-
Notifications
You must be signed in to change notification settings - Fork 1.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Azure provider does not work when "resource" is used - fails to retrieve email #1144
Comments
Not sure if it helps for your use case, but in mine, with the app registration I was using for testing at least, I was able to use Azure AAD OAuth with both v1 and v2 tokens using absolutely no special logic whatsoever from the azure provider - instead I used the generic OIDC provider. Note that my tokens had a lot of default scopes enabled (all of them, for testing purposes). I haven't yet tried using generic Azure app registration tokens with limited scopes. Also note that in the azure app registration Manifest I set the accessTokenAcceptedVersion to "2" for it to actually issue v2 tokens from the v2 endpoint, otherwise it only issues v1 tokens even from the v2 endpoint. For v1 tokens I used the following (in addition to cookie secrets and other config):
For v2 tokens I used the following (in addition to cookie secrets and other config):
It's not yet clear to me what advantages, if any, there are in using the azure provider directly, especially since it apparently does not validate issuer. #1135 This is fine but not great, as if you're running a multi-tenant install, a better check would be to validate the issuer format matches what is expected, or maybe there's a generic issuer (perhaps v2?) that works in all cases. I don't have a multi-tenant use case currently, and I also don't know if I've set up my token with special scopes or not, though I did basically request all scopes in my token to test out how much data it can return for development purposes. The advantage of using v1 tokens is that if you use |
Hello, @ludydoo, I'm currently running into similar issues as I'm trying to set up oauth2-proxy to grab an access token to use with the Kubernetes dashboard. @weinong wrote a guide related to this, and implemented the PR (thanks to him, by the way). However, I can't get it to work either. I'm not familiar with go but by inspecting the code, recompiling and deploying locally, I actually discovered that your current issue is not that the returned id_token does not have an e-mail claim (you can actually configure that in the AAD App registration, in the "Token configuration" section). Based on your logs, you face the same issue I initially had, which is that, in order to extract this claim, the tokens need to be verified, which isn't done unless you configure the issuer with Once you do that, the tokens will be verified against the AAD OIDC endpoints, and the claims extracted, but now I'm facing the following:
So, despite this interesting fallback mechanism, all 3 methods fail - in my case, at least. Would anyone have some advice in order to get this to work ? My args:
|
@ludydoo check out my instruction at https://github.com/weinong/k8s-dashboard-with-aks-aad, I verified that it works with my AKS AAD cluster |
@weinong , from which token are you able to extract the email claim with your setup ? |
@nodranael id_token, I understand your scenario, that basically renders the fallback to access token useless in AKS AAD scenario. I'm still trying to think how it can be worked around |
well, after removing some token customizations I had made while trying to make this work, I changed |
I had the same issue and I solved it using However, it fails to refresh the cookie with the following error:
|
I started re-exploring the current Azure AD support through the generic oidc provider yesterday and I can confirm what @LouisStAmour said, as it seems to offer everything that is needed (and more, e.g. groups verification). I only managed to make it work with v2 tokens however. I gave up on v1 pretty early, so can't say much about chance of success, the only thing I know for sure is that v1 would need the If you miss this part (scope in v2 and resource in v1), access tokens are not validating anymore (as they are only meant for Azure Graph API). If you pass it properly, the access token is not usable anymore to get the profile info (which you have to pass the url first, via There are currently 2 options to this:
General question to @weinong @JoelSpeed does it actually make sense to continue supporting the Azure provider? Or does it maybe make sense to drop it and then document how to use the oidc provider for Azure? |
In general, where a provider is OIDC compatible, we are looking to deprecate the existing providers and either encourage people to use the OIDC provider directly or convert the existing providers to be extensions of the existing OIDC providers. So I think documenting using Azure on the OIDC provider would be great |
This issue has been inactive for 60 days. If the issue is still relevant please comment to re-activate the issue. If no action is taken within 7 days, the issue will be marked closed. |
@JoelSpeed I agree with you but to date, Azure is not providing an OIDC compliant provider. Please take a look here especially to my comment here |
This issue has been inactive for 60 days. If the issue is still relevant please comment to re-activate the issue. If no action is taken within 7 days, the issue will be marked closed. |
This is still an issue |
@pierluigilenoci What would your proposed route forward be here? We are in the process of refactoring a bunch of providers to rely more heavily on the OIDC provider, reducing our maintenance burden in the long term. We also just added a new keycloakOIDC provider and deprecated the old keycloak provider. Do you think it's worth looking into building a new OIDC based Azure provider that works with the V2 APIs but can also talk to the graph API to grab the groups? |
@JoelSpeed It is absolutely worth a try. |
This issue has been inactive for 60 days. If the issue is still relevant please comment to re-activate the issue. If no action is taken within 7 days, the issue will be marked closed. |
This is still an issue |
This issue has been inactive for 60 days. If the issue is still relevant please comment to re-activate the issue. If no action is taken within 7 days, the issue will be marked closed. |
still an issue |
Do we have any progess on this one? |
This issue has been inactive for 60 days. If the issue is still relevant please comment to re-activate the issue. If no action is taken within 7 days, the issue will be marked closed. |
still an issue |
This issue has been inactive for 60 days. If the issue is still relevant please comment to re-activate the issue. If no action is taken within 7 days, the issue will be marked closed. |
still an issue |
This issue has been inactive for 60 days. If the issue is still relevant please comment to re-activate the issue. If no action is taken within 7 days, the issue will be marked closed. |
still an issue |
This issue has been inactive for 60 days. If the issue is still relevant please comment to re-activate the issue. If no action is taken within 7 days, the issue will be marked closed. |
still an issue |
This issue has been inactive for 60 days. If the issue is still relevant please comment to re-activate the issue. If no action is taken within 7 days, the issue will be marked closed. |
This issue has been inactive for 60 days. If the issue is still relevant please comment to re-activate the issue. If no action is taken within 7 days, the issue will be marked closed. |
@ludydoo, is this still an issue? |
@pierluigilenoci It is still an issue, or at least was about a month ago which is when I tested |
I spent too much time trying to resolve this issue, so I hope this summary helps someone. This is what is working for me now. oauth2-proxy configuration:
To make sure that you are getting the right token, go to your instance on in my case, I was also having issues with my ingress nginx, as I upgraded the helm version and didn't notice that they changed the default for This is my ingress annotations:
This is what versions I'm using:
|
@ludydoo, could you please prepone [BUG] for the issue title? |
@NatiSayada Wow, thanks! It works for me now too. It seems I was missing |
on AKS 1.20.2, I'm using oauth2-proxy as a
ext-authz
extension for istio. I want to protectKiali
. Kiali has multiple authorization strategies, one of them being theheader
strategy, which would work perfectly withoauth2-proxy
. My goal is to forward the kubernetes user token, retrieved using oauth2-proxy from Azure Kubernetes AAD, to kiali, which would then use it to query the kubernetes resources.I basically want to get an access token to kubernetes through oauth2-proxy, through Azure Kubernetes AD, forward it to Kiali, then kiali would use that to query the Kubernetes API on behalf of the user.
On AKS, there's an integration with Active Directory for RBAC permissions, which is enabled in our clusters. The Kubernetes API is configured with an OpenID provider, being the public Azure Kubernetes AD. So users have to do
az aks get-credentials
, which guides them through an oidc flow, then configures theirkube.config
.I registered an Azure App, which has the Azure Graph
user.read
permission, as well as theuser.read
permission on theAzure Kubernetes AD
service. Theid
of this public service is6dae42f8-4368-4678-94ff-3960e28e3630
I can successfully login trough the istio
ext-authz
set up on our ingress gateway, then I'm redirected to kiali. But this does not forward the actual kubernetes token to kiali yet.If I set the
oauth2-proxy
resource
parameter to6dae42f8-4368-4678-94ff-3960e28e3630
(theAzure Kubernetes AD
), then there's an error. The error is that oauth2-proxy cannot retrieve the useremail
from the graph api (InvalidAudience)Since the
id_token
andaccess_token
returned by azure do not include the email,oauth2-proxy
tries to retrieve the email from thegraph
api. This works when theresource
parameter is not set, but if fails with anInvalidAudience
error if theresource
parameter is set.I tried setting the
oauth2-proxy
scope
arguments toopenid email profile
oropenid,email,profile
, but it seems that it does not include the email in the response.Back to the root of the error, I guess that the reason behind this is that the access token used to query the
graph
api is the token for the "protected resource" (in this case Azure Kubernetes AD) which does not have permission to query the Graph API.Expected Behavior
Current Behavior
Possible Solution
Your Environment
AKS 1.20.2
token received with the "resource" param:
The text was updated successfully, but these errors were encountered: