Summary
After an LXD daemon restart, OIDC login started returning 404 even though the OIDC configuration was still present and lxc info still listed oidc under auth_methods.
The issue was fixed by changing oidc.scopes and then setting it back, which appears to force LXD to recreate the OIDC verifier.
Environment
LXD version: 6.7
MicroCloud version: 3.2
Ubuntu: 22.04
Deployment: clustered LXD / MicroCloud
OIDC provider: Authentik (lxc container in the cluster itself)
Access path: reverse proxy in front of LXD HTTPS API/UI (nginx npm lxc container in the cluster itself, properly forwarded)
OIDC config was still present
lxc config show | grep -i oidc
Output:
oidc.audience: <client-id>
oidc.client.id: <client-id>
oidc.issuer: https://<auth-domain>/application/o/microcloud/
oidc.scopes: openid email profile
lxc info also showed:
auth_methods:
- tls
- bearer
- oidc
Actual behavior
The LXD API was reachable, but OIDC endpoints returned 404:
curl -vkI https://<lxd-domain>/
curl -vkI https://<lxd-domain>/1.0
curl -vkI https://<lxd-domain>/oidc/login
curl -vkI https://<lxd-domain>/oidc/callback
Observed:
/ -> HTTP 200
/1.0 -> HTTP 403
/oidc/login -> HTTP 404
/oidc/callback -> HTTP 404
Relevant log
Failed to setup OIDC verifier
err="Failed to ensure new verifier's configuration: Failed to get OIDC relying party: OpenID Provider Configuration Discovery has failed
Get \"https://<auth-domain>/application/o/microcloud/.well-known/openid-configuration\":
Unable to connect to: <auth-domain>:443 ([dial tcp <proxy-ip>:443: connect: no route to host])"
This happened during daemon startup when the OIDC provider/reverse proxy was temporarily unreachable.
Workaround
After the OIDC provider became reachable again, resetting an OIDC config value fixed the issue:
lxc config set oidc.scopes "openid email"
lxc config set oidc.scopes "openid email profile"
After that:
curl -vkI https://<lxd-domain>/oidc/login
returned:
HTTP 302
location: https://<auth-domain>/application/o/authorize/...
Expected behavior
If OIDC discovery fails during daemon startup, LXD should either retry discovery later or return a clear diagnostic error from /oidc/login.
Returning 404 is confusing because the OIDC config is still present and auth_methods still advertises oidc.
Suggested improvement
It would be helpful if LXD treated OIDC verifier setup as recoverable and retried discovery after startup failure, or lazily initialized the verifier when /oidc/login is requested.
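To make the suggested behaviour concrete, here is a small added Go example (not LXD's own code; the Verifier type, the discovery stub and the handler are assumptions) showing a verifier wrapper that retries discovery on demand instead of failing once at startup, and a /oidc/login handler that answers with a diagnostic 503 while the verifier is not ready rather than a bare 404. The simulated provider is unreachable for the first attempts and then comes back, reproducing the sequence from this report without the oidc.scopes change-and-revert workaround:

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"sync"
	"time"
)

// Verifier stands in for the OIDC verifier LXD builds from discovery
// (assumed type for this example, not LXD's own).
type Verifier struct {
	Issuer string
}

// discoverFunc performs OIDC provider discovery and returns a ready verifier.
type discoverFunc func() (*Verifier, error)

// lazyVerifier keeps retrying discovery on use until it succeeds, instead of
// giving up permanently when the provider is unreachable during daemon startup.
// minRetry rate-limits retries so a flood of logins does not hammer the provider.
type lazyVerifier struct {
	mu       sync.Mutex
	discover discoverFunc
	verifier *Verifier
	lastErr  error
	lastTry  time.Time
	attempts int
	minRetry time.Duration
}

func newLazyVerifier(d discoverFunc, minRetry time.Duration) *lazyVerifier {
	return &lazyVerifier{discover: d, minRetry: minRetry}
}

// get returns the cached verifier, or runs discovery if none is ready and the
// retry window has elapsed. Errors carry the last discovery failure so the
// caller can surface a useful diagnostic.
func (l *lazyVerifier) get() (*Verifier, error) {
	l.mu.Lock()
	defer l.mu.Unlock()
	if l.verifier != nil {
		return l.verifier, nil
	}
	if l.lastErr != nil && time.Since(l.lastTry) < l.minRetry {
		return nil, fmt.Errorf("OIDC verifier not ready (last discovery failed: %w)", l.lastErr)
	}
	l.attempts++
	l.lastTry = time.Now()
	v, err := l.discover()
	if err != nil {
		l.lastErr = err
		return nil, fmt.Errorf("OIDC verifier not ready (discovery attempt %d failed: %w)", l.attempts, err)
	}
	l.verifier, l.lastErr = v, nil
	return v, nil
}

// loginHandler is the /oidc/login equivalent: 503 with the discovery error
// while the verifier is unavailable, 302 to the provider once it is ready.
func loginHandler(l *lazyVerifier) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		v, err := l.get()
		if err != nil {
			http.Error(w, err.Error(), http.StatusServiceUnavailable)
			return
		}
		http.Redirect(w, r, v.Issuer+"authorize", http.StatusFound)
	}
}

// flakyDiscovery is a constructed stub: it fails `failures` times (provider or
// reverse proxy unreachable, as in the report) and then succeeds.
func flakyDiscovery(issuer string, failures int) discoverFunc {
	calls := 0
	return func() (*Verifier, error) {
		calls++
		if calls <= failures {
			return nil, errors.New("OpenID Provider Configuration Discovery has failed: no route to host")
		}
		return &Verifier{Issuer: issuer}, nil
	}
}

// probeLogin plays the role of `curl -I /oidc/login` and returns the status code.
func probeLogin(h http.Handler) int {
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, "/oidc/login", nil))
	return rec.Code
}

// simulateRestart: discovery fails twice at "startup", then the provider comes
// back and login recovers on its own. Returns the status codes of four probes.
func simulateRestart() []int {
	lv := newLazyVerifier(flakyDiscovery("https://auth.example.invalid/application/o/microcloud/", 2), 0)
	h := loginHandler(lv)
	var codes []int
	for i := 0; i < 4; i++ {
		codes = append(codes, probeLogin(h))
	}
	return codes // 503 503 302 302
}

// simulateBackoff shows the rate limit: with a one-hour retry window, three
// rapid probes against a still-failing provider trigger only one discovery attempt.
func simulateBackoff() int {
	lv := newLazyVerifier(flakyDiscovery("https://auth.example.invalid/", 5), time.Hour)
	h := loginHandler(lv)
	for i := 0; i < 3; i++ {
		probeLogin(h)
	}
	return lv.attempts // 1
}

func main() {
	fmt.Println(simulateRestart(), simulateBackoff())
}
```

The point of the wrapper is that a failed discovery leaves the verifier in a "not ready" state that the next login request can repair, and the 503 body tells the operator exactly why login is unavailable instead of suggesting the endpoint does not exist.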