Closed
After the update from v7.2.0 to v7.2.1 the integration with the AAD stops working.
We analyzed the difference between the two versions and understood that our issue comes from this PR: #1433
The pod produces these log lines:
[2022/01/06 13:32:29] [internal_util.go:74] token validation request failed: status 401 - {"error":{"code":"InvalidAuthenticationToken","message":"Access token validation failure. Invalid audience.","innerError":{"date":"2022-01-06T13:32:29","request-id":"[REDACTED]","client-request-id":"[REDACTED]"}}}
[2022/01/06 13:32:29] [internal_util.go:69] 401 GET https://graph.microsoft.com/v1.0/me {"error":{"code":"InvalidAuthenticationToken","message":"Access token validation failure. Invalid audience.","innerError":{"date":"2022-01-06T13:32:29","request-id":"[REDACTED]","client-request-id":"[REDACTED]"}}}
10.5.1.44:59808 - [REDACTED] - [REDACTED] [2022/01/06 13:32:29] [AuthFailure] Session validation failed: Session{email:[REDACTED] user: PreferredUsername: token:true id_token:true created:2022-01-06 13:32:29.287771102 +0000 UTC m=+2927.613337671 expires:2022-01-06 14:44:17 +0000 UTC refresh_token:true}
We analyzed the code. Here is the code involved:
- https://github.com/oauth2-proxy/oauth2-proxy/blob/master/oauthproxy.go#L757-L762
- https://github.com/oauth2-proxy/oauth2-proxy/blob/master/providers/azure.go#L361-L363
- https://github.com/oauth2-proxy/oauth2-proxy/blob/master/providers/internal_util.go#L69
- https://github.com/oauth2-proxy/oauth2-proxy/blob/master/providers/internal_util.go#L74
Our pod is running in this way:
--http-address=0.0.0.0:4180
--metrics-address=0.0.0.0:44180
--azure-tenant=[REDACTED]
--cookie-domain=[REDACTED]
--cookie-expire=1h
--cookie-refresh=59m
--oidc-email-claim=sub
--oidc-issuer-url=https://sts.windows.net/[REDACTED]/
--pass-access-token=true
--pass-user-headers=true
--provider=azure
--resource=6dae42f8-4368-4678-94ff-3960e28e3630
--set-xauthrequest=true
--whitelist-domain=.[REDACTED]
--config=/etc/oauth2_proxy/oauth2_proxy.cfg
We use Managed AAD with our AKS clusters.
We configure OAuth2 Proxy to work with ADAL, but the validation request is made to MSAL.
We presume this problem is strictly connected to #1144 and #1231.
Expected Behavior
We expect the Azure provider to validate the token using the same Graph endpoint version, or at least to work.
Your Environment
- Version used: AKS 1.21.2
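To illustrate the failure in the logs above (an added example, not code from oauth2-proxy), this Go snippet decodes a token's aud claim and checks it against the audiences an API accepts before the token is ever sent: a token minted for the id passed to --resource carries that id as aud, not a Graph audience, which is exactly what graph.microsoft.com/v1.0/me rejects with 401 "Invalid audience". Function names, the placeholder signature and the accepted-audience list are assumptions; the claim is decoded, not verified, since verification is the resource server's job.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

// Audiences decodes (without verifying) the aud claim of a compact JWT; aud may be a string or an array.
func Audiences(token string) ([]string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("not a compact JWS")
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var claims struct{ Aud json.RawMessage `json:"aud"` }
	if err := json.Unmarshal(raw, &claims); err != nil {
		return nil, err
	}
	var one string
	if json.Unmarshal(claims.Aud, &one) == nil {
		return []string{one}, nil
	}
	var many []string
	if json.Unmarshal(claims.Aud, &many) != nil {
		return nil, errors.New("aud claim missing or malformed")
	}
	return many, nil
}

// AudienceMatches reports whether the token was issued for an audience the target API accepts.
func AudienceMatches(token string, accepted ...string) (bool, error) {
	auds, err := Audiences(token) // on error auds is nil and the loop is skipped
	for _, a := range auds {
		for _, want := range accepted {
			if a == want {
				return true, nil
			}
		}
	}
	return false, err
}

// SampleToken builds a constructed, unsigned token (placeholder signature) with the given aud.
func SampleToken(aud string) string {
	hdr := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"none","typ":"JWT"}`))
	pl, _ := json.Marshal(map[string]string{"aud": aud, "sub": "user"})
	return hdr + "." + base64.RawURLEncoding.EncodeToString(pl) + ".sig"
}
```

Running AudienceMatches on a token built for the --resource id from this issue against Graph's audiences returns false, which is the pre-flight equivalent of the 401 in the log.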