The internal vs external could be a problem if both addresses are not part of the certificate’s CN or Subject Alternative Name. Also, the
redirectURIs should probably point to the external address.
The way the Dex authentication works is that you come in from
ood0097ca.westeurope.cloudapp.azure.com and then will likely get redirected to
ood0097ca.westeurope.cloudapp.azure.com:5554 for Dex.
You can check your cert with something like
openssl x509 -noout -text -in /etc/ood/dex/ood0097ca.westeurope.cloudapp.azure.com.crt. The
Subject should have one of those internal or external addresses, like
CN=ood0097ca.westeurope.cloudapp.azure.com. You will then need to ensure there is an
X509v3 Subject Alternative Name with a value like
If possible, you should probably only use the external address with Dex and not use the internal address, since the external address is what Dex will see from user requests as well as what it needs to redirect back to. The default behavior of the ood-portal-generator is to use the address from the
servername config option and, if that’s not defined, to use the host’s FQDN. You could try adding this to
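As an added example (not code from the thread or from the Open OnDemand project), the following script automates the certificate check described above: it lists the Subject CN and every DNS Subject Alternative Name in a certificate and reports which of the hostnames a browser may be sent to (the external ood0097ca.westeurope.cloudapp.azure.com from the thread, plus an internal address) are not covered. The internal hostname ood0097ca.internal.example is a constructed placeholder, and the script builds its own self-signed test certificates with openssl so it runs offline; point cert_names or missing_names at the real /etc/ood/dex/*.crt file to check a live deployment.

```shell
#!/bin/sh
# Added example: check that the certificate served for Dex/OnDemand covers every
# hostname a browser might be redirected to. Not part of the original thread.

EXTERNAL=ood0097ca.westeurope.cloudapp.azure.com   # external name from the thread
INTERNAL=ood0097ca.internal.example                 # constructed placeholder internal name

# cert_names CERTFILE: print the Subject CN and every DNS Subject Alternative Name,
# one per line. These are the names a TLS client may match against.
cert_names() {
    # RFC2253 formatting yields "subject=CN=host" on every OpenSSL version
    openssl x509 -noout -subject -nameopt RFC2253 -in "$1" \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
    # "DNS:host" tokens from the X509v3 Subject Alternative Name extension
    openssl x509 -noout -text -in "$1" | grep -o 'DNS:[^, ]*' | sed 's/^DNS://'
}

# cert_has_name CERTFILE NAME: succeed if NAME appears as the CN or a DNS SAN.
cert_has_name() {
    cert_names "$1" | grep -qxF "$2"
}

# missing_names CERTFILE NAME...: print each NAME the certificate does not cover.
missing_names() {
    cert="$1"; shift
    for n in "$@"; do
        cert_has_name "$cert" "$n" || echo "$n"
    done
}

# make_self_signed_cert OUTFILE CN "DNS:a,DNS:b": constructed self-signed test
# certificate (1 day validity). A config file is used instead of -addext so it
# works on older OpenSSL releases as well.
make_self_signed_cert() {
    out="$1"; cn="$2"; sans="$3"
    cfg=$(mktemp)
    cat > "$cfg" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3
[dn]
CN = $cn
[v3]
subjectAltName = $sans
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$cfg" \
        -keyout "${out%.crt}.key" -out "$out" 2>/dev/null
    rm -f "$cfg"
}

# demo: the situation from the thread (cert only names the external address)
# next to the fix (both addresses present as SANs).
demo() {
    tmp=$(mktemp -d)
    make_self_signed_cert "$tmp/external-only.crt" "$EXTERNAL" "DNS:$EXTERNAL"
    echo "external-only.crt does not cover:"
    missing_names "$tmp/external-only.crt" "$EXTERNAL" "$INTERNAL"
    make_self_signed_cert "$tmp/both.crt" "$EXTERNAL" "DNS:$EXTERNAL,DNS:$INTERNAL"
    echo "both.crt does not cover:"
    missing_names "$tmp/both.crt" "$EXTERNAL" "$INTERNAL"
    rm -rf "$tmp"
}

demo
```

Current browsers match the server name against the Subject Alternative Name only and ignore the CN, so a certificate that carries the external address solely in its CN will still fail in the browser; the name must be present as a DNS SAN. If, as the post recommends, Dex is only ever reached via the external address, checking that one name with missing_names is sufficient.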