Microsoft Changes Oct 12

I connected this morning to 2 different Pritunl Enterprise servers on different sides of the US.

Later in the day I got a notification that any time anyone tried to connect, it was asking them to request permissions.

Every time I connect with a global administrator account, it asks me to consent.

I created a new registration and tried that - exactly same thing.

Frantically trying to find some kind of fix for this.

The Azure OAuth 2.0 was activated today; this is expected. With the new OAuth all sign-ons require the additional prompt.

Are there any docs on what we need to do? My users can’t connect no matter what. They are getting prompted to request permissions, it’s being automatically granted, but they can’t connect. And I am being asked to consent on every login.

Deleted as it was wrong

I rolled back the OAuth API; I will add an option to manually select the new version instead. This was rolled back at 4:17PM, and it was likely this that fixed the issue instead of that option. If you want to test the new API, first run sudo pritunl get app.sso_azure_region to find what region is currently configured, then run sudo pritunl set app.sso_azure_region '"global2"'. This can be reverted by changing it back to the original region.

Microsoft will likely discontinue that API in the future. The only significant errors I see in the logs are showing error_description=AADSTS65004:+User+declined+to+consent+to+access+the+app. It’s possible the way you were automatically granting the prompt wasn’t working.

Also what Azure Region and Azure API Version in the top right settings did you have configured?
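The AADSTS65004 entries quoted above are the piece of evidence that decides whether a consent prompt was actually approved or silently denied. The script below is an added example, not Pritunl's own code: it URL-decodes the error_description query fragment from SSO callback log lines, tallies the AADSTS codes, and reports how many logins failed on a declined consent. The log line layout, the sample lines and the second error code are constructed for the example; only the AADSTS65004 fragment mirrors what the thread quotes.

```python
"""Tally Azure AD (AADSTS) error codes from Pritunl-style SSO log lines.

Added example, not Pritunl's own code. The log line layout is an
assumption (constructed sample lines); only the error_description
fragment for AADSTS65004 mirrors what the forum thread quotes.
"""
import re
from collections import Counter
from urllib.parse import parse_qs

# Constructed sample lines (not real server output). The third line carries
# a different error so the tally shows more than one code.
SAMPLE_LOG = """\
[2023-10-12 14:02:11][ERROR] Azure SSO callback failed: error=access_denied&error_description=AADSTS65004:+User+declined+to+consent+to+access+the+app.&state=abc123
[2023-10-12 14:05:40][ERROR] Azure SSO callback failed: error=access_denied&error_description=AADSTS65004:+User+declined+to+consent+to+access+the+app.&state=def456
[2023-10-12 14:09:03][ERROR] Azure SSO callback failed: error=invalid_client&error_description=AADSTS7000215:+Invalid+client+secret+provided.&state=ghi789
[2023-10-12 14:10:55][INFO] Azure SSO login ok user=alice@example.com
"""

# Once URL-decoded, the AADSTS code leads the error_description value.
AADSTS_RE = re.compile(r"^(AADSTS\d+):\s*(.*)$")


def extract_error(line: str):
    """Return (code, message) for a line carrying an OAuth error query
    string, or None for lines that have no error_description parameter."""
    idx = line.find("error_description=")
    if idx == -1:
        return None
    # The query string begins after the last space before the parameter.
    start = line.rfind(" ", 0, idx) + 1
    qs = line[start:].strip()
    params = parse_qs(qs)  # decodes '+' to ' ' and %XX escapes
    desc = params.get("error_description", [""])[0]
    m = AADSTS_RE.match(desc)
    if not m:
        return None
    return m.group(1), m.group(2).rstrip(".")


def tally_aadsts(log_text: str) -> Counter:
    """Count each AADSTS code across all lines of the log."""
    counts = Counter()
    for line in log_text.splitlines():
        found = extract_error(line)
        if found:
            counts[found[0]] += 1
    return counts


def consent_declines(log_text: str) -> int:
    """AADSTS65004 is 'User declined to consent'. A high count here means the
    consent prompt is being answered with a deny, not an approve, which is
    the failure mode the thread is chasing."""
    return tally_aadsts(log_text)["AADSTS65004"]


if __name__ == "__main__":
    for code, n in tally_aadsts(SAMPLE_LOG).most_common():
        print(f"{code}: {n}")
    print(f"declined consents: {consent_declines(SAMPLE_LOG)}")
```

Run it against the real server log after reproducing one failed login on each setting of app.sso_azure_region (read back with sudo pritunl get app.sso_azure_region, as the thread describes) to see whether the AADSTS65004 count tracks the API version or the way consent is being granted.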

With the API rolled back now I don’t see any noticeable correlation in the error count between the versions. I may still continue with the update sometime in the next few weeks. The sudo pritunl set app.sso_azure_region '"global2"' option will remain available to test the new API to find issues before it is rolled out. Additionally sudo pritunl set app.sso_azure_region '"global1"' has been added, this will force the OAuth v1 API.

You’re right. I tried checking “Access tokens (used for implicit flows)” again and waited a few minutes, and it still connects fine. So that definitely wasn’t the fix. And the 4:17PM time frame was definitely right before I had tested it successfully.


You will need to run sudo pritunl set app.sso_azure_region '"global1"' to keep the server on OAuth v1. Even on the weekend there were a sufficient number of Azure requests while v2 was active to see that there weren’t any widespread issues. The new v2 OAuth will eventually be active by default.

We’re on v1.30.3354.99
Is it important that we get this upgraded before we mess around with this?

I don’t think any changes have been made to the Azure single sign-on code between that release and the latest release. The primary changes in the v1.32 release are device authentication and the inclusion of a Python 3.9 interpreter.