
Issue: If token has expired it should prompt for Entra Login again and provide useful message instead of just failing local password #575

Open
2 tasks done
valluwtf opened this issue Oct 8, 2024 · 3 comments
Labels
bug Something isn't working jira

Comments


valluwtf commented Oct 8, 2024

Is there an existing issue for this?

  • I have searched the existing issues and found none that matched mine

Describe the issue

I can successfully log in and set a local password. In our Entra application, the token validity is set to only a few hours for testing purposes - so when I try to log in on the next day, I get the prompt for the local password which is no longer working (which makes sense) and journalctl tells me that my token is invalid. If I type 'r', I can get to the device login again to create a new password.

It would be a lot more useful though, if in this case, I get prompted with a new Entra Login code to authenticate again immediately or at least get a more helpful message instead of 'authentication failure: could not load cached info' which is btw the exact same message I get when I actually have a typo in my password.


// All of this is on ssh login only, no idea what the behaviour is on GDM but I guess it would be similar

Steps to reproduce

When logging in via ssh after a period of time in which the Entra token has become invalid, I get asked for my local password on login, which does not exist anymore and therefore does not work.

System information and logs

authd version

authd   0.3.5~24.04

authd-msentraid broker version

name:      authd-msentraid
summary:   MSEntra ID broker for authd
publisher: Canonical**
store-url: https://snapcraft.io/authd-msentraid
license:   GPL-3.0
description: |
  This is the MS Entra ID broker snap for authd  to provide MS Entra ID OIDC
  based authentication on Ubuntu with authd.
services:
  authd-msentraid: simple, enabled, active
snap-id:      vS3oJLMss6lgWwoFcPqYDUA2HB20I1Dc
tracking:     0.x/edge
refresh-date: yesterday at 21:55 CEST
channels:
  0.x/stable:    0.1+4fe9826.0f76acc 2024-10-02 (51) 18MB -
  0.x/candidate: ^
  0.x/beta:      ^
  0.x/edge:      0.1+0b5d024.21625c4 2024-10-07 (52) 18MB -
installed:       0.1+0b5d024.21625c4            (52) 18MB -

gnome-shell version

gnome-shell:
  Installed: (none)
  Candidate: 46.3.1-1ubuntu1~24.04.1authd2
  Version table:
     46.3.1-1ubuntu1~24.04.1authd2 500
        500 https://ppa.launchpadcontent.net/ubuntu-enterprise-desktop/authd-edge/ubuntu noble/main amd64 Packages
     46.0-0ubuntu6~24.04.5 500
        500 http://de.archive.ubuntu.com/ubuntu noble-updates/main amd64 Packages
        500 http://archive.ubuntu.com/ubuntu noble-updates/main amd64 Packages
     46.0-0ubuntu6~24.04.3 500
        500 http://de.archive.ubuntu.com/ubuntu noble-security/main amd64 Packages
        500 http://security.ubuntu.com/ubuntu noble-security/main amd64 Packages
     46.0-0ubuntu5 500
        500 http://de.archive.ubuntu.com/ubuntu noble/main amd64 Packages
        500 http://archive.ubuntu.com/ubuntu noble/main amd64 Packages

Distribution

Distributor ID: Ubuntu
Description:    Ubuntu 24.04.1 LTS
Release:    24.04
Codename:   noble

Logs


[    7.061633] vs-052457 systemd[1]: Started snap.authd-msentraid.authd-msentraid.service - Service for snap application authd-msentraid.authd-msentraid.
[    7.175212] vs-052457 systemd[1]: Starting authd.service - Authd daemon service...
[    7.488295] vs-052457 systemd[1]: Started authd.service - Authd daemon service.
[    8.471376] vs-052457 authd[857]: 2024/10/07 14:15:54 WARN rpc error: code = NotFound desc =
[   19.681815] vs-052457 authd[857]: 2024/10/07 14:16:05 WARN rpc error: code = InvalidArgument desc = no user name provided
[   20.021500] vs-052457 authd[857]: 2024/10/07 14:16:05 WARN rpc error: code = InvalidArgument desc = no user name provided
[   75.536358] vs-052457 authd[857]: 2024/10/07 14:17:01 WARN rpc error: code = InvalidArgument desc = no user name provided
[  555.571496] vs-052457 authd[857]: 2024/10/07 14:25:01 WARN rpc error: code = InvalidArgument desc = no user name provided
[ 1155.604915] vs-052457 authd[857]: 2024/10/07 14:35:01 WARN rpc error: code = InvalidArgument desc = no user name provided
[ 1755.640304] vs-052457 authd[857]: 2024/10/07 14:45:01 WARN rpc error: code = InvalidArgument desc = no user name provided
[ 2355.675536] vs-052457 authd[857]: 2024/10/07 14:55:01 WARN rpc error: code = InvalidArgument desc = no user name provided
[ 2775.710532] vs-052457 authd[857]: 2024/10/07 15:02:01 WARN rpc error: code = InvalidArgument desc = no user name provided
.....lots of the above......
[73156.000925] vs-052457 authd[857]: 2024/10/08 10:35:01 WARN rpc error: code = InvalidArgument desc = no user name provided
[73756.026389] vs-052457 authd[857]: 2024/10/08 10:45:01 WARN rpc error: code = InvalidArgument desc = no user name provided
[74034.119164] vs-052457 authd-msentraid.authd-msentraid[21811]: time=2024-10-08T10:49:39.814+02:00 level=ERROR msg="could not refresh token: oauth2: \"invalid_grant\" \"AADSTS50173: The provided grant has expired due to it being revoked, a fresh auth token is needed. The user might have changed or reset their password. The grant was issued on '2024-09-24T08:05:02.7019969Z' and the TokensValidFrom date (before which tokens are not valid) for this user is '2024-09-24T10:05:05.0000000Z'. Trace ID: <UUID redacted> Correlation ID: <UUID redacted> Timestamp: 2024-10-08 08:49:39Z\" \"https://login.microsoftonline.com/error?code=50173\""
[74036.749430] vs-052457 authd-msentraid.authd-msentraid[21811]: time=2024-10-08T10:49:42.444+02:00 level=ERROR msg="could not refresh token: oauth2: \"invalid_grant\" \"AADSTS50173: The provided grant has expired due to it being revoked, a fresh auth token is needed. The user might have changed or reset their password. The grant was issued on '2024-09-24T08:05:02.7019969Z' and the TokensValidFrom date (before which tokens are not valid) for this user is '2024-09-24T10:05:05.0000000Z'. Trace ID: <UUID redacted> Correlation ID: <UUID redacted> Timestamp: 2024-10-08 08:49:42Z\" \"https://login.microsoftonline.com/error?code=50173\""

authd broker configuration

/etc/authd/brokers.d/msentraid.conf

# This section is used by authd to identify and communicate with the broker.
# It should not be edited.
[authd]
name = Microsoft Entra ID
brand_icon = /snap/authd-msentraid/current/broker_icon.png
dbus_name = com.ubuntu.authd.MSEntraID
dbus_object = /com/ubuntu/authd/MSEntraID

authd-msentraid configuration

[oidc]
issuer = https://login.microsoftonline.com/<UUID redacted>/v2.0
client_id = <UUID redacted>

[users]
# The directory where the home directory will be created for new users.
# Existing users will keep their current directory.
# The user home directory will be created in the format of {home_base_dir}/{username}
home_base_dir = /home

# The username suffixes that are allowed to login via ssh without existing previously in the system.
# The suffixes must be separated by commas.
ssh_allowed_suffixes = @<domain redacted>

Double check your logs

  • I have redacted any sensitive information from the logs
@valluwtf valluwtf added the bug Something isn't working label Oct 8, 2024
Member

didrocks commented Oct 9, 2024

Thanks for reporting this bug on authd and helping to make it better!

You are right, we should re-ask for device authentication if the local password was correct but the token has expired.

However, there is also the case of "I'm logging in offline for many months" to take into account; we need to carefully design this. Adding it to the backlog.

@didrocks didrocks added the jira label Oct 9, 2024
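A defender-side sketch of the decision the reporter and didrocks describe above: when the cached grant is rejected by the identity provider (the AADSTS50173 invalid_grant in the logs), re-prompt for device login with a clear message instead of asking for a local password; when the provider is merely unreachable, accept cached credentials only within a bounded offline window. This is an added example, not authd's or the broker's code; the RetrieveError type, the Outcome values and the grace-period policy are assumptions made for the illustration.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"regexp"
	"time"
)

// RetrieveError is a local stand-in (assumption) for the oauth2 library's token
// endpoint error; its Error() output matches the broker log line on the page.
type RetrieveError struct{ ErrorCode, ErrorDescription string }

func (e *RetrieveError) Error() string {
	return fmt.Sprintf("oauth2: %q %q", e.ErrorCode, e.ErrorDescription)
}
type Outcome int // next step of the login flow after a token refresh attempt
const (
	Online         Outcome = iota // refresh succeeded: continue with the local password
	Reauthenticate                // IdP rejected the grant: start a new device login
	OfflineGrace                  // IdP unreachable, cached token inside the grace window
	OfflineExpired                // IdP unreachable and the grace window is exhausted
)
var aadCode = regexp.MustCompile(`^AADSTS(\d+)`)

// Classify maps the refresh error, the last successful online login and the
// admin-chosen maximum offline period to an Outcome plus a user-facing message.
func Classify(refreshErr error, lastOnline, now time.Time, maxOffline time.Duration) (Outcome, string) {
	if refreshErr == nil {
		return Online, ""
	}
	var re *RetrieveError
	if errors.As(refreshErr, &re) && re.ErrorCode == "invalid_grant" {
		// Revoked or expired grant (AADSTS50173 on the page): only a fresh device login helps.
		code := "unknown"
		if m := aadCode.FindStringSubmatch(re.ErrorDescription); m != nil {
			code = m[1]
		}
		return Reauthenticate, "Entra ID session is no longer valid (AADSTS" + code + "); a new device login is required"
	}
	var ne net.Error
	if errors.As(refreshErr, &ne) { // no answer from the IdP: trust the cache for a bounded time only
		if now.Sub(lastOnline) <= maxOffline {
			return OfflineGrace, "identity provider unreachable, using cached credentials"
		}
		return OfflineExpired, "identity provider unreachable and the offline period has expired"
	}
	return Reauthenticate, "token refresh failed: " + refreshErr.Error()
}
```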
@aussielunix

I had this issue too.

I ssh'd in and used the r to expire the token.
This worked however, as a surprise, I had a new UID/GID so my $HOME was no longer mine.

Contributor

adombeck commented Nov 7, 2024

Hi @aussielunix, sorry for the late reply.

I ssh'd in and used the r to expire the token.
This worked however, as a surprise, I had a new UID/GID so my $HOME was no longer mine.

That's #562. It's fixed in the latest version. If you didn't change the owner and group of your home directory yet, there will be warning messages printed to the journal when you log in (check sudo journalctl -u authd.service) which include the commands you can run to fix the owner and group manually.


4 participants