Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Microsoft Entra ID provider #2390

Merged
merged 20 commits into from
Dec 31, 2024
Merged

Conversation

jjlakis
Copy link
Contributor

@jjlakis jjlakis commented Jan 14, 2024

Microsoft Entra ID Provider

This PR contains a proposal for a new implementation of Azure provider, that:

  • Is a child type of OIDCPRovider
  • Supports group overage, multi-tenancy and V2 endpoint only - see Make AzureProvider a child type of OIDCProvider #2384
  • Prepares Azure provider to consume client assertion token exchange OIDC feature and thus support Azure Workload Identity.
  • Has all Azure permissions and multi-tenancy considerations recognized and covered in docs.
  • Replaces existing azure provider that is often misbehaving when it comes to permissions, groups and multi-tenancy.

Changes

New OIDC-compliant provider is added - ms-entra-id. Provider-specific configuration flags are:

  • --ms-entra-id-allowed-tenant=<tenant-id> - When specified, multi-tenant app authentication only allows tokens incomming from specific tenants.

Remarks:

  • There's no flag for Tenant ID - only OIDC issuer URL is needed
  • There's no groupGraphField support - RFC whether this is a valuable feature now or can be added separately.

Usage

Detailed usage instructions with different scenarios, permissions, multi-tenancy considerations and examples with Azure Portal and Terraform are added to provider documentation.

Features

Outside of the generic OIDC behavior, provider implements the following:

  • Group overage - custom implementation of EnrichSession() checks for group overage (If not disabled by --ms-entra-id-skip-graph-groups).
  • Allowed tenants for multi tenant apps - Multi-tenant apps require --insecure-oidc-skip-issuer-verification flag to be set. Custom implementaion of ValidateSession() fills the security gap by comparing Tenant ID from incomming token with list specified in --ms-entra-id-multi-tenant-allowed-tenant.

Other considerations

Scope

This provider requires scope to be set explicitly (openid for azure only, and openid profile email for MS personal accounts). Default behavior adds groups scope when --allowed-group is set. This claim isn't supported by Azure (it's also incompliant with OIDC). Fix proposed separately: #2392

Missing e-mail in claim

When Azure user has no e-mail set (for example: it's created quickly for testing), oauth2-proxy fails with 500 with following:

[2024/01/14 20:32:23] [oauthproxy.go:853] Error creating session during OAuth2 callback: neither the id_token nor the profileURL set an email

When e-mail is added, everything works as expected.

How this was tested

This was carefully manually tested on Kubernetes with Traefik forward auth middleware. Following scenarios were covered:

  • Single-tenant:
    • ✔ Minimal-permission app registration without groups claim enabled.
    • ✔ Minimal-permission app registration with groups claim enabled and with --allowed-group.
    • ✔ Group overage with --allowed-group + behavior for missing permissions.
  • Multi-tenant:
    • ✔ Minimal-permission app registration without groups claim enabled, tested from 2 tenants & personal MS accounts
    • ✔ Minimal-permission app registration with groups claim enabled and with --allowed-group, tested from 2 tenants & personal MS account
    • ✔ Group overage with --allowed-group, tested from 2 tenants & personal MS account, check behavior for missing permissions.
    • ✔ ms-entra-id-multi-tenant-allowed-tenants - tested various combinations with 2 tenants & personal MS account
  • Other tests
    • ✔ Docusaurus build

Implemented unit tests cover the corner cases - group overage & multi tenancy.

Related PRs and issues

Copy link
Member

@tuunit tuunit left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Some remarks I already have before doing a indepth review.

docs/docs/configuration/providers/azure_entra_oidc.md Outdated Show resolved Hide resolved
docs/static/img/azure-create-app-reg.gif Outdated Show resolved Hide resolved
providers/azure_entra_oidc.go Outdated Show resolved Hide resolved
pkg/apis/options/legacy_options.go Outdated Show resolved Hide resolved
@jjlakis jjlakis changed the title Azure OIDC proposal Add Microsoft Entra ID provider Jan 16, 2024
@jjlakis
Copy link
Contributor Author

jjlakis commented Jan 16, 2024

@tuunit I have renamed methods and settings to reflect Microsoft Entra ID name.

Copy link
Member

@kvanzuijlen kvanzuijlen left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I did a quick read-through of the documentation. @tuunit can you take a look at the Golang code?

Also, are we 100% sure the Azure AD code can be deleted immediately? As this would be a breaking change I think I'd slightly prefer the removal in a separate PR.

docs/docs/configuration/providers/index.md Outdated Show resolved Hide resolved
docs/docs/configuration/providers/ms_entra_id.md Outdated Show resolved Hide resolved
docs/docs/configuration/providers/ms_entra_id.md Outdated Show resolved Hide resolved
docs/docs/configuration/providers/ms_entra_id.md Outdated Show resolved Hide resolved
docs/docs/configuration/providers/ms_entra_id.md Outdated Show resolved Hide resolved
docs/docs/configuration/providers/ms_entra_id.md Outdated Show resolved Hide resolved
docs/docs/configuration/providers/ms_entra_id.md Outdated Show resolved Hide resolved
docs/docs/configuration/providers/ms_entra_id.md Outdated Show resolved Hide resolved
docs/docs/configuration/providers/ms_entra_id.md Outdated Show resolved Hide resolved
Copy link
Contributor

github-actions bot commented Apr 1, 2024

This pull request has been inactive for 60 days. If the pull request is still relevant please comment to re-activate the pull request. If no action is taken within 7 days, the pull request will be marked closed.

@github-actions github-actions bot added the Stale label Apr 1, 2024
@github-actions github-actions bot closed this Apr 9, 2024
@tuunit tuunit reopened this Apr 9, 2024
@tuunit tuunit removed the Stale label Apr 9, 2024
@jjlakis jjlakis force-pushed the azure-oidc-proposal branch from 98e291f to 58a7f7c Compare April 25, 2024 19:45
@jjlakis
Copy link
Contributor Author

jjlakis commented Apr 25, 2024

I have revisited & rebased. I've addressed documentation comments and tested with docusaurus. Documentation looks good:

image

I have also run so simple testes to ensure everything still works 👌

@jjlakis jjlakis force-pushed the azure-oidc-proposal branch from 549e96c to e273e8a Compare April 25, 2024 19:58
@JoelSpeed
Copy link
Member

In general, +1 to the direction this is going, will try to find time for a thorough review. Thank you for the in-depth analysis you've done there.

docs/docs/configuration/providers/index.md Outdated Show resolved Hide resolved
docs/static/azure-videos/create-app-reg.mkv Outdated Show resolved Hide resolved
docs/static/azure-videos/create-groups-claim.mkv Outdated Show resolved Hide resolved
docs/static/azure-videos/group-overage.mkv Outdated Show resolved Hide resolved
pkg/apis/options/legacy_options.go Outdated Show resolved Hide resolved
providers/ms_entra_id.go Outdated Show resolved Hide resolved
providers/ms_entra_id.go Show resolved Hide resolved
providers/ms_entra_id.go Outdated Show resolved Hide resolved
providers/ms_entra_id.go Outdated Show resolved Hide resolved
providers/ms_entra_id.go Outdated Show resolved Hide resolved
@jjlakis jjlakis changed the title Add Microsoft Entra ID provider Microsoft Entra ID provider May 20, 2024
@jjlakis jjlakis force-pushed the azure-oidc-proposal branch 2 times, most recently from 67dab69 to 21e69b5 Compare June 11, 2024 19:11
@jjlakis
Copy link
Contributor Author

jjlakis commented Jun 11, 2024

@tuunit I have rebased and addressed most of your comments 👌

@tuunit
Copy link
Member

tuunit commented Jun 24, 2024

@tuunit I have rebased and addressed most of your comments 👌

Amazing I'll try to do a review this week!

@tuunit
Copy link
Member

tuunit commented Jul 14, 2024

@jjlakis I've created an Azure test account and I'll do some testing tomorrow and on Tuesday. I hope that we can get this merged soon :)

Copy link
Contributor

This pull request has been inactive for 60 days. If the pull request is still relevant please comment to re-activate the pull request. If no action is taken within 7 days, the pull request will be marked closed.

@htpawel
Copy link

htpawel commented Dec 18, 2024

Hi! Any update on this? Do we have any ETA?

@jjlakis jjlakis force-pushed the azure-oidc-proposal branch from dfe9d6d to 6b0a955 Compare December 23, 2024 21:24
@jjlakis jjlakis force-pushed the azure-oidc-proposal branch from a089d48 to be79e5d Compare December 24, 2024 00:26
@github-actions github-actions bot removed the dependencies Pull requests that update a dependency file label Dec 24, 2024
### Example configurations
Single-tenant app without groups (*groups claim* not enabled). Consider using generic OIDC provider:
```shell
provider="entra-id"
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Perhaps at some point we should standardise these, so they are all, for example, PascalCase or something?

client_id="<client-id>"
client_secret="<client-secret>"
scope="openid"
allowed_groups=["ac51800c-2679-4ecb-8130-636380a3b491"]
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In the future, maybe it would be possible/better to have the group names/email addresses? But I guess that doesn't make things unique at the provider side 🤔

pkg/apis/options/providers.go Outdated Show resolved Hide resolved
providers/ms_entra_id.go Outdated Show resolved Hide resolved
}

if hasGroupOverage {
logger.Printf("entra overage found, reading groups from Graph API")
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we really want to log this?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As this is an exceptional case, I vote for keeping it.

@JoelSpeed JoelSpeed merged commit 5f188e5 into oauth2-proxy:master Dec 31, 2024
8 of 9 checks passed
@tuunit tuunit added this to the next milestone Jan 4, 2025
@d-led
Copy link

d-led commented Jan 17, 2025

tried it out. Works as desired. Nice work!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Development

Successfully merging this pull request may close these issues.

10 participants