Azure AD doesn't use the Admin fields to authenticate with #11614
Comments
@vincent99 I think this is a backend issue?
I believe the admin credentials are not used, so they are not needed. @aemneina can clarify on this case.
@aemneina Can I remove admin credentials from UI side?
I'm willing to believe that the creds are not tested during enabling auth, but don't think it's correct that they are not ever used at all (e.g. for determining the groups a user is a member of when using an account API key).
@vincent99 @loganhz we can remove the Admin credentials field from UI. Azure provider uses an Azure assigned accessToken and refreshToken pair to grab the user's groups - we store these tokens in the account table when the user logs in using his password. Anytime later we need to access the user's groups/details these tokens suffice. If the accessToken has expired, refreshToken helps get a new pair of these tokens that is then stored with the account. Thus even while using API keys, the tokens stored with the account are used and admin creds are not needed.
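The token handling described in the comment above, as an added example that is not part of the thread and is not Rancher's code: an API-key request resolves to an account, uses the token pair stored with it, and redeems the refresh token when the access token has expired. `FakeIdP`, `AccountStore`, the token strings and the retire-on-redeem behaviour are constructed stand-ins, not the Azure AD API.

```python
from dataclasses import dataclass

@dataclass
class TokenPair:
    access_token: str
    refresh_token: str
    expires_at: float  # time at which access_token stops working

class FakeIdP:
    """Constructed stand-in for the identity provider (not the Azure AD API)."""
    def __init__(self, groups_by_user):
        self.groups_by_user = groups_by_user
        self.access = {}    # access_token -> (user, expires_at)
        self.refresh = {}   # refresh_token -> user
        self.counter = 0

    def issue(self, user, now, ttl=3600):
        self.counter += 1
        pair = TokenPair(f"at-{self.counter}", f"rt-{self.counter}", now + ttl)
        self.access[pair.access_token] = (user, pair.expires_at)
        self.refresh[pair.refresh_token] = user
        return pair

    def redeem(self, refresh_token, now):
        # Assumption of this stand-in: a redeemed refresh token is retired.
        user = self.refresh.pop(refresh_token)
        return self.issue(user, now)

    def groups(self, access_token, now):
        user, expires_at = self.access[access_token]
        if now >= expires_at:
            raise PermissionError("access token expired")
        return self.groups_by_user[user]

class AccountStore:
    """Hypothetical account table: API key -> account id -> stored token pair."""
    def __init__(self, idp):
        self.idp, self.api_keys, self.tokens = idp, {}, {}

    def login(self, account_id, user, now):
        # Interactive login: the provider-issued pair is saved with the account.
        self.tokens[account_id] = self.idp.issue(user, now)

    def groups_for_api_key(self, api_key, now):
        account_id = self.api_keys[api_key]
        pair = self.tokens[account_id]
        if now >= pair.expires_at:
            # Expired: redeem the refresh token and persist the new pair.
            pair = self.tokens[account_id] = self.idp.redeem(pair.refresh_token, now)
        return self.idp.groups(pair.access_token, now)
```

No admin credential appears anywhere in the lookup path; the stored per-account pair is the only secret the group query depends on.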
I will test out the API keys use case and confirm my understanding noted above.
Yes, tested with API keys against 1.6 and pulled my user identities correctly; confirmed that AzureAD provider does not need admin creds for any backend functionality.
Rancher versions:
rancher/server: v1.6.14
Steps to Reproduce:
Results: