-
Notifications
You must be signed in to change notification settings - Fork 188
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
sso-auth: Azure AD provider #118
base: main
Are you sure you want to change the base?
Conversation
52f78d9
to
7b9fb26
Compare
Hey Bob - Thanks for this sizable contribution! We really appreciate the work.
I've only taken a brief look so far, but if the OIDC support is orthogonal to using Azure AD as an identity provider, then we might think about splitting OIDC into a separate PR - This PR is already fairly large, and splitting off the OIDC work will make things easier to digest and review. Happy to discuss - Thoughts? |
It's not orthogonal. The Azure AD provider uses OIDC under the hood, but it additionally introduces groups support that's not part of OIDC. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Mostly stylistic and comment nitpicks - Looking good!
Just leaving a message of encouragement because I'm really looking forward this 👍 |
@sporkmonger If you move forward with @katzdm reviews I'll will be happy to test it in my organization. Cheers. |
Hey, sorry about delay on this. Was fully occupied w/ KubeCon stuff for a bit. I expect I should be able to tackle the review comments within the next week or so. |
No problem - Thanks for pushing forward with this; we're really excited to merge this in! 🎉I'll take another look at this in the next few days. |
Alrighty, good news, I finished up the stuff on my plate that was blocking me from getting back to this. Starting in on the requested changes now. Sorry it's been taking so long. |
I've addressed all the minor issues. There's a small number of outstanding issues remaining that I expect I should be able to address in the next few days. |
Wonderful! |
All changes have been made, this should be ready for re-review @katzdm. |
@sporkmonger although you implemented the OIDC provider, there's still no way to pass it as a valid provider right? When setting |
@eyalzek Yeah, that's true, it's currently closer to a functional stub than anything. Part of the problem is that Azure AD doesn't quite follow the OIDC spec to the letter and that's what I've got to test with. I was kinda hoping someone with a more compliant OIDC provider available to them might be able to take a look and get that part over the finish line, so that's why I didn't fully enable it. |
I could certainly turn it on if you'd be willing to test it and work with me on making sure it works in practice, not just in the test suite. |
My expectation would be that groups are unlikely to work for most OIDC providers that don't have provider-specific implementations though (like this Azure AD PR) since groups have to be passed through in the token and many providers do that in very implementation-specific ways (e.g. Azure AD only does it if certain flags and scopes are set and even then only returns group UUIDs, not group names). |
After all the changes, looks like it's running into cookie size issues again. |
I'm going to wait for #137 to land before attempting to resolve. |
I'll be glad to help with testing. We're currently using dex in front of gitlab as the OIDC provider, but after looking at |
I'm working right now on trying to close gaps between |
9c4f15e
to
76f6612
Compare
Just an FYI, to simplify testing you can look at the "production" branch in our fork: https://github.com/Remitly/sso/tree/production That contains a merged copy of all our outstanding PRs in one place. Since this PR doesn't really work terribly well without #150, it may be easier to test from the merged branch instead. |
A radiator is a PC connected to a Big flat screen which displays dashboards. |
Mind if I ask for a status update on this change? AFAICT, the main blocker for here is the Cookie Overflow fix - Is that an accurate reading? |
Yes, I think that's accurate. |
I tried testing this with gitlab as an
|
I have this mostly working but the final stage where
I am running the latest version of https://github.com/Remitly/sso/tree/production |
I have not been able to identify why, but, I rolled my own version which combined Posting here if anyone wants to compare. I have another issue which I'm not sure how to solve. It seems that the SSO reply includes my primary proxyAddress, while the graph call requires the |
@eyalzek Ah, sorry, |
@adamjacobmuller Could you post a redacted version of the API responses you're getting? |
{"error":"could not get groups: api error: {\r\n \"error\": {\r\n \"code\": \"Request_ResourceNotFound\",\r\n \"message\": \"Resource '[email protected]' does not exist or one of its queried reference-property objects are not present.\",\r\n \"innerError\": {\r\n \"request-id\": \"7ba87cce-741f-45f6-8a5b-7eb7ea56f342\",\r\n \"date\": \"2019-03-16T18:32:15\"\r\n }\r\n }\r\n}" |
using the Graph Explorer, querying with my userPrinicpalName works fine, querying with my primary email fails with the same error. |
the id token response contains patch is very trivial but I can make a PR if you like |
Where are we about this ? I've been using it for a while now, it would be nice to see it merged. |
Cookie overflow issue is what this is gated on. |
@sporkmonger Would it be possible to maybe split this PR? I believe only Azure has the cookie overflow issue (and not other OIDC providers). If we could separately get the general-OIDC provider in first that would likely help building out other providers. |
I'm in favor of that course of action, but don't currently have the time to dedicate to it splitting it out either. In practice I believe Azure AD would benefit primarily from just moving to a Redis cookie store rather than dealing with cookie splitting. Frankly I think that is probably a better solution in general because even for identity providers with sane token sizes, there's not necessarily much of a limit to how many groups you can belong to, other than convention. So all session state is technically unbounded in size, and Azure AD just hits the limits when others don't because MS loves their cruft. I can say that I've been doing cookie splitting in production for a couple months now and it has been nothing but headaches and I absolutely do not recommend it unless you have no choice. Unfortunately, I've got a giant pile of other things on my plate this quarter and landing these PRs is super time-consuming. |
I have an implementation of a Redis cookie store I've implemented in a fork of pusher/oauth2_proxy that can probably be cherry picked, I've been using it with pretty good success, but I haven't finished cleaning up my branch and writing some unit tests for it. I'm hoping to get to that this week. I'm not sure that helps you out all that much, but I will report back when I can push my changes. |
I haven't forgotten about this PR. I'm hoping to have some time to dedicate to this and #158 sometime this quarter. |
I tried to merged this and #224 but when I'm trying to test it I get:
Do you have a list of env vars needed to be set to make this work ? |
This should get you in the right ballpark. sso-auth:
sso-proxy:
|
We discovered a subtle bug in the implementation around nested groups but haven't tracked it down yet. Currently it's possible to list overlapping groups (i.e. both a parent and a child group) which should be granted access, and instead of the expected outcome, access is denied when the child group is listed, but granted when it is removed if the user belongs to a child group not on the list that is also a member of the parent group. |
Hello. Any updates? Thank you. |
How can we work towards getting this merged? Let me know how I can help.. |
This PR is effectively abandoned. We're no longer using Azure AD and we're unable to dedicate any resources to this PR. If anyone else wants to pick it up, by all means. |
This pull request implements support for Azure AD as an identity provider. It supports groups passed to the upstream via the
X-Forwarded-Groups
header.Notes
Requires "Read All Groups" / "Read Directory Data" app-level permissions, as well as "Sign in and read user profile" delegated permissions. The former requires either full Azure admin role or Cloud app admin role in order to approve. The following environment variables must be set:
I haven't fiddled with timeouts as part of this PR, but they probably need to be extended because first-time sign-in can take much longer due to requiring a large number of API calls. These are done concurrently, but even so, there's a significant risk of timeout waiting on the API calls to finish on the first go-around.
This PR also adds the OIDC provider, though I don't personally have a good generic OIDC provider to actually QA it against.
Fixes #98
See also #27