vouch-proxy: ADFS error: MSIS9604
Config:
vouch:
  logLevel: debug
  listen: 0.0.0.0
  port: 19090
  AllowAllUsers: true
  domains:
    - example.tld
    - ifauth.example.tld
    - vouch.example.tld
    - adfs.example.tld
  cookie:
    name: VouchCookie
    domain: .example.tld
    secure: true
    httpOnly: true
  headers:
    jwt: X-Vouch-Token
    querystring: access_token
    redirect: X-Vouch-Requested-URI
    idToken: X-Vouch-IdP-IdToken
  session:
    name: VouchSession
  jwt:
    secret: Dg2t7sSoSm9X_rE8b3p7FP-cl_MZkmxXS4rLRZWi
    maxAge: 59
  db:
    file: /db/vouch_bolt.db
oauth:
  provider: adfs
  client_id: 9b31f91c-91da-47df-899f-e66c7b9cc2ef
  client_secret: Dg2t7sSoSm9X_rE8b3p7FP-cl_MZkmxXS4rLRZWi
  auth_url: https://adfs.example.tld/adfs/oauth2/authorize/
  token_url: https://adfs.example.tld/adfs/oauth2/token/
  scopes:
    - email
    - profile
    - openid
  callback_url: https://vouch.example.tld/auth
Debug log:
vouch_1 | {"level":"debug","ts":1580914641.1227398,"msg":"/login"}
vouch_1 | {"level":"debug","ts":1580914641.1227658,"msg":"domain vouch.example.tld matched array value at [1]=vouch.example.tld"}
vouch_1 | {"level":"debug","ts":1580914641.1227777,"msg":"setting the cookie domain to .example.tld"}
vouch_1 | {"level":"debug","ts":1580914641.1227868,"msg":"deleting cookie: VouchCookie"}
vouch_1 | {"level":"debug","ts":1580914641.1229758,"msg":"session state set to 9tQelOybfX2PZG8D4YFD9xpNSSKQI"}
vouch_1 | {"level":"debug","ts":1580914641.1231618,"msg":"session requestedURL set to https://ifauth.example.tld/"}
vouch_1 | {"level":"debug","ts":1580914641.1231718,"msg":"failcount for https://ifauth.example.tld/ is 0"}
vouch_1 | {"level":"debug","ts":1580914641.1231768,"msg":"saving session"}
vouch_1 | {"level":"debug","ts":1580914641.123265,"msg":"redirecting to oauthURL https://adfs.example.tld/adfs/oauth2/authorize/?client_id=9b31f91c-91da-47df-899f-e66c7b9cc2ef&redirect_uri=https%3A%2F%2Fvouch.example.tld%2Fauth&resource=https%3A%2F%2Fvouch.example.tld%2Fauth&response_type=code&scope=email+profile+openid&state=9tQelOybfX2PZG8D4YFD9xpNSSKQI"}
vouch_1 | {"level":"debug","ts":1580914641.1232948,"msg":"CaptureWriter.Write set w.StatusCode 302"}
vouch_1 | {"level":"debug","ts":1580914641.1233146,"msg":"Request handled successfully: 302"}
vouch_1 | {"level":"info","ts":1580914641.123327,"msg":"|302| 578.493µs /login","statusCode":302,"request":44,"latency":0.000578493,"avgLatency":0.008567349,"ipPort":"127.0.0.1:47820","method":"GET","host":"vouch.example.tld","path":"/login","referer":"https://adfs.example.tld/adfs/oauth2/authorize/?client_id=9b31f91c-91da-47df-899f-e66c7b9cc2ef&redirect_uri=https%3A%2F%2Fvouch.example.tld%2Fauth&resource=https%3A%2F%2Fvouch.example.tld%2Fauth&response_type=code&scope=email+profile+openid&state=A9pWyOujA4537ZTYJwVHjzsuUSNd0H43"}
vouch_1 | {"level":"debug","ts":1580914641.2798855,"msg":"Request received : &{GET /auth?error=server_error&error_description=MSIS9604%3a+An+error+occurred.+The+authorization+server+was+not+able+to+fulfill+the+request.&state=9tQelOybfX2PZG8D4YFD9xpNSSKQI&client-request-id=181468d2-825b-475b-b10b-0080020000fd HTTP/1.0 1 0 map[X-Aasaam-Agent-Vendor:[google] Connection:[close] Upgrade-Insecure-Requests:[1] Accept:[text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9] X-Real-Ip:[172.18.64.65] Cache-Control:[max-age=0] Sec-Fetch-User:[?1] Referer:[https://adfs.example.tld/adfs/oauth2/authorize/?client_id=9b31f91c-91da-47df-899f-e66c7b9cc2ef&redirect_uri=https%3A%2F%2Fvouch.example.tld%2Fauth&resource=https%3A%2F%2Fvouch.example.tld%2Fauth&response_type=code&scope=email+profile+openid&state=A9pWyOujA4537ZTYJwVHjzsuUSNd0H43] Cookie:[aasaam_cid=AAAAAMLXOl4HAGO2ASw0AA==; VouchSession=MTU4MDkxNDY0MXxEdi1CQkFFQ180SUFBUkFCRUFBQV82WF9nZ0FEQm5OMGNtbHVad3dPQUF4eVpYRjFaWE4wWldSVlVrd0djM1J5YVc1bkRCd0FHbWgwZEhCek9pOHZhV1poZFhSb0xtbDFiWE11WVdNdWFYSXZCbk4wY21sdVp3d2NBQnBvZEhSd2N6b3ZMMmxtWVhWMGFDNXBkVzF6TG1GakxtbHlMd05wYm5RRUFnQUNCbk4wY21sdVp3d0hBQVZ6ZEdGMFpRWnpkSEpwYm1jTUh3QWRPWFJSWld4UGVXSm1XREpRV2tjNFJEUlpSa1E1ZUhCT1UxTkxVVWs9fCMTy1z4jnswgoqxikyW9529Rsbb8CA-U1dwoN_IyIge] X-Forwarded-For:[172.18.64.65] X-Aasaam-Client-Id:[0d443f07] X-Aasaam-Agent-Hash:[807ca0a2] X-Aasaam-Geo-Country-Flag:[🌐] Sec-Fetch-Mode:[navigate] X-Request-Time:[1580914641.278] X-Aasaam-Agent-Category:[pc] User-Agent:[Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/79.0.3945.79 Chrome/79.0.3945.79 Safari/537.36] X-Forwarded-Port:[443] X-Forwarded-Proto:[https] X-Aasaam-Agent-Version:[79] Sec-Fetch-Site:[same-site] Accept-Encoding:[gzip, deflate, br] Accept-Language:[en-US,en;q=0.9,fa;q=0.8] X-Aasaam-Agent-Os:[linux] X-Request-Id:[ff60d561ffe9225726e66aceb148d9a3] 
X-Aasaam-Foreign-Referer-Host:[adfs.example.tld] X-Aasaam-Geo-Default-Lang-Direction:[ltr] X-Forwarded-Host:[vouch.example.tld] X-Aasaam-Client-New:[0] X-Aasaam-Agent-Name:[chrome]] {} <nil> 0 [] true vouch.example.tld map[] map[] <nil> map[] 127.0.0.1:47868 /auth?error=server_error&error_description=MSIS9604%3a+An+error+occurred.+The+authorization+server+was+not+able+to+fulfill+the+request.&state=9tQelOybfX2PZG8D4YFD9xpNSSKQI&client-request-id=181468d2-825b-475b-b10b-0080020000fd <nil> <nil> <nil> 0xc4201b8b70}"}
vouch_1 | {"level":"debug","ts":1580914641.2799928,"msg":"/auth"}
vouch_1 | {"level":"warn","ts":1580914641.2806106,"msg":"/auth Error state: server_error, Error description: MSIS9604: An error occurred. The authorization server was not able to fulfill the request."}
vouch_1 | {"level":"debug","ts":1580914641.2806458,"msg":"CaptureWriter.Write set w.StatusCode 403"}
vouch_1 | {"level":"debug","ts":1580914641.2807608,"msg":"Request handled successfully: 403"}
vouch_1 | {"level":"info","ts":1580914641.2807925,"msg":"|403| 770.249µs /auth","statusCode":403,"request":45,"latency":0.000770249,"avgLatency":0.008394081,"ipPort":"127.0.0.1:47868","method":"GET","host":"vouch.example.tld","path":"/auth","referer":"https://adfs.example.tld/adfs/oauth2/authorize/?client_id=9b31f91c-91da-47df-899f-e66c7b9cc2ef&redirect_uri=https%3A%2F%2Fvouch.example.tld%2Fauth&resource=https%3A%2F%2Fvouch.example.tld%2Fauth&response_type=code&scope=email+profile+openid&state=A9pWyOujA4537ZTYJwVHjzsuUSNd0H43"}
About this issue
- State: closed
- Created 4 years ago
- Comments: 27 (15 by maintainers)
Commits related to this issue
- #206 return errors from ADFS user call — committed to vouch/vouch-proxy by bnfinet 4 years ago
@mhf-ir please post your full logs and updated VP config and nginx config and please turn on testing 😃
thanks, and how about the VP logs for a full round trip when using those configs?
Yes. That’s exactly right.
Check out the config example. Set the domain in your cookie area as the main domain. Sub domains are included automatically.
The domain shouldn’t start with a period. Just example.tld is fine.
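As an added example (not code from this issue or from vouch-proxy): a small Python helper that reads the JSON debug records above, pulls the OAuth error and state out of the ADFS redirect back to /auth, checks that the returned state matches the one set at /login, and applies the maintainer's cookie-domain advice to the config. The sample records are trimmed copies of the log above; the requirement that every entry in vouch.domains be covered by the cookie domain is my assumption.

```python
import json
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample: two records from the debug log above, trimmed to the
# fields this helper needs; the docker-compose "vouch_1 | " prefix is kept.
SAMPLE_LOG = [
    'vouch_1 | {"level":"debug","ts":1580914641.1229758,'
    '"msg":"session state set to 9tQelOybfX2PZG8D4YFD9xpNSSKQI"}',
    'vouch_1 | {"level":"debug","ts":1580914641.2798855,'
    '"msg":"Request received : &{GET /auth?error=server_error'
    '&error_description=MSIS9604%3a+An+error+occurred.'
    '&state=9tQelOybfX2PZG8D4YFD9xpNSSKQI HTTP/1.0 1 0 map[]}"}',
]
STATE_RE = re.compile(r"session state set to (\S+)")
CALLBACK_RE = re.compile(r"Request received : &\{GET (/auth\?\S+) HTTP/")

def parse_record(line):
    """Drop the compose service prefix, if any, and decode the JSON record."""
    _, sep, body = line.partition("| ")
    return json.loads(body if sep else line)

def analyze_callback(lines):
    """Report what the IdP sent back on /auth and whether state round-tripped."""
    expected_state = None
    result = {"error": None, "description": None, "state_ok": None}
    for line in lines:
        msg = parse_record(line)["msg"]
        m = STATE_RE.search(msg)
        if m:  # state minted at /login, before the redirect to ADFS
            expected_state = m.group(1)
            continue
        m = CALLBACK_RE.search(msg)
        if m:  # ADFS redirected back to /auth; decode its query string
            qs = parse_qs(urlsplit(m.group(1)).query)
            result["error"] = qs.get("error", [None])[0]
            result["description"] = qs.get("error_description", [None])[0]
            result["state_ok"] = qs.get("state", [None])[0] == expected_state
    return result

def check_cookie_domain(cookie_domain, domains):
    """No leading period (maintainer's advice); every vouch.domains entry must be
    the cookie domain or a subdomain of it (my assumption), else VouchCookie is never sent."""
    problems = []
    if cookie_domain.startswith("."):
        problems.append("cookie.domain must not start with a period")
    bare = cookie_domain.lstrip(".")
    for d in domains:
        if d != bare and not d.endswith("." + bare):
            problems.append(f"{d} is not covered by cookie domain {bare}")
    return problems
```

Run against the full compose log, analyze_callback also surfaces a state mismatch, which would point at a stale session rather than at ADFS.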