
Conversation

@jjlakis
Contributor

@jjlakis jjlakis commented Jan 5, 2025

Description

This PR adds an additional flag to the Entra ID provider: entra_id_federated_token_auth_enabled. When enabled, oauth2-proxy exchanges the code for tokens by using the federated token projected in the well-known place by the Entra Workload Identity plugin.

This change introduces a custom implementation of Redeem(). When federated auth is enabled, tokens are retrieved by a custom query (with different parameters) and passed to the generic p.OIDCProvider.createSession().

Motivation and Context

Workload Identity in Entra allows you to stop using a hardcoded client secret, which is a huge benefit for IaC, reference architectures and secret management.

How Has This Been Tested?

E2E testing for the Entra provider has been extended to perform the same 15 cases that are performed with the client-secret configuration. Tests are passing properly.

Checklist:

  • My change requires a change to the documentation or CHANGELOG.
  • I have updated the documentation/CHANGELOG accordingly.
  • I have created a feature (non-master) branch for my PR.
  • I have written tests for my code changes.

@jjlakis jjlakis requested a review from a team as a code owner January 5, 2025 14:17
@jjlakis jjlakis force-pushed the wi branch 2 times, most recently from c57fe70 to 5c036ee Compare January 9, 2025 06:48
Member

@tuunit tuunit left a comment

LGTM

@tuunit tuunit added this to the next milestone Jan 11, 2025
@tuunit tuunit merged commit ae8fb08 into oauth2-proxy:master Jan 11, 2025
9 checks passed
g-linville pushed a commit to obot-platform/oauth2-proxy that referenced this pull request Jan 31, 2025