Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

AADSTS50158: External security challenge not satisfied #111

Open
philthynz opened this issue Jan 19, 2021 · 5 comments
Open

AADSTS50158: External security challenge not satisfied #111

philthynz opened this issue Jan 19, 2021 · 5 comments

Comments

@philthynz
Copy link

philthynz commented Jan 19, 2021

So using this plugin our users are getting directed to Azure SSO, and after signing in they are redirected to the page "You're not authorized to access this page".

The web error log has:

2021.01.19 00:24:08 ERROR web[AXcWdB0cnQiTNP9tAAjM][o.a.a.a.AadIdentityProvider] Exception:java.util.concurrent.ExecutionException: com.microsoft.aad.adal4j.AdalClaimsChallengeException: {"error_description":"AADSTS50158: External security challenge not satisfied. User will be redirected to another page or authentication provider to satisfy additional authentication challenges.\r\nTrace ID: 31a1a782-2187-4e62-ba2b-9ac9ad709100\r\nCorrelation ID: ca367647-911e-4ac3-aba5-6fdb26473bc2\r\nTimestamp: 2021-01-19 00:24:08Z","error":"interaction_required","error_uri":"https:\/\/login.microsoftonline.com\/error?code=50158"}

We've seen this error in every browser. It may be worth noting that some users have a different domain in their UPN, however I don't think it matters.

We have checked in Azure and have seen the user logins are successful, even with MFA. Is it possible this plugin is not receiving the correct information back from Azure that the user login was successful?

@srvrguy
Copy link
Collaborator

srvrguy commented Jan 19, 2021

As best as I can determine, this is an issue when using conditional access with multi-factor auth. The error message is from Azure itself.

@philthynz
Copy link
Author

I will take a look at those. But it seems strange for it to be working for other apps that have implement sso. It's just this plugin that's not working. It seems related to AzureAD/microsoft-authentication-library-for-js#617

@philthynz
Copy link
Author

@srvrguy We have checked our conditional access to policy. It simply says outside our known locations to require MFA.

I did some more testing...

From a normal internet connection, not our office (outside our known locations). If I use a private browser, and go to our sonarqube website, the login does not redirect to MFA. However in the same session if I go to the office portal, it immediately asks for MFA. Then refreshing the sonarqube website in the same browser session let's me in.

In the same location, if I open a private browser, and first go to office portal, sign in with MFA, then open our sonarqube website it lets me in.

So, the issue seems to be this plugin, or some config that has not been specified in the documentation. Where the plugin does not redirect to the MFA site to get a token.

@srvrguy
Copy link
Collaborator

srvrguy commented Jan 19, 2021

Yes, that seems to be the cause. However, I don't have a configuration that can reproduce the problem, and even with MFA enabled by default when not using conditional access, I can't reproduce the issue. Note that I'm not using anything "fancy" like external MFA or ADFS or similar, and am not set up to test those flows.

The plugin itself doesn't really have the responsibility for redirecting for MFA. We hand off auth to login.microsoftonline.com (or the specific regional cloud if it's set) to handle authentication and then redirect back to SonarQube with an access token. It's the basic OAuth flow MS documents. Now, it's possible that this is an issue with the flow as implemented by the underlying ADAL4J library. That library is deprecated and the replacement of ADAL4J contains a lot of stuff this plugin doesn't need. I'm working on replacing it with the much simpler ScribeJava library, but due to various work and personal demands progress has been slow.

If you need something that will work immediately, you could try SonarQube's built-in SAML support. It's not quite as simple as this plugin, but it may fit your needs.

@philthynz
Copy link
Author

philthynz commented Jan 19, 2021

@srvrguy Thanks, really appreciate the feedback!

Yes, SAML will be our fallback, this plugin is our preferred method because it includes group and user provisioning.

Apparently that ADAL4J library does support conditional access:

image

Just looking at the examples from here, it includes some more logic to handle when the user doesn't have a token.

Is it possible this plugin can be updated to include some logic for conditional access? I understand that might be hard because you don't have any testing environment with conditional access enabled.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants