OAID logging

  • ggobbo
    Junior Member
    • Sep 2025
    • 4

    #1

    OAID logging

    Hello everybody,

    I have set up OAuth authentication (on-prem instance) with Azure that, from its side, looks OK.
    At the end of the process I get a "Failed to log in" and in the auth log I get:
    **oidc 192.168.201.3 Invalid credentials Today 14:06:22

    I tried to set the internal log to the DEBUG level to spot what's wrong, but all I can get is:
    [2025-09-26 11:54:42] WARNING: OIDC: Token request error.; Status: 0; Response:

    That doesn't help me much. I am stuck because I can't get much info out of it.

    Any help is greatly appreciated,
    G
  • lazovic
    Super Moderator
    • Jan 2022
    • 1167

    #2
    Hi ggobbo,

    Please tell me, do you want to log in as an existing user or create a new one?

    If you want to log in as an existing user, make sure the Username Claim field in Administration > Authentication > OIDC is set to email, and your username in the EspoCRM instance itself is an email address.


    • ggobbo
      Junior Member
      • Sep 2025
      • 4

      #3
      I have set the Create User flag, so I assumed that a new user should be created on authentication, if not already present.

      I can try setting up a user first....


      • lazovic
        Super Moderator
        • Jan 2022
        • 1167

        #4
        ggobbo,

        You might find these steps for setting up OIDC for your EspoCRM instance useful if you're using Azure (Entra):
        1. In Azure (Entra), create a new App registration with the following Redirect URI: https://{ESPO_URI}/oauth-callback.php
        2. For this App registration, create a Client Secret.
        3. Use the following information to fill in the OIDC settings in your EspoCRM instance > Administration > Authentication > OIDC:

          Client ID: copy from your app registration in Azure (Entra)
          Client Secret: copy from your app registration in Azure (Entra)

          Authorization Endpoint: https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/authorize
          Token Endpoint: https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/token
          JWKS Endpoint: https://login.microsoftonline.com/{TENANT_ID}/discovery/v2.0/keys

          Username Claim: email
        You can also copy {TENANT_ID} from your app registration in Azure (Entra).


        • ggobbo
          Junior Member
          • Sep 2025
          • 4

          #5
          Originally posted by lazovic
          ggobbo,

          You might find these steps for setting up OIDC for your EspoCRM instance useful if you're using Azure (Entra):
          1. In Azure (Entra), create a new App registration with the following Redirect URI: https://{ESPO_URI}/oauth-callback.php
          2. For this App registration, create a Client Secret.
          3. Use the following information to fill in the OIDC settings in your EspoCRM instance > Administration > Authentication > OIDC:

            Client ID: copy from your app registration in Azure (Entra)
            Client Secret: copy from your app registration in Azure (Entra)

            Authorization Endpoint: https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/authorize
            Token Endpoint: https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/token
            JWKS Endpoint: https://login.microsoftonline.com/{TENANT_ID}/discovery/v2.0/keys

            Username Claim: email
          You can also copy {TENANT_ID} from your app registration in Azure (Entra).

          Yes. I was already there. Something fails on the last steps.

          I just need to get more logging to understand what's going wrong. It looks like I can't get more than:
          [2025-09-26 11:54:42] WARNING: OIDC: Token request error.; Status: 0; Response:

          I have already raised the logger settings in config-internal.php to:

              'logger' => [
                  'path' => 'data/logs/espo.log',
                  'level' => 'INFO',
                  'rotation' => true,
                  'maxFileNumber' => 30,
                  'printTrace' => true,
                  'databaseHandler' => true,
                  'sql' => false,
                  'sqlFailed' => true
              ],

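The log line "Token request error.; Status: 0; Response:" carries one useful fact: status 0 means the HTTP client never received a status line at all, so the failure sits on the path to the token endpoint (DNS, TLS, proxy, firewall) rather than in Microsoft's answer to the request. The script below is an added diagnostic, not EspoCRM's or Microsoft's code: it takes the three endpoint URLs from post #4, compares them with what the tenant's OpenID discovery document advertises, and then probes each URL, separating "no HTTP response" from "HTTP error". The tenant id is a placeholder, and `simulated_fetch` is a constructed stand-in for the network that models exactly the situation in this thread (discovery and JWKS answer, the token endpoint is dropped) so the script runs offline; pass no `fetch` argument to run it against the real endpoints.

```python
"""Reachability and consistency check for the Azure (Entra) OIDC endpoints.

Added diagnostic, not EspoCRM's own code. Assumption: the tenant publishes the
standard v2.0 OpenID discovery document; the endpoint set below is the one given
in the thread. A "Status: 0" in EspoCRM's log means no HTTP status line ever came
back, which this script reports as a "transport" failure (firewall, DNS, TLS,
proxy) rather than an HTTP error returned by Microsoft.
"""
import json
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Tuple

Fetch = Callable[[str], Tuple[int, bytes]]

DISCOVERY_URL = (
    "https://login.microsoftonline.com/{tenant}/v2.0/.well-known/openid-configuration"
)


def azure_endpoints(tenant_id: str) -> Dict[str, str]:
    """The three endpoints from the thread, keyed as the discovery document names them."""
    base = f"https://login.microsoftonline.com/{tenant_id}"
    return {
        "authorization_endpoint": f"{base}/oauth2/v2.0/authorize",
        "token_endpoint": f"{base}/oauth2/v2.0/token",
        "jwks_uri": f"{base}/discovery/v2.0/keys",
    }


def live_fetch(url: str, timeout: float = 10.0) -> Tuple[int, bytes]:
    """Real transport: plain GET, returns (status, body); raises on failure."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.status, resp.read()


def probe(url: str, fetch: Fetch) -> Dict[str, object]:
    """Classify a GET: 'http' means a status line came back (even a 4xx proves the
    path is open); 'transport' means nothing did, the EspoCRM 'Status: 0' case."""
    try:
        status, body = fetch(url)
    except urllib.error.HTTPError as e:            # must precede URLError (its parent)
        return {"class": "http", "status": e.code, "reachable": True,
                "body": b"", "detail": str(e.reason)}
    except (urllib.error.URLError, OSError) as e:  # timeout, refused, DNS, TLS
        return {"class": "transport", "status": 0, "reachable": False,
                "body": b"", "detail": str(getattr(e, "reason", e))}
    return {"class": "http", "status": status, "reachable": True,
            "body": body, "detail": ""}


def check_configured_endpoints(tenant_id: str, configured: Dict[str, str],
                               fetch: Fetch = live_fetch) -> Dict[str, object]:
    """Compare configured URLs with what discovery advertises, then probe each one."""
    discovery = probe(DISCOVERY_URL.format(tenant=tenant_id), fetch)
    mismatches: Dict[str, str] = {}
    if discovery["status"] == 200:
        advertised = json.loads(discovery["body"])
        for name, url in configured.items():
            if advertised.get(name) != url:
                mismatches[name] = advertised.get(name, "<not advertised>")
    probes = {name: probe(url, fetch) for name, url in configured.items()}
    unreachable: List[str] = [n for n, p in probes.items() if not p["reachable"]]
    return {"discovery": discovery, "mismatches": mismatches,
            "probes": probes, "unreachable": unreachable}


# --- constructed simulation of the thread's situation (no network needed) ---
SIMULATED_TENANT = "00000000-0000-0000-0000-000000000000"  # placeholder tenant id


def simulated_fetch(url: str) -> Tuple[int, bytes]:
    """Discovery, authorize and JWKS answer; the token endpoint is silently dropped
    by a firewall (no HTTP response at all); any other URL gets an HTTP 404."""
    expected = azure_endpoints(SIMULATED_TENANT)
    if url == DISCOVERY_URL.format(tenant=SIMULATED_TENANT):
        return 200, json.dumps(expected).encode()
    if url == expected["authorization_endpoint"]:
        return 200, b"<html>sign-in page</html>"
    if url == expected["jwks_uri"]:
        return 200, b'{"keys": []}'
    if url == expected["token_endpoint"]:
        raise urllib.error.URLError("connection timed out")
    raise urllib.error.HTTPError(url, 404, "Not Found", None, None)


if __name__ == "__main__":
    report = check_configured_endpoints(
        SIMULATED_TENANT, azure_endpoints(SIMULATED_TENANT), fetch=simulated_fetch)
    for name, p in report["probes"].items():
        print(f"{name:24} {p['class']:9} status={p['status']} {p['detail']}")
    print("mismatches:", report["mismatches"] or "none")
    print("unreachable:", report["unreachable"] or "none")
```

Run it from the EspoCRM host itself, because that is where the token request originates: the server-side token exchange is the one leg of the flow that the user's browser never performs, so a browser reaching login.microsoftonline.com fine says nothing about whether the CRM server can. A 4xx on a bare GET of the token endpoint is expected and still counts as reachable; only a transport-class result (status 0) points at the network path.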

          • ggobbo
            Junior Member
            • Sep 2025
            • 4

            #6
            Thank you all.
            In the end, part of the handshake was being filtered out by the firewall.
            Now it works.
