2023.10.6 - "Please select a username" after Azure AD login #8131

Closed
pgodzwa opened this issue Jan 11, 2024 · 6 comments · Fixed by #8139 or #8146
Labels
question Further information is requested

Comments

pgodzwa commented Jan 11, 2024

Describe your question/

Is it now an expected behavior in version 2023.10.6 to ask every user for username input after logging in with Azure AD?
image

In previous versions it was simply authenticating without any prompt, using email address from Azure AD as username.

Now it expects the user to input a username (and it leads to duplicated accounts, because users with mail as username already exist), and if you enter an already existing mail as username it shows an error:
image

I think it can be related to this fix:
#7970

Is it possible somehow to set this username automatically, or revert back to using email address so old user accounts will work again?

Version and Deployment (please complete the following information):

  • authentik version: 2023.10.6
  • Deployment: helm
@pgodzwa pgodzwa added the question Further information is requested label Jan 11, 2024
CyB0rgg commented Jan 11, 2024

This is unfortunately due to the bug that still exists in .6, see #7972 (comment)
After successful AD login it redirects to the enrolment flow for some reason.

CyB0rgg commented Jan 12, 2024

This does not fix anything, I am afraid. It is now back to the:
Screenshot 2024-01-12 at 18 00 38

When can we have a real fix for it please?

CyB0rgg commented Jan 12, 2024

Just to add a bit of background. With the latest cherry-picked 2023-10, when adding AzureAD social login it is still saving in the DB the new profile URL - https://login.microsoftonline.com/common/openid/userinfo - despite the initial URL being different after the reversing PR was merged. The only way to be able to control what is saved into the DB is to use the generic openid (which used to work as a workaround a couple of versions ago when filled with the Azure URLs). When using the new profile URL it authenticates and then goes back to the enrollment flow; when using the old URL it shows "could not determine id". Each and every time the Azure AD log shows successful authentication.

Screenshot 2024-01-12 at 18 29 51

CyB0rgg commented Jan 14, 2024

Close, but still no cigar. After latest patches it can now retrieve the ID but still fails with the same error immediately:
Screenshot 2024-01-14 at 09 49 33

@BeryJu if you don't have the access to the AzureAD (Entra) for testing I can help with testing of a fix branch before you merge. Super keen on getting this to work again as soon as possible.

Also worth mentioning - after filling in the well-known field it does not automatically populate / overwrite the auth/access/profile fields. Despite the JWKS URL being left empty it still automatically fills it in and pulls the raw key.

Author

pgodzwa commented Jan 30, 2024

@BeryJu unfortunately it's still not fixed in the latest release - it still asks for username after Azure AD login.

Contributor

tograss commented Jan 30, 2024

I found a working solution. See BeryJu's tip in #8342. The key idea is to build a custom enrollment / login flow, with a policy that assigns user information from oauth_data to prompt data. Whether you then ask for missing information or error out is a matter of preference.
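
The mapping idea from the comment above, as an added stand-alone Python sketch (not code from the thread or from the authentik project). Assumptions: the flow context is a plain dict with the IdP userinfo under `oauth_userinfo` and prompt data under `prompt_data`, the claims are the OIDC names `email`, `preferred_username` and `name`, and the function name and the 150-character username limit are hypothetical.

```python
# Added example. Context key names, claim names and limits are assumptions.
MAX_USERNAME_LEN = 150  # assumed limit, adjust to the deployment

CLAIM_TO_FIELD = {  # OIDC claim -> prompt field (assumed mapping)
    "email": "email",
    "name": "name",
}


def _clean(value) -> str:
    """Return a stripped string, or '' for missing / non-string claims."""
    return value.strip() if isinstance(value, str) else ""


def fill_prompt_data(context: dict, strict: bool = True) -> bool:
    """Copy identity claims into prompt_data; False means deny the flow."""
    claims = context.get("oauth_userinfo")
    if not isinstance(claims, dict):
        return False  # not reached through an OAuth source: do not guess
    prompt = context.setdefault("prompt_data", {})

    for claim, field in CLAIM_TO_FIELD.items():
        value = _clean(claims.get(claim))
        if value and not prompt.get(field):  # never overwrite existing data
            prompt[field] = value

    # Behaviour the issue asks for: the e-mail address becomes the username,
    # so accounts created by earlier versions keep matching.
    if not prompt.get("username"):
        username = _clean(claims.get("email")) or _clean(
            claims.get("preferred_username"))
        usable = (username and len(username) <= MAX_USERNAME_LEN
                  and not any(ch.isspace() for ch in username))
        if usable:
            prompt["username"] = username

    missing = [f for f in ("username", "email") if not prompt.get(f)]
    # strict: error out; lenient: pass and let a prompt stage ask for the rest
    return not (strict and missing)


if __name__ == "__main__":
    # Constructed sample input, not taken from a real tenant.
    sample = {"oauth_userinfo": {"email": "alice@example.com",
                                 "name": "Alice Example"}}
    print(fill_prompt_data(sample), sample["prompt_data"])
```
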
