Azure Active Directory - External users #314
Comments
|
thanks @ReneHezser. Sorry for the delay in responding to your issue. @simongottschlag @artagel do either of you have an opinion on this? @ReneHezser just to be clear, you're suggesting plucking the |
|
@ReneHezser @bnfinet if we change anything, it should be based on Azure AD v2 access token and not v1 - to future proof the solution. I think we get a claim called preferred_username in the v2 token which should be correct for both internal users and guests. (Important to remember that the value is mutable) @ReneHezser can you change the AAD app to issue v2 tokens and verify that it looks correct with the guest? |
|
Hi @simongottschlag. To be honest I need to check again, as I am not 100% certain it was not a configuration issue. But you should be able to quickly reproduce this by adding a live/hotmail/whatever account as external account to your AAD and use that user to login. |
|
The app registration should be set to V2 (from the manifest Here is my config.yaml: oauth:
provider: azure
client_id: ...
client_secret: ...
auth_url: https://login.microsoftonline.com/.../oauth2/v2.0/authorize
token_url: https://login.microsoftonline.com/.../oauth2/v2.0/token
callback_url: https://login.........org/auth
user_info_url: https://graph.microsoft.com/v1.0/me
scopes:
- openid
- email
- profileWith the user info url I am not sure what to put in. I also tried Hmm. I don't get it. Where does the UPN come from? I don't see it being set? Not in the above and not in structs.go |
|
Hi @bnfinet @ReneHezser, I've created a PR to see if this helps you: #320 If you add oauth.azure_token = id_token and see if it works. I'm really bad at Golang and programming overall, please excuse any rookie mistakes. :) Any changes to the PR are appreciated. |
|
The PR is working. 🥳 And when I add rene.hezser_....com#EXT#@....onmicrosoft.com to the whitelist, I can access the protected website. |
|
Simon you're a champ! Thanks so much for the contribution and for
continuing to support the MS/AD/AAD side of VP.
And thanks for testing the PR Rene.
I'll take a look in the next few days.
Cheers
…On Tue, Oct 6, 2020, 12:45 AM René Hézser ***@***.***> wrote:
The PR is working. 🥳
{"level":"debug","ts":1601969781.0134058,"msg":"azure GetUserInfo: getting user info from token: ***@***.***\",\"idp\":\"https://sts.windows.net/.../\",\"name\":\"René Hézser ***@***.******@***.***\",\"uti\":\"...\",\"ver\":\"2.0\"}"}
{"level":"info","ts":1601969781.0136652,"msg":"azure GetUserInfo: User: ***@***.*** Name:René Hézser (MS) ***@***.*** CreatedOn:0 LastUpdate:0 ID:0 TeamMemberships:[]}"}
{"level":"debug","ts":1601969781.0136998,"msg":"/auth Claims from userinfo: ***@***.***}"}
{"level":"error","ts":1601969781.0137134,"msg":"/auth User is not authorized: verifyUser: user.Username not found in WhiteList: ***@***.*** . Please try again or seek support from your administrator"}
And when I add ***@***.*** to the
whitelist, I can access the protected website.
I also tested a normal AAD user, and it still works.
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#314 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAJUV246CV4YPSWFJMBIJOTSJLDIXANCNFSM4RHXDXLQ>
.
|
|
any luck this can be merged to master? |
|
@xtra-be I'm looking at this now and would like to merge to master in the coming days. Would you be in a position to help test? |
|
yes happy to test we have a use case with external guests where this is a blocker |
|
has this allready been commit to the main branch? |
|
@xtra-be no I was waiting for you to test the PR with the additional code. My apologies if that was not clear. If you could supply a log that shows it working to a gist that works be very helpful. |
|
can you provide me with a build to test? |
|
Look at do.sh, it includes a build command
…On Wed, Dec 16, 2020, 9:47 PM xtra-be ***@***.***> wrote:
can you provide me with a build to test?
i'm not that good in compiling go code :-(
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#314 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAJUV22ZBFJT4CAUK556V6DSVGLPHANCNFSM4RHXDXLQ>
.
|
|
as i say not realy good at go when i try to build i get following error: ./do.sh build go.uber.org/multierr../go.uber.org/multierr/error.go:197:6: undefined: errors.As |
|
Hi, I just performed a new build and tried the patch in our testing environment. Unfortunately, it seems to be completely broken: |
|
@jdavid5815 thank you for testing the PR With that log I can't rule out that this error (panic) is configuration related. Could you please upload config and logs (full round trip) to a gist in the manner described in the README. Thanks again. |
|
@xtra-be the README includes instructions on how to build VP. If those instructions do not work for you, could you please work to improve them |
|
hello @bnfinet |
|
@xtra-be If you could please supply a log that shows it working to a gist that would be very helpful. |
|
@ReneHezser @simongottschlag @jdavid5815 Would any of you be in a position to test this PR, and if there is an error could you please upload your config and log as per the README. I would like to merge this work but given the inconsistent results I'm not comfortable doing so quite yet. Thanks to @simongottschlag for the code and all for the help and support of VP. |
|
Hello. Complete newbie here but I have a similar use case: AzureAD with both native and guest users. Not sure if any of this will be helpful, but here is some info about what guests vs. normal users look like in my AzureAD tenant. For guest users, they don't have a UPN in Here's what my two users look like (I didn't know what sensitive stuff to remove, so I removed everything that looked like a hash, encoding, or GUID value): AzureAD user - shown as "arion@AZUREAD" for email address: AzureAD guest - shown as "arion@GUEST" for email address: According to Microsoft's docs,
|
|
Hello, I just encountered the issue too, and it's high priority for me because all users in my AD are guest users. I just built the above PR (simongottschlag@6d8b79a) and deployed it to our service kubernetes cluster, in conjunction with nginx-ingress it is working like a charm :-) See config and log files here: https://gist.github.com/acm-073/c7d91bca67c882c1e22e2aa8b4499bc4 I hope this helps in getting this PR ready to merge... the feature is very much wanted on our side. Thanks & best regards |
AAD external users cannot be authenticated
An AAD user can authenticate, an external user within the same AAD is not able to autenticate.
I've identified the behavior being an empty username/UserPrincipalName of external users in AAD.
This is the log from vouch:
Using the Graph Explorer I can see that the userPrincipalName is null for an external user.
If I look at the code, would it make sense to check for an empty Username again after this line and set it from the email property?
Below is the result from Graph Explorer for 1) an AAD user and 2) an external account.
Some more information from
azure GetUserInfo: getting user info from accessToken:The text was updated successfully, but these errors were encountered: