Last Updated: Nov 12, 2024
Overview
The following error is seen when entering the Issuer URL for an OIDC enterprise connection:
No valid OpenID Connect metadata was found at the provided url
The network traffic in the dashboard shows a request to /api/oidc/lookup with this error message:
discovery_url: "https://{IDP_DOMAIN}/.well-known/openid-configuration"
found: false
lastError: "Error: write EPROTO C0A79D9C097F0000:error:0A000152:SSL routines:final_renegotiate:unsafe legacy renegotiation disabled:../deps/openssl/openssl/ssl/statem/extensions.c:922:\n"
message: "No valid OpenID Connect metadata was found at the provided url"
Applies To
- OIDC
- Enterprise Connection
Cause
- The issuer URL request is failing because the IdP does not support TLS secure renegotiation (RFC 5746). Auth0 recently upgraded the repositories responsible for making this request to Node v18 (since the previous versions were approaching EOL later in 2023). As part of that upgrade, the OpenSSL library moved to 3.0, and the option SSL_OP_LEGACY_SERVER_CONNECT went from enabled by default in OpenSSL 1.1.1 to disabled by default in OpenSSL 3.0. This change is necessary for security: connecting to a server that lacks the secure renegotiation extension exposes the client to the TLS renegotiation vulnerability that RFC 5746 addresses.
- Another possibility is that, for the /.well-known/openid-configuration request, the API is returning a response header whose value contains a character that is not allowed.
Solution
The IdP needs to upgrade its endpoint to be compliant with the security spec (Secure Renegotiation, RFC 5746).
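The following script, an added example that is not part of the original article or Auth0's own tooling, shows how to confirm the cause described above before asking the IdP to change anything: it runs openssl s_client against the IdP's TLS endpoint and reads the "Secure Renegotiation IS supported" / "IS NOT supported" summary line, which is the same property an OpenSSL 3.0 client (such as the one bundled with Node 18) enforces. It assumes the openssl CLI is installed; the host name idp.example.com and the sample outputs are constructed placeholders.

```shell
#!/bin/sh
# Added example (not Auth0's code): probe whether an IdP's TLS endpoint
# advertises RFC 5746 secure renegotiation. OpenSSL 3.0 clients refuse
# servers that lack it with the "unsafe legacy renegotiation disabled"
# error quoted in the article. Assumes the openssl CLI is installed;
# "idp.example.com" is a placeholder host.

# Classify captured `openssl s_client` output.
# Prints "supported", "unsupported" or "unknown" and returns 0, 1 or 2.
classify_renegotiation() {
  if printf '%s\n' "$1" | grep -q 'Secure Renegotiation IS NOT supported'; then
    echo "unsupported"
    return 1
  elif printf '%s\n' "$1" | grep -q 'Secure Renegotiation IS supported'; then
    echo "supported"
    return 0
  fi
  echo "unknown"
  return 2
}

# Run a live probe. TLS 1.2 is forced because TLS 1.3 has no renegotiation
# at all (s_client then always reports "IS NOT supported"), and 1.2 is the
# version on which the legacy-renegotiation check actually bites.
# stdin comes from /dev/null so the session closes after the handshake.
probe_idp() {
  host="$1"
  port="${2:-443}"
  out=$(openssl s_client -connect "$host:$port" -servername "$host" -tls1_2 </dev/null 2>&1)
  classify_renegotiation "$out"
}

# Constructed sample outputs (abridged) in the shape s_client prints them.
SAMPLE_COMPLIANT='SSL handshake has read 3051 bytes and written 401 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Secure Renegotiation IS supported
Compression: NONE'

SAMPLE_LEGACY='SSL handshake has read 2899 bytes and written 401 bytes
Verification: OK
---
New, TLSv1.2, Cipher is AES128-SHA
Secure Renegotiation IS NOT supported
Compression: NONE'

# Usage: sh probe.sh idp.example.com [port]
# Without arguments, only the constructed offline samples are classified.
if [ -n "$1" ]; then
  probe_idp "$1" "$2" || echo "IdP endpoint must be upgraded to support RFC 5746"
else
  classify_renegotiation "$SAMPLE_COMPLIANT" || true
  classify_renegotiation "$SAMPLE_LEGACY" || true
fi
```

A verdict of "unsupported" on a TLS 1.2 handshake matches the lastError in the article and means the fix has to happen on the IdP side; re-enabling SSL_OP_LEGACY_SERVER_CONNECT on the client would reintroduce the weakness that OpenSSL 3.0 disabled it to prevent.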