'ServerError (404)' after logging into vFunction Server via Azure OpenID Direct Connect
Overview of the Issue
This issue occurs in the following circumstances:
- A vFunction organization configures Azure OpenID Direct Connect (OIDC) by creating the Azure Application, modifying the Server’s server-installation.yaml and running the vFunction Upgrade Script
- An Azure user is added to the vFunction Server as an Administrator or as a user who has access to a vFunction App
- The user is authorized in the vFunction Server UI as well as to the Azure vFunction Application
- The user opens the vFunction Server address in a browser
- The user is redirected to login.microsoftonline.com and inputs / selects their email address
- Unexpectedly, the user sees a dialog box with ServerError (404) in the vFunction Server UI on the API call api/v1/users/self
Solution
The JSON Web Token (JWT) sent back from Microsoft Entra ID may not include the email address in a field that vFunction can process. vFunction first looks for a parameter named “email”. If that parameter does not exist, vFunction uses the parameter “sub” as a secondary option. In some cases, Azure OIDC may send back a hexadecimal string for the “sub” field rather than an email address. In this case, when vFunction looks up the user in the vFunction database for authorization, the hexadecimal string is not found as a valid user and this 404 error is generated.
Take the following steps to verify and fix this point of failure:
- Reproduce the issue in the vFunction Server UI with the F12 Developer’s Console open
- Find the API call generating the 404 error: api/v1/users/self
- In the Request Headers, find the Authorization field. The Value for this Key will start with “Bearer ____” followed by a very long encoded string. Copy this string
- Open a JSON Web Token (JWT) Debugger
- Paste the string into the Encoded Value field. Note that, in some browsers, you may need to Right-Click > Copy Value on the Authorization Value in the vFunction Server UI, as additional line break characters may be added if you drag to select and then copy with Control+C
- Review the Decoded Payload field to confirm that the Key “email” exists or that the field “sub” returns an email address. Below is an example of a problematic JWT that includes neither the “email” Key nor a valid email address in the “sub” field:
{
  "aud": "REMOVED_ID",
  "iss": "https://login.microsoftonline.com/REMOVED_ID/v2.0",
  "iat": 1764814425,
  "nbf": 1764814425,
  "exp": 1764818325,
  "name": "petertest2",
  "oid": "REMOVED_ID",
  "preferred_username": "petertest2@vfunction.onmicrosoft.com",
  "rh": "1.ASEA7vJi36sMU0GpbaO74MqyemLsBXo3r4dEtuatzWCyBYyGAMYhAA.",
  "sid": "REMOVED_ID",
  "sub": "upkyl0AlirfQM7Gqr-0o01vM0QS4T35Qlo3Gn-nvKks",
  "tid": "REMOVED_ID",
  "uti": "WI15AUZRR0-yctrGcBY3AQ",
  "ver": "2.0"
}
- As an Azure Administrator, open Microsoft Entra ID’s Admin Console’s Users section
- Select and then Edit the User seeing the vFunction 404 ServerError
- Add the user’s email address to the Contact Information > Email, then Save the changes

- Ask the user to log in again to the vFunction Server UI
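
The payload check from the steps above can also be run locally, so the bearer token does not have to be pasted into a third-party site. This is an added example, not vFunction code: `resolve_identity` is a model of the email-then-sub lookup described in the Solution section, and the sample token is constructed from the article's payload with a placeholder header and signature.

```python
import base64
import json
import re

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

def b64url(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

def decode_payload(token):
    """Decode the JWT payload. The signature is NOT verified: diagnosis only."""
    token = "".join(token.split())       # drop spaces and stray line breaks from copying
    if token.lower().startswith("bearer"):
        token = token[len("bearer"):]
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    body = parts[1] + "=" * (-len(parts[1]) % 4)   # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(body))

def resolve_identity(claims):
    """Assumed model of the lookup the article describes: 'email', then 'sub'."""
    for key in ("email", "sub"):
        if claims.get(key):
            return key, str(claims[key])
    return None, None

def diagnose(token):
    claim, value = resolve_identity(decode_payload(token))
    if claim is None:
        return "no 'email' or 'sub' claim present"
    if EMAIL_RE.match(value):
        return f"ok: '{claim}' carries {value}"
    return f"mismatch: '{claim}' is '{value}', not an email address"

# Constructed sample: claims taken from the article's payload; header and
# signature are placeholders.
CLAIMS = {
    "name": "petertest2",
    "preferred_username": "petertest2@vfunction.onmicrosoft.com",
    "sub": "upkyl0AlirfQM7Gqr-0o01vM0QS4T35Qlo3Gn-nvKks",
    "ver": "2.0",
}
SAMPLE = "Bearer " + ".".join([b64url({"alg": "RS256", "typ": "JWT"}), b64url(CLAIMS), "c2ln"])

if __name__ == "__main__":
    print(diagnose(SAMPLE))
```

A `mismatch` result on `sub` corresponds to the 404 case above; once the Email field is populated in Entra ID and the user logs in again, a fresh token should report `ok` on `email`.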