UBA Error while using OIDC to Azure

We recently set up Azure for OIDC auth for Horde. Unreal Toolbox and Horde server are working as expected, but each time we attempt to build we receive the following.

Server log:

OIDC config mismatch: Command-line auth requires a public OAuth/OIDC client, but a confidential client is configured (OidcClientSecret is set). This will prevent Horde's C# client from signing in and block usage of Unreal Build Accelerator. To fix: Configure your OAuth/OIDC client as public (SPA/mobile/desktop) and remove the client secret

UBA Logs

Using Unreal Build Accelerator executor to run 5008 action(s)
12>Horde URL: https://horde0.{PROJECT}./, Pool: Win-UE5, Cluster: (none), Condition: (none), Connection: (none), HordeEncryption: (none)
12> Storage capacity 40Gb
12>---- Starting trace: 260216_163546_vs51120 ----
12>UbaServer - Listening on 0.0.0.0:1345
12>------ Building 5008 action(s) started ------
12>Logging in to https://horde0.{PROJECT}./...
12>** For {PROJECT}Editor-Win64-Development **
12>Horde server: 5.6.1-18272, agent: 5.6.1-18272
12>Created tool bundle with locator 1221501dc076491fbebe669063d482f0_1#pkt=0,1735&exp=1
12>Horde cluster resolved as 'default'
12>Unable to get worker: EpicGames.Horde.Compute.ComputeClientException: Bad authentication credentials. Check or refresh token. (HTTP status Unauthorized, response: )
12>
12>  at EpicGames.Horde.Compute.Clients.ServerComputeClient.ConnectAsync(Nullable`1 clusterId, Requirements requirements, String requestId, ConnectionMetadataRequest connection, ILogger workerLogger, CancellationToken cancellationToken)+MoveNext() in D:\Dev\{PROJECT}_main\Engine\Source\Programs\Shared\EpicGames.Horde\Compute\Clients\ServerComputeClient.cs:line 313
12>
12>  at EpicGames.Horde.Compute.Clients.ServerComputeClient.ConnectAsync(Nullable`1 clusterId, Requirements requirements, String requestId, ConnectionMetadataRequest connection, ILogger workerLogger, CancellationToken cancellationToken)+System.Threading.Tasks.Sources.IValueTaskSource<System.Boolean>.GetResult()
12>
12>  at EpicGames.Horde.Compute.Clients.ServerComputeClient.TryAssignWorkerAsync(Nullable`1 clusterId, Requirements requirements, String requestId, ConnectionMetadataRequest connection, ILogger logger, CancellationToken cancellationToken) in D:\Dev\{PROJECT}_main\Engine\Source\Programs\Shared\EpicGames.Horde\Compute\Clients\ServerComputeClient.cs:line 249
12>
12>  at UnrealBuildTool.UBAHordeSession.AddWorkerAsync(Requirements requirements, UnrealBuildAcceleratorHordeConfig hordeConfig, CancellationToken cancellationToken, Int32 activeCores) in D:\Dev\{PROJECT}_main\Engine\Source\Programs\UnrealBuildTool\Executors\UnrealBuildAccelerator\UBAAgentCoordinatorHorde.cs:line 283
12>
12>  at UnrealBuildTool.UBAHordeSession.AddWorkerAsync(Requirements requirements, UnrealBuildAcceleratorHordeConfig hordeConfig, CancellationToken cancellationToken, Int32 activeCores) in D:\Dev\{PROJECT}_main\Engine\Source\Programs\UnrealBuildTool\Executors\UnrealBuildAccelerator\UBAAgentCoordinatorHorde.cs:line 376
12>
12>  at UnrealBuildTool.UBAAgentCoordinatorHorde.<>c__DisplayClass7_0.<<Start>b__0>d.MoveNext() in D:\Dev\{PROJECT}_main\Engine\Source\Programs\UnrealBuildTool\Executors\UnrealBuildAccelerator\UBAAgentCoordinatorHorde.cs:line 894

Server.json

        "AuthMethod": "OpenIdConnect",
        "OidcAuthority": "https://login.microsoftonline.com/{ID}/v2.0",
        "OidcClientId": "{Clientid}",
        "OidcClientSecret": "{Secret}",
        "OidcSigninRedirect": "https://horde0.{project}/signin-oidc",
        "OidcAudience": "{APPID}",
        "OidcRequestedScopes": ["openid", "email","offline_access","profile"],
        

Steps to Reproduce
Try to build with UBA

Hey there,

Have you tried the suggested path regarding the config mismatch?

  1. OIDC config mismatch: Command-line auth requires a public OAuth/OIDC client, but a confidential client is configured (OidcClientSecret is set). This will prevent Horde’s C# client from signing in and block usage of Unreal Build Accelerator. To fix: Configure your OAuth/OIDC client as public (SPA/mobile/desktop) and remove the client secret

You’ll likely need to go to the Azure portal, and enable public client flows.

It likely doesn’t apply to this current issue, but we also have another good resource for Horde here. This describes some of the auth flows, and what the different token types can refer to.

Kind regards,

Julian

Hey Julian

Thanks for the response, but yeah we have public client flows enabled, and still hit the same brick wall.

I’ll take a read through the resource you linked tho and see if there is anything there that can help.

Thanks again

Hello, I also spent a lot of time setting up Azure SSO. One thing that may be the issue is “OidcClientSecret”, which is not necessary for a public client but can cause Horde to behave unexpectedly.

Also, note that by default on the Azure dashboard, Authority v2 is not used.

You need to edit the graph. You can verify that by decoding your token and checking which version is used.

Hope this helps :slight_smile:

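The token check suggested in the last reply, as an added example that is not part of the original thread or of Horde's code: it decodes a JWT payload without verifying the signature and compares `ver`, `iss` and `aud` with the `OidcAuthority` and `OidcAudience` values from Server.json. The tenant ID, app ID and both sample tokens are constructed placeholders, and the function names are hypothetical.

```python
import base64
import json

def _b64url(data: dict) -> str:
    """Encode a dict as an unpadded base64url JSON segment (sample tokens only)."""
    return base64.urlsafe_b64encode(json.dumps(data).encode()).rstrip(b"=").decode()

def make_sample_token(claims: dict) -> str:
    # Constructed, unsigned token for the demo; a real token carries a real signature.
    return ".".join([_b64url({"alg": "RS256", "typ": "JWT"}), _b64url(claims), "sig"])

def decode_claims(token: str) -> dict:
    """Return the payload claims WITHOUT verifying the signature (diagnosis only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))

def check_token(token: str, authority: str, audience: str) -> list[str]:
    """Compare a token's ver/iss/aud with the OidcAuthority/OidcAudience settings."""
    claims = decode_claims(token)
    findings = []
    if claims.get("ver") != "2.0":
        findings.append(f"ver={claims.get('ver')!r}: token is not v2.0")
    if claims.get("iss", "").rstrip("/") != authority.rstrip("/"):
        findings.append(f"iss={claims.get('iss')!r} does not match OidcAuthority")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        findings.append(f"aud={aud!r} does not match OidcAudience")
    return findings

TENANT = "00000000-0000-0000-0000-000000000000"   # placeholder tenant ID
APP_ID = "11111111-1111-1111-1111-111111111111"   # placeholder app (client) ID
AUTHORITY = f"https://login.microsoftonline.com/{TENANT}/v2.0"

# Constructed samples: a v1-style token (sts.windows.net issuer) and a v2.0 token.
V1_TOKEN = make_sample_token(
    {"ver": "1.0", "iss": f"https://sts.windows.net/{TENANT}/", "aud": f"api://{APP_ID}"})
V2_TOKEN = make_sample_token({"ver": "2.0", "iss": AUTHORITY, "aud": APP_ID})

if __name__ == "__main__":
    for name, tok in (("v1 sample", V1_TOKEN), ("v2 sample", V2_TOKEN)):
        print(name, check_token(tok, AUTHORITY, APP_ID) or "OK")
```
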