
Issue: Enable or describe how to use the Entraid provider behind a proxy #446

Open
2 of 4 tasks
melfacion opened this issue Aug 1, 2024 · 1 comment
Labels
documentation Improvements or additions to documentation enhancement New feature or request high High importance issue

Comments

@melfacion

Is there an existing issue for this?

  • I have searched the existing issues and found none that matched mine

Describe the issue

When installing authd and the Entra snap on a computer that does not have direct internet access, there is no description of how to add a proxy for reaching Microsoft/Entra.

This produces the following error in the entraid log:
"could not create broker with provided issuer and client ID"

Where does the issue happen

  • I can reproduce the issue in the graphical display manager
  • I can reproduce the issue on a terminal with "login"

Steps to reproduce it

1: Install Ubuntu in an isolated network with internet access only through an (HTTP) proxy server
2: Export http_proxy and https_proxy values to allow adding the PPA
3: Add PPA and install authd
4: Set proxy values for snap to allow snap installation through proxy
5: Install EntraID snap
6: Configure according to installation guide / wiki
7: See results in "journalctl -u snap.authd-msentraid.authd-msentraid.service"

System information and logs

Environment

  • broker version: please run snap info authd-msentraid
name:      authd-msentraid
summary:   MSEntra ID broker for authd
publisher: Canonical✓
store-url: https://snapcraft.io/authd-msentraid
license:   GPL-3.0
description: |
  This is the MS Entra ID broker snap for authd  to provide MS Entra ID OIDC based authentication on
  Ubuntu with authd.
services:
  authd-msentraid: simple, enabled, inactive
snap-id:      vS3oJLMss6lgWwoFcPqYDUA2HB20I1Dc
tracking:     0.x/stable
refresh-date: today at 13:53 CEST
channels:
  0.x/stable:    0.1 2024-07-18 (10) 17MB -
  0.x/candidate: ↑
  0.x/beta:      ↑
  0.x/edge:      0.1 2024-07-25 (26) 17MB -
installed:       0.1            (10) 17MB -
  • authd version: please run /usr/libexec/authd version
authd   0.3.1~ppa4
  • gnome shell version: please run apt policy gnome-shell
N/A
  • Distribution: (NAME in /etc/os-release)
  • Distribution version: (VERSION_ID in /etc/os-release):
PRETTY_NAME="Ubuntu 24.04 LTS"
NAME="Ubuntu"
VERSION_ID="24.04"
VERSION="24.04 LTS (Noble Numbat)"
VERSION_CODENAME=noble

Log files

Please redact/remove sensitive information:

Authd entries:

Aug 01 13:41:36 <hostname> systemd[1]: Starting authd.service - Authd daemon service...
Aug 01 13:41:36 <hostname> authd[21199]: WARNING Broker configuration directory "/etc/authd/brokers.d/" does not exist, only local broker will be available
Aug 01 13:41:36 <hostname> systemd[1]: Started authd.service - Authd daemon service.
Aug 01 14:01:01 <hostname> systemd[1]: Stopping authd.service - Authd daemon service...
Aug 01 14:01:01 <hostname> systemd[1]: authd.service: Deactivated successfully.
Aug 01 14:01:01 <hostname> systemd[1]: Stopped authd.service - Authd daemon service.
Aug 01 14:01:01 <hostname> systemd[1]: Starting authd.service - Authd daemon service...
Aug 01 14:01:01 <hostname> systemd[1]: Started authd.service - Authd daemon service.

MS Entra ID broker entries:

Aug 01 13:53:08 <hostname> systemd[1]: Started snap.authd-msentraid.authd-msentraid.service - Service for snap application authd-msentraid.authd-msentraid.
Aug 01 13:53:09 <hostname> authd-msentraid.authd-msentraid[22349]: time=2024-08-01T13:53:09.544+02:00 level=ERROR msg="could not create broker with provided issuer and client ID: Get \"https://login.microsoftonline.com/%3CISSUER_ID%3E/v2.0/.well-known/openid-configuration\": dial tcp: lookup login.microsoftonline.com on 127.0.0.53:53: server misbehaving"
Aug 01 13:53:09 <hostname> systemd[1]: snap.authd-msentraid.authd-msentraid.service: Main process exited, code=exited, status=1/FAILURE
Aug 01 13:53:09 <hostname> systemd[1]: snap.authd-msentraid.authd-msentraid.service: Failed with result 'exit-code'.
Aug 01 13:53:09 <hostname> systemd[1]: snap.authd-msentraid.authd-msentraid.service: Scheduled restart job, restart counter is at 1.
Aug 01 13:53:09 <hostname> systemd[1]: Started snap.authd-msentraid.authd-msentraid.service - Service for snap application authd-msentraid.authd-msentraid.
Aug 01 13:53:09 <hostname> authd-msentraid.authd-msentraid[22381]: time=2024-08-01T13:53:09.905+02:00 level=ERROR msg="could not create broker with provided issuer and client ID: Get \"https://login.microsoftonline.com/%3CISSUER_ID%3E/v2.0/.well-known/openid-configuration\": dial tcp: lookup login.microsoftonline.com on 127.0.0.53:53: server misbehaving"
Aug 01 13:53:09 <hostname> systemd[1]: snap.authd-msentraid.authd-msentraid.service: Main process exited, code=exited, status=1/FAILURE
Aug 01 13:53:09 <hostname> systemd[1]: snap.authd-msentraid.authd-msentraid.service: Failed with result 'exit-code'.
Aug 01 13:53:10 <hostname> systemd[1]: snap.authd-msentraid.authd-msentraid.service: Scheduled restart job, restart counter is at 2.
Aug 01 13:53:10 <hostname> systemd[1]: Started snap.authd-msentraid.authd-msentraid.service - Service for snap application authd-msentraid.authd-msentraid.
Aug 01 13:53:10 <hostname> authd-msentraid.authd-msentraid[22412]: time=2024-08-01T13:53:10.378+02:00 level=ERROR msg="could not create broker with provided issuer and client ID: Get \"https://login.microsoftonline.com/%3CISSUER_ID%3E/v2.0/.well-known/openid-configuration\": dial tcp: lookup login.microsoftonline.com on 127.0.0.53:53: server misbehaving"
Aug 01 13:53:10 <hostname> systemd[1]: snap.authd-msentraid.authd-msentraid.service: Main process exited, code=exited, status=1/FAILURE
Aug 01 13:53:10 <hostname> systemd[1]: snap.authd-msentraid.authd-msentraid.service: Failed with result 'exit-code'.
Aug 01 13:53:10 <hostname> systemd[1]: snap.authd-msentraid.authd-msentraid.service: Scheduled restart job, restart counter is at 3.
Aug 01 13:53:10 <hostname> systemd[1]: Started snap.authd-msentraid.authd-msentraid.service - Service for snap application authd-msentraid.authd-msentraid.
Aug 01 13:53:10 <hostname> authd-msentraid.authd-msentraid[22438]: time=2024-08-01T13:53:10.827+02:00 level=ERROR msg="could not create broker with provided issuer and client ID: Get \"https://login.microsoftonline.com/%3CISSUER_ID%3E/v2.0/.well-known/openid-configuration\": dial tcp: lookup login.microsoftonline.com on 127.0.0.53:53: server misbehaving"
Aug 01 13:53:10 <hostname> systemd[1]: snap.authd-msentraid.authd-msentraid.service: Main process exited, code=exited, status=1/FAILURE
Aug 01 13:53:10 <hostname> systemd[1]: snap.authd-msentraid.authd-msentraid.service: Failed with result 'exit-code'.
Aug 01 13:53:10 <hostname> systemd[1]: snap.authd-msentraid.authd-msentraid.service: Scheduled restart job, restart counter is at 4.
Aug 01 13:53:10 <hostname> systemd[1]: Started snap.authd-msentraid.authd-msentraid.service - Service for snap application authd-msentraid.authd-msentraid.
Aug 01 13:53:11 <hostname> authd-msentraid.authd-msentraid[22464]: time=2024-08-01T13:53:11.144+02:00 level=ERROR msg="could not create broker with provided issuer and client ID: Get \"https://login.microsoftonline.com/%3CISSUER_ID%3E/v2.0/.well-known/openid-configuration\": dial tcp: lookup login.microsoftonline.com on 127.0.0.53:53: server misbehaving"
Aug 01 13:53:11 <hostname> systemd[1]: snap.authd-msentraid.authd-msentraid.service: Main process exited, code=exited, status=1/FAILURE
Aug 01 13:53:11 <hostname> systemd[1]: snap.authd-msentraid.authd-msentraid.service: Failed with result 'exit-code'.
Aug 01 13:53:11 <hostname> systemd[1]: snap.authd-msentraid.authd-msentraid.service: Scheduled restart job, restart counter is at 5.
Aug 01 13:53:11 <hostname> systemd[1]: snap.authd-msentraid.authd-msentraid.service: Start request repeated too quickly.
Aug 01 13:53:11 <hostname> systemd[1]: snap.authd-msentraid.authd-msentraid.service: Failed with result 'exit-code'.
Aug 01 13:53:11 <hostname> systemd[1]: Failed to start snap.authd-msentraid.authd-msentraid.service - Service for snap application authd-msentraid.authd-msentraid.

Application settings

Please redact/remove sensitive information:

Broker configuration:

[oidc]
issuer = https://login.microsoftonline.com/<redactedid>/v2.0
client_id = <redactedid>

[users]
# The directory where the home directory will be created for new users.
# Existing users will keep their current directory.
# The user home directory will be created in the format of {home_base_dir}/{username}
# home_base_dir = /home

# The username suffixes that are allowed to login via ssh without existing previously in the system.
# The suffixes must be separated by commas.
# ssh_allowed_suffixes = @example.com,@anotherexample.com
ssh_allowed_suffixes = @<ourcompany.com>

Broker authd configuration:

# This section is used by authd to identify and communicate with the broker.
# It should not be edited.
[authd]
name = Microsoft Entra ID
brand_icon = /snap/authd-msentraid/current/broker_icon.png
dbus_name = com.ubuntu.authd.MSEntraID
dbus_object = /com/ubuntu/authd/MSEntraID

Relevant information

The use case for this is that external users will authenticate with EntraID OIDC on a reverse proxy and a web-based RDP gateway (Apache Guacamole), and we want to use the same authentication on the next hop (which will use xrdp to connect to the Ubuntu terminal server, which is on an internal network without direct internet access).

Double check your logs

  • I have redacted any sensitive information from the logs
@melfacion melfacion added the bug Something isn't working label Aug 1, 2024
@melfacion
Author

Workaround: set a system-wide proxy in "/etc/systemd/system.conf":

DefaultEnvironment="FTP_PROXY=http://<proxyip:proxyport>" "HTTPS_PROXY=http://<proxyip:proxyport>" "HTTP_PROXY=http://<proxyip:proxyport>" "NO_PROXY=localhost,127.0.0.0/8,::1" "ftp_proxy=http://<proxyip:proxyport>" "http_proxy=http://<proxyip:proxyport>" "https_proxy=http://<proxyip:proxyport>" "no_proxy=localhost,127.0.0.0/8,::1" 
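
The workaround above hands the proxy to every unit PID 1 starts. As an added example (not part of this issue or of the authd project), the script below scopes the same environment to the broker unit only, via a systemd drop-in, rejects proxy URLs that are not a plain http(s)://host[:port] before they are written into a file read by PID 1, and checks that the running unit actually received the variable. It assumes that systemd drop-ins under /etc/systemd/system/<unit>.d/ apply to the snap-managed unit, and that the proxy URL and no_proxy list are placeholders you replace. With HTTPS_PROXY set, the broker's Go HTTP client sends a CONNECT to the proxy, which resolves login.microsoftonline.com itself, so the local "server misbehaving" DNS failure in the log no longer matters.

```shell
#!/bin/sh
# Added example: per-unit proxy drop-in for the authd-msentraid broker.
# Assumption: drop-ins apply to the snap-generated unit (systemd honours the
# <unit>.d directory regardless of who wrote the unit file).
UNIT="snap.authd-msentraid.authd-msentraid.service"

# Accept only http(s)://host[:port][/]; anything else (shell metacharacters,
# credentials, paths) is refused rather than quoted into a unit file.
valid_proxy_url() {
  printf '%s' "$1" | grep -Eq '^https?://[A-Za-z0-9._-]+(:[0-9]{1,5})?/?$'
}

# Render the drop-in body. Upper- and lower-case names are both set because
# HTTP client libraries (Go's net/http included) read either spelling.
render_dropin() {
  proxy="$1"
  noproxy="${2:-localhost,127.0.0.0/8,::1}"   # constructed default
  printf '[Service]\n'
  printf 'Environment="HTTPS_PROXY=%s" "https_proxy=%s"\n' "$proxy" "$proxy"
  printf 'Environment="HTTP_PROXY=%s" "http_proxy=%s"\n' "$proxy" "$proxy"
  printf 'Environment="NO_PROXY=%s" "no_proxy=%s"\n' "$noproxy" "$noproxy"
}

# Write the drop-in below $root (default: the real filesystem). Passing a
# temporary directory as $root lets the rendering be exercised without root.
install_dropin() {
  proxy="$1"
  root="${2:-}"
  valid_proxy_url "$proxy" || { echo "refusing proxy URL: $proxy" >&2; return 1; }
  dir="$root/etc/systemd/system/$UNIT.d"
  mkdir -p "$dir" || return 1
  render_dropin "$proxy" > "$dir/10-proxy.conf" || return 1
  chmod 0644 "$dir/10-proxy.conf"
}

# After `systemctl daemon-reload && systemctl restart "$UNIT"`, confirm the
# variable reached the unit: the broker only uses a proxy it can see.
unit_has_proxy() {
  systemctl show -p Environment "$UNIT" 2>/dev/null | grep -q 'HTTPS_PROXY='
}
```

Run `install_dropin http://<proxyip:proxyport>` as root, then `systemctl daemon-reload`, restart the unit and call `unit_has_proxy` before re-checking the journal for the OIDC discovery error.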

@jibel jibel added documentation Improvements or additions to documentation enhancement New feature or request high High importance issue and removed bug Something isn't working labels Sep 6, 2024