
Comments (11)

betabandido avatar betabandido commented on July 19, 2024 5

@AMoghrabi No, I didn't. A little after reporting this I stopped using Azure to authenticate, so I didn't continue looking for a solution.

from oauth2-proxy.

JoelSpeed avatar JoelSpeed commented on July 19, 2024

I'm wondering if you could attempt to set up the OIDC provider to point to Azure? You could try the OIDC issuer as https://login.microsoftonline.com/<tenant> and see what happens?


maxh8086 avatar maxh8086 commented on July 19, 2024

Pointing to a similar resolution for ADFS:

https://docs.microsoft.com/en-us/azure/active-directory/develop/v1-protocols-oauth-code

https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow


betabandido avatar betabandido commented on July 19, 2024

@JoelSpeed I have tried using the OIDC provider, but I have run into a few issues.

First, the issuer returned by Azure is not the same as the one sent. So, I get the following error from https://github.com/coreos/go-oidc/blob/v2/oidc.go#L123

oidc: issuer did not match the issuer returned by provider,
expected "https://login.microsoftonline.com/<tenant-id>"
got "https://sts.windows.net/<tenant-id>/"

I manually disabled the check in the go-oidc library and the different provider parameters (authURL, tokenURL, etc.) seem to be actually obtained successfully.

The second problem occurs at https://github.com/pusher/oauth2_proxy/blob/master/providers/oidc.go#L119

The token returned by Azure does not contain the email in the sub field (it is instead in the upn field). That means I cannot specify email addresses with -email-domain=<some domain>.

I hardcoded the email, compiled again and, after running the proxy again, the authentication was completed successfully.

Given that fixing one of the issues involves changing the go-oidc library, it is not clear to me whether there is an easy fix for this issue. What do you think?


ploxiln avatar ploxiln commented on July 19, 2024

It seems like OpenID Connect is just as inconsistently implemented as OAuth2, and separate "provider" code tends to be needed for each ... it's just especially unfortunate that there seem to be 2 or 3 different Microsoft products with "Azure" in the name that all need different "provider" code to handle their quirks.


maxh8086 avatar maxh8086 commented on July 19, 2024

Microsoft expects the resource (the actual consumer of the token) to be included in every request sent by oauth2-proxy in order to respond with the right audience. The same happens in ADFS. Sample output has been shared for the ADFS request.


betabandido avatar betabandido commented on July 19, 2024

@maxh8086 I suppose that is only the case for the oauth2 code grant, but not for the openid protocol (documentation does not list any resource field in the request for the latter). I believe there is no way to make this work using the openid protocol.

I can confirm that using the oauth2 code grant (where an extra request is needed to get the token) returns a token with the audience containing the spn: prefix. For this to work I believe it is necessary to specify spn:your client id as the resource field in the first request, and then use api-version: 1.0 in the second request (to exchange the obtained code for the token).


maxh8086 avatar maxh8086 commented on July 19, 2024

For Microsoft, the resource is the web API that intends to consume the token. Yes, you are right that OpenID does not document it in a way that states the resource in grant type code / authorization code, but this is how Microsoft has implemented its ADFS / Azure AD. Although I believe it makes clear the intention of the token-requesting application: that the code will be consumed by a third party (Kubernetes API), not by the requestor (proxy). This has been tested with another app with the help of the application owner, and we were able to get all custom grants using the method stated in the Microsoft article.


github-actions avatar github-actions commented on July 19, 2024

This issue has been inactive for 60 days. If the issue is still relevant please comment to re-activate the issue. If no action is taken within 7 days, the issue will be marked closed.


Fez29 avatar Fez29 commented on July 19, 2024

@JoelSpeed @ploxiln I suspect the issues I am having with Azure AD are related to the issues mentioned in this post: #502. I am seeing very similar behavior, with issues with the issuer, audience etc.


AMoghrabi avatar AMoghrabi commented on July 19, 2024

Hi @betabandido. Did you end up solving this problem? I get the same error as you:

Unable to authenticate the request due to an error: [invalid bearer token, oidc: verify token: oidc: expected audience "spn:{client_id}" got ["{client_id}"]]

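The Azure AD v1 quirks this thread turns on (the issuer coming back as https://sts.windows.net/<tenant>/ rather than the login.microsoftonline.com URL, the audience carrying an spn: prefix, and the identity sitting in upn rather than sub), as an added Go example that is not oauth2-proxy's or go-oidc's code: instead of disabling the issuer check as described above, it pins the issuer Azure actually returns and accepts both audience forms. It assumes the tenant and client ids are supplied by the caller and, being a standard-library-only sketch, does not verify the token signature or expiry, which the OIDC library must still do against the tenant's JWKS.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

type Claims struct { // Azure AD v1 token fields discussed in the thread
	Iss   string `json:"iss"`
	Aud   string `json:"aud"`
	Email string `json:"email"`
	UPN   string `json:"upn"`
}

// CheckClaims pins the issuer Azure AD v1 really returns (sts.windows.net/<tenant>/)
// and accepts the "spn:" audience prefix; signature and expiry are NOT checked here.
func CheckClaims(raw, tenantID, clientID string) (string, error) {
	parts := strings.Split(raw, ".")
	if len(parts) != 3 {
		return "", fmt.Errorf("malformed JWT")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return "", err
	}
	var c Claims
	if err := json.Unmarshal(payload, &c); err != nil {
		return "", err
	}
	if want := "https://sts.windows.net/" + tenantID + "/"; c.Iss != want {
		return "", fmt.Errorf("issuer mismatch: expected %q got %q", want, c.Iss)
	}
	if c.Aud != clientID && c.Aud != "spn:"+clientID {
		return "", fmt.Errorf("audience mismatch: expected %q got %q", clientID, c.Aud)
	}
	for _, id := range []string{c.Email, c.UPN} { // v1 tokens carry it in upn, not sub
		if id != "" {
			return id, nil
		}
	}
	return "", fmt.Errorf("token carries neither email nor upn")
}

func unsignedToken(c Claims) string { // constructed, unsigned demo token (not from Azure)
	hdr := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"none"}`))
	body, _ := json.Marshal(c)
	return hdr + "." + base64.RawURLEncoding.EncodeToString(body) + "."
}
```

The placeholder values TENANT-ID and CLIENT-ID used when calling it stand in for the real tenant and application ids.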
