Issues with Microsoft Entra ID (former Azure AD) authentication #379
Comments
Thanks for bringing this up. I think I need some time to investigate here. If you found a solution meanwhile I am eager to hear about it :)
Unfortunately, I'm not so familiar with Quarkus and Java, but I understand that for Entra ID (AAD) tokens a customized token verification process needs to be used. The PR I mentioned before contains code that allows for such customization.
All good, it's cool that you brought that up. I am still a bit short on time currently, but I will try to investigate as soon as I find time :)
@GrzegorzHejman after researching a bit, I have a follow-up question. Did you set AUTH_PROVIDER to
@PacoVK I was unable to make it work with AUTH_PROVIDER, but I used the environment variable QUARKUS_OIDC_TOKEN_CUSTOMIZER_NAME='azure-access-token-customizer', which seems to have resolved the issue.
Awesome that you were able to fix this. I'll make sure to make it a bit more convenient for future use.
@PacoVK can I find any information on how to set this up using Entra ID auth? I tried the following parameters but they don't seem to work: I want to change the redirect URI of Quarkus in Tapir.
Hey @cedricbraekevelt, I think you need to follow #379 (comment) and set
Hi @PacoVK, thanks for the answer; however, the issue I'm experiencing is that I can't seem to figure out how to set the callback URL in Tapir for the App Registration. The callback URL in my App Registration is: https://tapir.{DOMAIN}.com/.auth/login/aad/callback. However, when I go to the application, it tries to redirect me to http://tapir.{DOMAIN}.com/. HTTP is not allowed on App Registrations (except for localhost), but since this is running in Azure Container Apps I'm guessing this is not a solution? PS: I tried setting both AUTH_TOKEN_PATH and AUTH_PATH but it didn't seem to make a difference in the callback URL.
@cedricbraekevelt, to configure redirection you can try: QUARKUS_OIDC_AUTHENTICATION_FORCE_REDIRECT_HTTPS_SCHEME='true' Please also try to remove AUTH_PROVIDER and use: With those two changes I was able to get the token. The problem I faced then was that the token was issued from the STS endpoint, not the expected one. I didn't have time to test it more, but it's related to the app registration and token configuration on the Entra ID side. Generally, it needs to be configured to issue v2 tokens, but I haven't figured out that part yet.
@GrzegorzHejman @PacoVK Thanks, I've come further however the next error I'm receiving:
Sorry for being so helpless but this is unknown terrain for me :) However, I'd really like a Terraform registry
@cedricbraekevelt, I'm not sure if this helps, but please try to add "/" to the end of the AUTH_ENDPOINT:
@GrzegorzHejman I already changed the AUTH_ENDPOINT to https://sts.windows.net/{TENANT}/ because I got another error related to the issuer not matching. However, the extra "/" doesn't seem to matter for the introspection error.
@PacoVK would it be possible to provide a reference config of the auth parameters / specific App Registration settings to get this to work? :-)
Hi @PacoVK, @GrzegorzHejman, I made it work by using these settings: However, the thing that I can't get to work is how to become "admin".
Just to add my voice to @cedricbraekevelt's. I'm also trying to get SSO working on Azure. I'm using the same settings as the previous reply and I've also tried the same. On my end users correctly authenticate but are landing with no admin role.
Hi @TomBeckett, @PacoVK, I've found the following guide which, according to your code, does what should be required:
Thanks @cedricbraekevelt for your time on the investigation. I need a bit of time but I will take a look at this soon. Could you please do me a favor and let me know what an example token issued by Azure looks like? I already have a guess what the solution could be. Please ensure to not paste a valid token 😊
Hi @PacoVK, @TomBeckett, today I've been able to find out some more: QUARKUS_OIDC_ROLES_ROLE_CLAIM_PATH = roles because by default Quarkus looks for groups in Keycloak. However, this last entry breaks Tapir and I'm unable to log in anymore. This results in the following JWT token:
The reason, according to the logs in Azure Container Apps, that the page fails to load with this token is the following:
Without the QUARKUS_OIDC_AUTHENTICATION_SCOPES setting I get the following JWT token:
Things that I find interesting:
Hope this helps you further :-) PS: still using 7.0.0 because Docker Hub latest refers to 7.0.0 I think :p
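Several replies in this thread turn on what the Entra-issued token actually contains: whether the issuer is the v1 `https://sts.windows.net/{tenant}/` form or the v2 `login.microsoftonline.com/{tenant}/v2.0` form, whether it matches the configured AUTH_ENDPOINT character for character (the trailing "/" problem), and whether a `roles` claim is present for the admin mapping. The script below is an added diagnostic example, not code from Tapir, Quarkus or any participant in this thread. It builds two constructed sample tokens (placeholder tenant and client ids, a throwaway HS256 key) and only decodes the payload; it deliberately does not verify the signature, since that is Quarkus's job against the tenant's JWKS. The helper names (`inspect_entra_token`, `make_sample_token`) are assumptions for this example.

```python
import base64
import hashlib
import hmac
import json

# Constructed placeholders; not real tenant or application ids.
SAMPLE_TENANT = "00000000-0000-0000-0000-000000000000"
SAMPLE_CLIENT_ID = "11111111-1111-1111-1111-111111111111"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_sample_token(claims: dict) -> str:
    """Build a three-part JWT string for testing. The HS256 key is a
    throwaway constant, so the signature is meaningless and is never checked."""
    header = {"typ": "JWT", "alg": "HS256", "kid": "sample-kid"}
    compact = lambda obj: json.dumps(obj, separators=(",", ":")).encode()
    signing_input = _b64url(compact(header)) + "." + _b64url(compact(claims))
    sig = hmac.new(b"sample-key-not-a-real-secret", signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def decode_claims(token: str) -> dict:
    """Decode the payload segment only. No signature verification: use this to
    look at claims while debugging, never to make an authorization decision."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS/JWT (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def inspect_entra_token(token: str, configured_issuer: str) -> dict:
    """Summarise the claims that matter for the Quarkus OIDC settings discussed
    in this thread: issuer format/version, exact issuer match, roles, audience."""
    claims = decode_claims(token)
    iss = claims.get("iss", "")
    ver = claims.get("ver")
    # v1 tokens carry ver "1.0" and an sts.windows.net issuer with a trailing slash;
    # v2 tokens carry ver "2.0" and a login.microsoftonline.com/{tenant}/v2.0 issuer.
    is_v1 = ver == "1.0" or iss.startswith("https://sts.windows.net/")
    return {
        "issuer": iss,
        "version": ver,
        "is_v1": is_v1,
        # Issuer validation is an exact string comparison, so "/" vs no "/" matters.
        "issuer_matches": iss == configured_issuer,
        "issuer_matches_ignoring_slash": iss.rstrip("/") == configured_issuer.rstrip("/"),
        # App roles assigned in the App Registration land in "roles";
        # Keycloak-style group membership would be under "groups".
        "roles": claims.get("roles", []),
        "has_groups_claim": "groups" in claims,
        "audience": claims.get("aud"),
    }


# Constructed sample tokens in the two issuer formats.
V1_TOKEN = make_sample_token({
    "iss": f"https://sts.windows.net/{SAMPLE_TENANT}/",
    "ver": "1.0",
    "aud": SAMPLE_CLIENT_ID,
    "roles": ["admin"],
})
V2_TOKEN = make_sample_token({
    "iss": f"https://login.microsoftonline.com/{SAMPLE_TENANT}/v2.0",
    "ver": "2.0",
    "aud": SAMPLE_CLIENT_ID,
})

if __name__ == "__main__":
    # Configured without the trailing slash, as in the replies above.
    endpoint = f"https://sts.windows.net/{SAMPLE_TENANT}"
    print(json.dumps(inspect_entra_token(V1_TOKEN, endpoint), indent=2))
    print(json.dumps(inspect_entra_token(V2_TOKEN, endpoint), indent=2))
```

Paste a real token only into a local copy of this and only after it has expired; the point is to compare `issuer` with your AUTH_ENDPOINT value and to confirm `roles` is present in the ID token before pointing QUARKUS_OIDC_ROLES_ROLE_CLAIM_PATH at it.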
We've managed to get Tapir working using the following settings:

```hcl
env {
  name  = "QUARKUS_OIDC_PROVIDER"
  value = "microsoft"
}
env {
  name  = "QUARKUS_OIDC_TOKEN_CUSTOMIZER_NAME"
  value = "azure-access-token-customizer"
}
env {
  name  = "QUARKUS_OIDC_ROLES_ROLE_CLAIM_PATH"
  value = "roles"
}
env {
  name  = "QUARKUS_OIDC_ROLES_SOURCE"
  value = "idtoken"
}
env {
  name  = "QUARKUS_OIDC_AUTHENTICATION_FORCE_REDIRECT_HTTPS_SCHEME"
  value = true
}
env {
  name  = "QUARKUS_HTTP_CORS_ORIGINS"
  value = "*" // INJECT NAME
}
env {
  name  = "AUTH_ENDPOINT"
  value = var.auth_endpoint
}
env {
  name  = "AUTH_CLIENT_ID"
  value = var.auth_client_id
}
env {
  name        = "AUTH_CLIENT_SECRET"
  secret_name = var.auth_client_secret_vault_name
}
```

I should also mention we've had to roll back to

EDIT: I raised a separate issue and PR for the 404 mentioned above.
I can confirm the above settings work. I also have the same issue with 0.7.1 and am using 0.7.0 now. Thanks for the solution @TomBeckett. Looking forward to an update to fix 0.7.1 :) PS: I'm having an issue when creating any type of deploy key
I tried all the above suggestions/fixes but am still getting errors. Any suggestion?
@all-contributors please add @GrzegorzHejman for bug
I've put up a pull request to add @GrzegorzHejman! 🎉
@all-contributors please add @cedricbraekevelt for bug
I've put up a pull request to add @cedricbraekevelt! 🎉
Has anyone tried to use Microsoft Entra ID (former Azure AD) as an OIDC IDP? When I try to configure it, it seems to work ok (Tapir gets the correct token), except I get the token verification error:
ERROR [io.qua.oid.run.CodeAuthenticationMechanism] (vert.x-eventloop-thread-1) ID token verification has failed: JWT rejected due to invalid signature.
I've found this information related to the same or very similar issue:
quarkusio/quarkus#32701
And it seems that this PR enables verification customization to work with Azure AD tokens:
quarkusio/quarkus#33319