. It is just telling you it is switching to implicit flow (??? maybe ???).

Bruno Macedo

Oct 5, 2020, 8:16:11 AM
to kiali-users
Hi jmazzite, thanks for the answer.
But my user does have access to all namespaces, even using the id_token returned in the URL:

kubectl --toke=my_id_token_from_kiali get namespaces

and the user permission:
brunom@linx:~$ kubectl  auth can-i list ns 
yes

and I also created the clusterrole binding for my user:
kubectl create rolebinding bruno-openid-binding --clusterrole=kiali --user="my-e...@outlook.com" --namespace=istio-system

I'm testing using kubectl-proxy; could this impact something, as Kiali is trying to look
through the kube API server using HTTP only?

John Mazzitelli

Oct 5, 2020, 8:26:54 AM
to kiali-users
> I'm testing using kubectl-proxy, could this impact in something as kiali is
> trying to look
> through kube api server using http only?

Yes, I suspect that might be something.

I know I hear Edgar talk a lot about working (or not) with proxies. I'll let him chime in.

Edgar - do we have an FAQ that talks about all these proxy issues? I am fairly sure reverse-proxies cause problems so we should have some FAQ that talks about the issues.

Bruno Macedo

Oct 5, 2020, 8:39:15 AM
to kiali-users
Oh thanks jmazzite
Yeh I saw that here:
https://github.com/kiali/kiali/issues/3042#issuecomment-679194464

So I also configured this:

api_proxy: https://proxy_host:port
api_proxy_ca_data: {ca-data-file in base64}

And it does not work either. Same error on the same line:

	// anonymous access, so it's not feasible to use the version API for token verification.
	nsList, err := business.Namespace.GetNamespaces()
	if err != nil {
		RespondWithDetailedError(w, http.StatusUnauthorized, "Token is not valid or is expired", err.Error())
		return false
	}

Edgar Hernández

Oct 5, 2020, 11:41:38 AM
to Bruno Macedo, kiali-users
Hi Bruno.

Let's go back a little.
From your messages, I see you were getting the following error at some point:


    {"error":"Token is not valid or is expired","detail":"Unauthorized"}

Because we are getting "Unauthorized" in the `detail`, this is usually an indication that Kiali config is possibly OK, but most likely some Kubernetes config is still missing.
As stated in the Kiali docs[1], your Kubernetes cluster needs to be configured with OpenID integration. Only after that configuration is in place can you proceed to set up Kiali.

For Azure AKS and Azure AD, my understanding is that you must follow these docs to set up AKS integration with AzureAD: https://docs.microsoft.com/en-us/azure/aks/managed-aad -- but I'm unsure if that's it, as I haven't used AKS. So, please make sure your cluster is properly configured.

Please, make sure that AzureAD integration with AKS is configured in your cluster.

I'm also replying in-line in the next quoted message.


[1] https://kiali.io/documentation/latest/configuration/authentication/openid/#_requirements



On 10/5/20 7:16 AM, Bruno Macedo wrote:
> Hi jmazzite, thanks for the answer
> But my user does have access to all namespaces even using the id_token returned on the url
>
> kubectl --toke=my_id_token_from_kiali get namespaces

In the past, I also tried this and was succeeding when it shouldn't. Then, I found that if the passed token is invalid, kubectl was falling back to the credentials that are present in your kubeconfig file (not sure if there was a bug in my kubectl version). So, anyway, if you want to properly verify that the token is valid, make a backup of your kubeconfig file and then strip any credentials that are on it, leaving only the API Server endpoint. With this, kubectl is forced to use the token provided on the command line.

BTW, in your command, the --token flag has a typo (missing N at the end).

> and the user permission:
> brunom@linx:~$ kubectl  auth can-i list ns
> yes

You are not passing any token. So, I'm not sure if this output is meaningful.

> and I also create the clusterrole for my user:
> kubectl create rolebinding bruno-openid-binding --clusterrole=kiali --user="my-e...@outlook.com" --namespace=istio-system
>
> I'm testing using kubectl-proxy, could this impact in something as kiali is trying to look
> through kube api server using http only?

Not sure... What are you testing with kubectl-proxy?


Bruno Macedo

Oct 6, 2020, 8:53:57 PM
to Edgar Hernández, kiali-users
Hi Edgar,

I created a new cluster, setting the properties as you can see:

brunom@lnxcit018665:~$ az aks create -g cloud-shell-storage-eastus -n k8s-test --enable-aad --aad-admin-group-object-ids  aafb35bf-986f-4940-ae38-3bed74db93f4 --aad-tenant-id bc34d9dd-2685-4dfb-96a7-ef7851e25c6c --subscription 1d595ae7-3378-4335-8466-4fb5b8577146
{
  "aadProfile": {
    "adminGroupObjectIds": [
      "aafb35bf-986f-4940-ae38-3bed74db93f4"
    ],
    "clientAppId": null,
    "enableAzureRbac": null,
    "managed": true,
    "serverAppId": null,
    "serverAppSecret": null,
    "tenantId": "bc34d9dd-2685-4dfb-96a7-ef7851e25c6c"
  },
  "addonProfiles": {
    "KubeDashboard": {
      "config": null,
      "enabled": true,
      "identity": null
    }
  },
  "agentPoolProfiles": [
    {
      "availabilityZones": null,
      "count": 3,
      "enableAutoScaling": null,
      "enableNodePublicIp": false,
      "maxCount": null,
      "maxPods": 110,
      "minCount": null,
      "mode": "System",
      "name": "nodepool1",
      "nodeImageVersion": "AKSUbuntu-1604-2020.09.23",
      "nodeLabels": {},
      "nodeTaints": null,
      "orchestratorVersion": "1.17.11",
      "osDiskSizeGb": 128,
      "osDiskType": "Managed",
      "osType": "Linux",
      "powerState": {
        "code": "Running"
      },
      "provisioningState": "Succeeded",
      "proximityPlacementGroupId": null,
      "scaleSetEvictionPolicy": null,
      "scaleSetPriority": null,
      "spotMaxPrice": null,
      "tags": null,
      "type": "VirtualMachineScaleSets",
      "upgradeSettings": null,
      "vmSize": "Standard_DS2_v2",
      "vnetSubnetId": null
    }
  ],
  "apiServerAccessProfile": null,
  "autoScalerProfile": null,
  "diskEncryptionSetId": null,
  "dnsPrefix": "k8s-test-cloud-shell-stor-1d595a",
  "enablePodSecurityPolicy": null,
  "enableRbac": true,
  "fqdn": "k8s-test-cloud-shell-stor-1d595a-ba7b1360.hcp.eastus.azmk8s.io",
  "id": "/subscriptions/1d595ae7-3378-4335-8466-4fb5b8577146/resourcegroups/cloud-shell-storage-eastus/providers/Microsoft.ContainerService/managedClusters/k8s-test",
  "identity": null,
  "identityProfile": null,
  "kubernetesVersion": "1.17.11",
  "linuxProfile": {
    "adminUsername": "azureuser",
    "ssh": {
      "publicKeys": [
        {
          "keyData": "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDF3nqoD5muxovHDKIkGOCKwQHSgXR4ogpCu8bi0AlBPHUiromc/kT/wHuf/JIt7rFDQnnbyHw0oHak0cTr2l5D3WiFPNMq3Snj8Dz8idUcOFHoV3tzfiXVeXkSaiJedrt5VrrQpdHIpuDkP24pnAEcdxel+YmExywMSkfiHxU8iNa9LxkE7X5VXJlwHev7SU90PuRHzl85zWieYVXmABKQXIMFhNMYEYeoEmqNrH6LiGD4umVIXx//roBVM4/g3PddShKnh3pK3Emy35q/A7Pu2ip907cTG5jCfwf4FXl4YR4LPf/raxNEnNq7MBVvp/99Tq/U7b9SOtbWY3hapH2b brunom@lnxcit018665\n"
        }
      ]
    }
  },
  "location": "eastus",
  "maxAgentPools": 10,
  "name": "k8s-test",
  "networkProfile": {
    "dnsServiceIp": "10.0.0.10",
    "dockerBridgeCidr": "172.17.0.1/16",
    "loadBalancerProfile": {
      "allocatedOutboundPorts": null,
      "effectiveOutboundIps": [
        {
          "id": "/subscriptions/1d595ae7-3378-4335-8466-4fb5b8577146/resourceGroups/MC_cloud-shell-storage-eastus_k8s-test_eastus/providers/Microsoft.Network/publicIPAddresses/7d8607a0-002e-4858-8cf3-c48ad0182ef0",
          "resourceGroup": "MC_cloud-shell-storage-eastus_k8s-test_eastus"
        }
      ],
      "idleTimeoutInMinutes": null,
      "managedOutboundIps": {
        "count": 1
      },
      "outboundIpPrefixes": null,
      "outboundIps": null
    },
    "loadBalancerSku": "Standard",
    "networkMode": null,
    "networkPlugin": "kubenet",
    "networkPolicy": null,
    "outboundType": "loadBalancer",
    "podCidr": "10.244.0.0/16",
    "serviceCidr": "10.0.0.0/16"
  },
  "nodeResourceGroup": "MC_cloud-shell-storage-eastus_k8s-test_eastus",
  "powerState": {
    "code": "Running"
  },
  "privateFqdn": null,
  "provisioningState": "Succeeded",
  "resourceGroup": "cloud-shell-storage-eastus",
  "servicePrincipalProfile": {
    "clientId": "b3f017cb-c1fc-47b2-8235-71b05cd59001",
    "secret": null
  },
  "sku": {
    "name": "Basic",
    "tier": "Free"
  },
  "tags": null,
  "type": "Microsoft.ContainerService/ManagedClusters",
  "windowsProfile": null
}


Kiali Operator Config:

spec:
  deployment:
    accessible_namespaces:
    - '**'
  auth:
    strategy: openid
    openid:
      client_id: "b3f017cb-c1fc-47b2-8235-71b05cd59001"
      issuer_uri: "https://login.microsoftonline.com/bc34d9dd-2685-4dfb-96a7-ef7851e25c6c/v2.0"
      scopes: ["openid", "profile", "email"]
      username_claim: "preferred_username"
  login_token:
    signing_key: "bFFIWUJFMnJGTm9CQkFERndxV1FJVy9EU3FjQjR5Q1FxbkFGVEoyN3FTNUFuQjQ2Y2NBZHczdTRHcmVldTNCcGlkcG9IZGpVTHk3elNLbHdSMUVBODczZE8vay9lMTFNbDNkbEFGVWluV2VlaldhSzJ1Z0ZQNkpqaWllU3NyS24="


The id_token:

{
  "aud": "b3f017cb-c1fc-47b2-8235-71b05cd59001",
  "iss": "https://login.microsoftonline.com/bc34d9dd-2685-4dfb-96a7-ef7851e25c6c/v2.0",
  "iat": 1602031260,
  "nbf": 1602031260,
  "exp": 1602035160,
  "aio": "AWQAm/8RAAAAVrood8B8oaJUkjz9LWKOvQLPXTfkLc+2ZPPmTzSlOxadbxXO9PJrjRbGj9GJ3Gpfm937JbJwoFjNmM+3YpfZPCoUOPtCQ6E/I8+s41+NLWEb4SPGNeXm8KLQekpKU614",
  "email": "mac.brun...@outlook.com",
  "idp": "https://sts.windows.net/9188040d-6c67-4c5b-b112-36a304b66dad/",
  "name": "Bruno de Macedo",
  "nonce": "760db266305187966c8fb848e2de601954e11540bc859468d57f0ec8",
  "oid": "bc2c7d36-b0fc-4bb2-b8c8-b12622c4e028",
  "preferred_username": "mac.brun...@outlook.com",
  "rh": "0.AAAA3dk0vIUm-02Wp-94UeJcbMsX8LP8wbJHgjVxsFzVkAFGAOY.",
  "sub": "Ws_R1rSO5iPxRsACsVhY6ekda0aTuSEeQfuNZE9WMqQ",
  "tid": "bc34d9dd-2685-4dfb-96a7-ef7851e25c6c",
  "uti": "GkHgGxjt1EmwZ4P0CxRDAA",
  "ver": "2.0"
}


Kiali Log
brunom@lnxcit018665:~$ k logs kiali-596fdb5948-wq7p2 -f -n istio-system
I1007 00:40:34.823890       1 kiali.go:64] Kiali: Version: v1.24.0, Commit: fff05cd7a637abdd616b818e19160af75b7eb0a6
I1007 00:40:34.824605       1 kiali.go:155] Using authentication strategy [openid]
I1007 00:40:34.824643       1 kiali.go:85] Kiali: Console version: 1.24.0
I1007 00:40:34.824655       1 kiali.go:230] Updating base URL in index.html with [/kiali]
I1007 00:40:34.825103       1 kiali.go:211] Generating env.js from config
I1007 00:40:34.827212       1 server.go:67] Server endpoint will start at [:20001/kiali]
I1007 00:40:34.827222       1 server.go:68] Server endpoint will serve static content from [/opt/kiali/console]
I1007 00:40:34.827237       1 metrics_server.go:18] Starting Metrics Server on [:9090]
I1007 00:45:24.714715       1 authentication.go:672] Not handling OpenId code flow authentication: No nonce code present. Login window timed out.
W1007 00:45:28.744387       1 openid_auth.go:338] Cannot use OpenId authorization code flow because signing key is not 16, 24 nor 32 bytes long
I1007 00:46:01.818006       1 authentication.go:672] Not handling OpenId code flow authentication: State parameter is empty or invalid.
I1007 00:46:03.017712       1 cache.go:128] Kiali Cache is active for namespaces [.*]

The response: 
Login unsuccessful: Token is not valid or is expired

Bruno Macedo

unread,
Oct 6, 2020, 9:01:27 PM10/6/20
to Edgar Hernández, kiali-users
The error seems to come from this code. I will try to understand it better; if you have any idea, we have been struggling with this :/

func VerifyOpenIdUserAccess(token string) (int, string, error) {
	// Create business layer using the id_token
	business, err := Get(token)
	if err != nil {
		return http.StatusInternalServerError, "Error instantiating the business layer", err
	}

	// Using the namespaces API to check if token is valid. In Kubernetes, the version API seems to allow
	// anonymous access, so it's not feasible to use the version API for token verification.
	nsList, err := business.Namespace.GetNamespaces()
	if err != nil {
		return http.StatusUnauthorized, "Token is not valid or is expired", err
	}

	// If namespace list is empty, return unauthorized error
	if len(nsList) == 0 {
		return http.StatusUnauthorized, "Cannot view any namespaces. Please read Kiali's RBAC documentation for more details.", nil
	}

	return http.StatusOK, "", nil
}
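Added example, not Kiali's code and not from this thread: before the namespace-list probe above can even be reached, the id_token has to be consistent with the Kiali config. This Go helper decodes the payload of a token like the one posted earlier (the signature is deliberately not verified, so it is a debugging aid, not a relying-party check) and compares aud, iss, nonce and exp with client_id, issuer_uri and the login window's nonce. The struct, function names and placeholder IDs are assumptions.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims is the subset of id_token claims discussed in this thread
// (an assumed struct for the example, not a Kiali type).
type Claims struct {
	Aud               string `json:"aud"`
	Iss               string `json:"iss"`
	Exp               int64  `json:"exp"`
	Nonce             string `json:"nonce"`
	PreferredUsername string `json:"preferred_username"`
}

// ParseClaims decodes the payload of a compact JWT without verifying the
// signature: it shows what the provider put in the token, nothing more. A
// relying party must verify the signature against the provider's JWKS first.
func ParseClaims(idToken string) (Claims, error) {
	var c Claims
	parts := strings.Split(idToken, ".")
	if len(parts) != 3 {
		return c, errors.New("not a compact JWT (want header.payload.signature)")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return c, fmt.Errorf("payload is not base64url: %w", err)
	}
	if err := json.Unmarshal(payload, &c); err != nil {
		return c, fmt.Errorf("payload is not JSON: %w", err)
	}
	return c, nil
}

// CheckClaims compares the token with the Kiali config (client_id, issuer_uri)
// and the nonce Kiali generated for the login window. One finding per
// mismatch; an empty slice means the token is consistent with the config.
func CheckClaims(c Claims, clientID, issuerURI, nonce string, now time.Time) []string {
	var f []string
	if c.Aud != clientID {
		f = append(f, fmt.Sprintf("aud %q != client_id %q", c.Aud, clientID))
	}
	if c.Iss != issuerURI {
		f = append(f, fmt.Sprintf("iss %q != issuer_uri %q", c.Iss, issuerURI))
	}
	if c.Nonce != nonce {
		f = append(f, "nonce does not match the login window's nonce")
	}
	if !now.Before(time.Unix(c.Exp, 0)) {
		f = append(f, "token expired at "+time.Unix(c.Exp, 0).UTC().Format(time.RFC3339))
	}
	if c.PreferredUsername == "" {
		f = append(f, "preferred_username is absent; username_claim must name a claim the provider emits")
	}
	return f
}

// ConstructedToken builds an unsigned sample token for the example; the
// signature segment is a placeholder, so only ParseClaims/CheckClaims apply.
func ConstructedToken(claims Claims) string {
	hdr := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"none","typ":"JWT"}`))
	body, _ := json.Marshal(claims)
	return hdr + "." + base64.RawURLEncoding.EncodeToString(body) + ".placeholder"
}
```

The exp value used in the test is the one from the posted token, so the same token passes when evaluated at its issue time and fails once the clock reaches exp.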

Bruno Macedo

Oct 6, 2020, 9:28:28 PM
to Edgar Hernández, kiali-users
I also added the groups to be returned in the token:

  "iss": "https://login.microsoftonline.com/bc34d9dd-2685-4dfb-96a7-ef7851e25c6c/v2.0",
  "iat": 1602033689,
  "nbf": 1602033689,
  "exp": 1602037589,
  "aio": "AWQAm/8RAAAAO9t0zeRmL1HAOvUKc2Tvyen76rzV4qRHjkHgjvcQmM0ZZ0fVzoGH3NHqxZYsa2oCcF8bf5eASculp+1GSR+eS1Od9KMJWh1JmkdqLEExbVkCdWLUdIe/tFij8Vak9Lq0",
  "email": "mac.brun...@outlook.com",
  "groups": [
    "aafb35bf-986f-4940-ae38-3bed74db93f4",
    "9d3eaaac-f222-4551-86b9-4798f14e61fb",
    "b59aa483-1e2d-4d50-9607-ec240b744c76"
  ],
  "idp": "https://sts.windows.net/9188040d-6c67-4c5b-b112-36a304b66dad/",
  "name": "Bruno de Macedo",
  "nonce": "7348343bbb3ec8d60567e6f8b1b529b67e161ed39ab2e21cea255526",
  "oid": "bc2c7d36-b0fc-4bb2-b8c8-b12622c4e028",
  "preferred_username": "mac.brun...@outlook.com",
  "rh": "0.AAAA3dk0vIUm-02Wp-94UeJcbMsX8LP8wbJHgjVxsFzVkAFGAOY.",
  "sub": "Ws_R1rSO5iPxRsACsVhY6ekda0aTuSEeQfuNZE9WMqQ",
  "tid": "bc34d9dd-2685-4dfb-96a7-ef7851e25c6c",
  "uti": "nbLcXFi9Z0yEOyEUFkeLAQ",
  "ver": "2.0"
}

Same error as well

Edgar Hernández

Oct 8, 2020, 12:42:43 PM
to Bruno Macedo, kiali-users
Hi again, Bruno.

You may want to check this GitHub issue. Another user seems to have the same issue as you: https://github.com/kiali/kiali/issues/3294

In short, the docs at the Kiali website contain a mistake. In the OpenId Setup instructions (in https://kiali.io/documentation/latest/configuration/authentication/openid/#_set_up) there is the following paragraph:

Register Kiali as a client application in your OpenId Server. Use the root path of your Kiali instance as the callback URL. If the OpenId Server provides you a client secret, or if you manually set a client secret, issue the following command to create a Kubernetes secret holding the OpenId client secret:

The very first sentence reads: "Register Kiali as a client application in your OpenId Server." This is a mistake in the docs.

When you create an AKS cluster and you enable Azure AD integration, this should automatically create an App in your Azure AD configuration.
You should NOT create a new App for Kiali. Instead, please re-use the automatically created App by adding the Kiali URL as an authorized callback.  Then, configure Kiali using the client-id, client secret, etc for this automatically created AzureAD app.

I hope this works for fixing your setup.

I'll fix the docs.

Bruno Macedo

Oct 8, 2020, 5:08:08 PM
to kiali-users
Hey Edgar,

Actually, that was my test case. I used the OAuth application that was associated with the k8s cluster. I will try another approach; if you have any other idea, let me know.