Azure AD B2C Oauth2 Version Error

Hi,

I’m having an issue setting up the Azure AD login to use Oauth2 from an Azure B2C application.

I think I’ve set-up everything right and Grafana is receiving the Token but after logging into our Azure B2C page and getting redirected to Grafana, it shows this following warning and won’t get past the login page:

Login Failed
AzureAD OAuth: version 1.0 is not supported. Please ensure the auth_url and token_url are set to the v2.0 endpoints.

But my auth_url and token_url are both pointing to version 2.0 of Microsoft’s endpoint.
The debug logs also don’t say much and repeat the same message!

Does anyone have any idea what could be the reason?

Here’s my config for Azure AD:

[auth.azuread]
name = Azure AD
icon = microsoft
enabled = true
allow_sign_up = true
client_id = (Client ID)
client_secret = (Client Secret)
scopes = openid email profile (client_id)
auth_url = https://(Tenant).b2clogin.com/(Tenant).onmicrosoft.com/b2c_1_signupsignin/oauth2/v2.0/authorize
token_url = https://(Tenant).b2clogin.com/(Tenant).onmicrosoft.com/b2c_1_signupsignin/oauth2/v2.0/token
;tls_skip_verify_insecure = true
;email_attribute_path = emails[0]

The rest of the config is default values except the root URL of Grafana running under a sub-path and the Secret key:

[server]
domain = (some.domain).com
root_url = https://(some.domain).com/grafana
[security]
secret_key = (32 normal characters, no symbols)

I am running Grafana [v10.0.0 (81d85ce802)] Docker container on Ubuntu 20.04LTS x64.

The redirect URL in Azre B2C is set as: https://(some.domain).com/grafana/login/azuread

And here’s the debug log:

grafana-grafana-1 | logger=ngalert.multiorg.alertmanager t=2023-06-20T15:40:37.188149193Z level=debug msg=“done synchronizing Alertmanagers for orgs”
grafana-grafana-1 | logger=ngalert.scheduler t=2023-06-20T15:40:40.002117051Z level=debug msg=“Alert rules fetched” rulesCount=0 foldersCount=0 updatedRules=0
grafana-grafana-1 | logger=ngalert.scheduler t=2023-06-20T15:40:50.003990418Z level=debug msg=“Alert rules fetched” rulesCount=0 foldersCount=0 updatedRules=0
grafana-grafana-1 | logger=ngalert.state.manager t=2023-06-20T15:40:52.123832343Z level=debug msg=“Recording state cache metrics” now=2023-06-20T15:40:52.123811856Z
grafana-grafana-1 | logger=ngalert.scheduler t=2023-06-20T15:41:00.001361557Z level=debug msg=“Alert rules fetched” rulesCount=0 foldersCount=0 updatedRules=0
grafana-grafana-1 | logger=ngalert.state.manager t=2023-06-20T15:41:07.12369907Z level=debug msg=“Recording state cache metrics” now=2023-06-20T15:41:07.123679636Z
grafana-grafana-1 | logger=ngalert.scheduler t=2023-06-20T15:41:10.000829423Z level=debug msg=“Alert rules fetched” rulesCount=0 foldersCount=0 updatedRules=0
grafana-grafana-1 | logger=context userId=0 orgId=0 uname= t=2023-06-20T15:41:12.522485297Z level=info msg=“Request Completed” method=GET path=/login/azuread status=302 remote_addr=10.20.14.1 time_ms=0 duration=929.434µs size=407 referer=https://some.domain.com/grafana/login handler=/login/:name
grafana-grafana-1 | logger=oauth t=2023-06-20T15:41:14.108710208Z level=info msg=“state check” queryState=(Redacted)cookieState=(Redacted)
grafana-grafana-1 | logger=oauth t=2023-06-20T15:41:15.700072913Z level=debug msg=“OAuthLogin: got token” expiry=“2023-06-20 19:41:15.699984066 +0000 UTC m=+15581.004614816” type=Bearer has_refresh_token=false
grafana-grafana-1 | logger=context userId=0 orgId=0 uname= t=2023-06-20T15:41:15.70105472Z level=warn msg=“AzureAD OAuth: version 1.0 is not supported. Please ensure the auth_url and token_url are set to the v2.0 endpoints.”
grafana-grafana-1 | logger=context userId=0 orgId=0 uname= t=2023-06-20T15:41:15.727551888Z level=info msg=“Request Completed” method=GET path=/login/azuread status=302 remote_addr=10.20.14.1 time_ms=1619 duration=1.61989048s size=37 referer=https://some.domain.com/ handler=/login/:name
grafana-grafana-1 | logger=ngalert.scheduler t=2023-06-20T15:41:20.001642032Z level=debug msg=“Alert rules fetched” rulesCount=0 foldersCount=0 updatedRules=0
grafana-grafana-1 | logger=ngalert.state.manager t=2023-06-20T15:41:22.123989415Z level=debug msg=“Recording state cache metrics” now=2023-06-20T15:41:22.123973177Z

Everything seems to be fine and Grafana gets the token but somehow it thinks that the token is version 1 and not version 2. Looking into countless discussions on Microsoft forums turned out that even though you use /oauth2/v2.0/token URL but the Microsoft endpoint answers in the version “requested” by the application, here Grafana, and OAuth2 Version 2 is compatible with Version 1 also and “can” respond to a Version 1 request! I don’t know how accurate this is but maybe Grafana is asking for a Version 1 token and not v2.0?!

This is very confusing. I have no idea where this issue is rooted and the debug logs are not revealing anything.

There is a claim oauthversion, which has version 1 which is a problem in Grafana.

I would try to use standard Grafana oauth authentication, not Azure AD. It looks like AD has implemented strict validation rule. Or use previous Grafana version 9.x where this rule is not implemented.

Thank you,

I disabled the [auth.azuread] and used [auth.generic_oauth] instead and after a few trials and errors it worked.

Here’s the config for anyone interested:

[auth.generic_oauth]
name = Azure AD
icon = microsoft
enabled = true
allow_sign_up = true
;auto_login = false
client_id = (Client ID)
client_secret = (Client Secret)
scopes = openid email profile (Client ID)
;empty_scopes = false
;email_attribute_name = email:primary
email_attribute_path = emails[0]
;role_attribute_strict = false
auth_url = https://(Tenant).b2clogin.com/(Tenant).onmicrosoft.com/b2c_1_signupsignin/oauth2/v2.0/authorize
token_url = https://(Tenant).b2clogin.com/(Tenant).onmicrosoft.com/b2c_1_signupsignin/oauth2/v2.0/token
;tls_skip_verify_insecure = false
;use_pkce = false
;allow_assign_grafana_admin = false
;skip_org_role_sync = false

The ones that I put a " ; " before are the default values that are not empty, the rest of the values are also left intact (empty).

Note that you should also change the Redirect URL in your Azure application to:
https://(some.domain).com/grafana/login/generic_oauth

For the record: generic oauth authentication is valid for AD. Also authorization via role mapping is possible.

I see case for AD auth for specific use case, where user has many roles/groups, so not all of them are returned in the token/userinfo response by AD. That’s non OAuth behaviour in AD, which is covered in AD auth implementation.