Configuring OpenID on Azure

[Vineeth-varma]

I am using Kiali-operator deployment. I just want to know how to make it https as for AzureAD integration we need https://:. I am not using Openshift. I am using k8's.

Help would be really appreciated.

[jmazzitelli]

(this is not a bug - moving to Q&A Discussions)

Take a look at the spec.server settings in the Kiali CR.

[jmazzitelli]

Also, you want to look at the spec.identity section. https://github.com/kiali/kiali-operator/blob/v1.45.1/deploy/kiali/kiali_cr.yaml#L778-L795

The custom_secrets section may also be useful: https://github.com/kiali/kiali-operator/blob/v1.45.1/deploy/kiali/kiali_cr.yaml#L215-L229

[Vineeth-varma]

(jmazzitelli updated this to add the triple-backticks to properly format the yaml below)

yes SSL is working fine. But I am facing issue with Azure AD. My Azure AD spec is:

    auth:
      strategy: "openid"
      openid:
        client_id: "<client_ID>"
        issuer_uri: "https://login.microsoftonline.com/<tenant_ID>/v2.0"
        api_token: access_token
        authentication_timeout: 300
        username_claim: "preferred_username"
        scopes:
        - "openid"
        - "profile"
        - "email"
        password: secret:kiali:oidc-secret

I am facing issue like "Authentication failed: Token is not valid or is expired: Unauthorized"

[jmazzitelli]

I am facing issue like "Authentication failed: Token is not valid or is expired: Unauthorized"

OK, then this isn't related to https... it is related to OpenID authentication. We have some information somewhere about setting up OpenID on Azure. Did you search the github issues and discussions? @israel-hdez might also have some pointers. I thought we wrote something up in the kiali.io docs for Azure openid configuration, but I'm not sure.

[israel-hdez]

I do not see the additional_request_params that are mentioned in the kiali docs. Perhaps, that's the missing config.

[Vineeth-varma]

Yes I am following the official kiali.io page, but still I am facing the issue.

[jmazzitelli]

I updated the title of this discussion to properly reflect the true subject of the discussion.

I would say follow this: https://kiali.io/docs/configuration/authentication/openid/#using-with-azure-aks-and-aad

If that does not work, you will have to provide some additional details about what on that page doesn't work. We do not have much expertise on the Azure platform, so we may not be able to help. If you find out what the issue is and fix it, and you think the docs can be improved, please submit a PR to the kiali.io docs with your suggested updates.

cc @israel-hdez

[jshaughn]

This is reposted here from #5707. cc @claudiuavat1

We have configured an Azure AD application and we are stuck at the step where Kiali has to process the authorization code.

The redirect from Azure AD looks to be correct:
https://login.microsoftonline.com//oauth2/v2.0/authorize?client_id=&response_type=code&redirect_uri=https:///kiali&scope=openid+profile+email&nonce=<...>&state=<..>&sso_reload=true
-> https:///kiali?code=0.ARI......&state=<...>&session_state=<...>

But the login fails in the UI with Authentication failed: request failed (HTTP response status = 401 Unauthorized), while the service logs show only this error ERR Not handling OpenId code flow authentication: no authorization code is present.

Kiali version: v1.59.0

The auth configuration we are using:

strategy: "openid"
openid:
api_token: "access_token"
client_id: ""
disable_rbac: true
http_proxy: "<corporate_proxy>"
https_proxy: "<corporate_proxy>"
insecure_skip_verify_tls: true
password: secret::oidc-secret
authentication_timeout: 300
authorization_endpoint: "https://login.microsoftonline.com//oauth2/v2.0/authorize"
token_endpoint: "https://login.microsoftonline.com//oauth2/v2.0/token"
issuer_uri: "https://login.microsoftonline.com//v2.0"
scopes:

• openid
• profile
• email
  username_claim: "preffered_username"
  I also tested with web_fqdn, web_schema and web_port, but it appears the values are autodetected correctly anyway.

Any help / guidance would be greatly appreciated. Thank you!

cc @israel-hdez

[israel-hdez]

@claudiuavat1 There is a short dedicated section for Azure in the docs, which I recommend you to read: https://kiali.io/docs/configuration/authentication/openid/#using-with-azure-aks-and-aad.

You have set the password and token_endpoint configs, which does not exist in Kiali. So, I recommend you to remove these configs. I also suggest you to remove the authorization_endpoint config as it should be discovered automatically.

The Authentication failed: request failed (HTTP response status = 401 Unauthorized) suggests that the required OpenID secret/password is not configured properly. The OpenID provider secret is configured using the very first command mentioned in this section of the docs: https://kiali.io/docs/configuration/authentication/openid/#set-up-with-no-rbac-support.

Please, tell how you are installing Kiali: using the operator? or kiali-server helm charts?

[claudiuavat1]

Thank you, Jay and Edgar!

Based on my troubleshooting, Azure AD is performing step 3 - "Returns an authorization code" correctly through a redirect. As described here: Protocol details.

Based on the log entry, it appears that this function that verifies parameters is the one failing the flow:

kiali/business/authentication/openid_auth_controller.go

Line 316 in 4b41574

checkOpenIdAuthorizationCodeFlowParams().

The function that picks up the parameters does try to pick up id_token, which does not exist yet. Could that be the problem?

kiali/business/authentication/openid_auth_controller.go

Line 532 in 4b41574

func (p *openidFlowHelper) extractOpenIdCallbackParams(r *http.Request) *openidFlowHelper {

It's not failing on nonce and state, which makes me believe the request is handled properly. But there isn't anything special with state from what I can tell, which is also present.

[claudiuavat1]

@claudiuavat1 There is a short dedicated section for Azure in the docs, which I recommend you to read: https://kiali.io/docs/configuration/authentication/openid/#using-with-azure-aks-and-aad.

You have set the password and token_endpoint configs, which does not exist in Kiali. So, I recommend you to remove these configs. I also suggest you to remove the authorization_endpoint config as it should be discovered automatically.

The Authentication failed: request failed (HTTP response status = 401 Unauthorized) suggests that the required OpenID secret/password is not configured properly. The OpenID provider secret is configured using the very first command mentioned in this section of the docs: https://kiali.io/docs/configuration/authentication/openid/#set-up-with-no-rbac-support.

Please, tell how you are installing Kiali: using the operator? or kiali-server helm charts?

Hi Edgar,

Thank you for your quick response! I will perform the cleanup and review the secret setup in the next few minutes.

[claudiuavat1]

That worked, I am so thrilled, thank you!!

I am using kiali server helm charts (gitops and ArgoCD + pipeline orchestration for controlled rollout into multiple clusters).

In retrospective, the documentation is very clear. My mind just played tricks on me as I scanned several conversations and documents.
Btw, the azure aks and aad document didn't apply to my setup (EKS in AWS with self-management of eco-system components).

The setup that is live and working:
strategy: "openid"
openid:
api_token: "access_token"
client_id: ""
disable_rbac: true
http_proxy: "<corporate_proxy>"
https_proxy: "<corporate_proxy>"
insecure_skip_verify_tls: true
authentication_timeout: 300
issuer_uri: "https://login.microsoftonline.com//v2.0"
scopes:

openid
profile
email
username_claim: "preffered_username"

• making sure the secret has the correct name (kiali).