Azure AD support

[tomsmyers]

i'm working on an integration with azure AD. after a successful login, vouch unpacks the body of the OIDC /userinfo response into a structs.User object, which takes values from fields username, email etc.

vouch-proxy/pkg/providers/openid/openid.go

Line 55 in 531fc6f

if err = json.Unmarshal(data, user); err != nil {

when constructing the jwt to store, the claims are constructed using this structs.User.Username.

vouch-proxy/pkg/jwtmanager/jwtmanager.go

Line 81 in 1f68466

u.Username,

later when checking the token in /validate, vouch checks if the username is populated and returns 401 if is not.

vouch-proxy/handlers/validate.go

Line 48 in 4b6d226

if claims.Username == "" {

this logic makes the assumption that username is included in the /userinfo response, which in my case it is not. 😞

is there a way to take information like this from the ID token instead of the /userinfo response? in azure AD, i can't configure which fields are included in the /userinfo response (e.g. to add the user's email address), but i can configure which fields are included in the tokens.

vouch config for posterity:

VOUCH_JWT_MAXAGE=20
VOUCH_ALLOWALLUSERS=true
VOUCH_LOGLEVEL=debug
VOUCH_COOKIE_SECURE=false
VOUCH_COOKIE_DOMAIN=localhost

OAUTH_PROVIDER=oidc
OAUTH_CLIENT_ID=...
OAUTH_CLIENT_SECRET=...
OAUTH_BASEURL=https://login.microsoftonline.com/...
OAUTH_AUTH_URL=https://login.microsoftonline.com/.../oauth2/v2.0/authorize
OAUTH_TOKEN_URL=https://login.microsoftonline.com/.../oauth2/v2.0/token
OAUTH_USER_INFO_URL=https://graph.microsoft.com/oidc/userinfo
OAUTH_SCOPES=openid,profile,email
OAUTH_CALLBACK_URLS=http://localhost:9090/auth

[bnfinet]

@tomsmyers have you tried using the adfs provider? IIRC it uses the same interfaces as Azure AD. A quick view of the adfs.go code shows it falling back to using the UPN if an email isn't present.

https://github.com/vouch/vouch-proxy/blob/master/config/config.yml_example_adfs

[tomsmyers]

unfortunately using the adfs provider does not work with azure AD; you get the error The 'resource' request parameter is not supported. when redirecting to the login page.

[bnfinet]

@simongottschlag do you have any insight into Azure AD setups? ^^

@tomsmyers if you'd care to add a new provider at providers/azure/azure.go I'd be happy to accept a PR. I'm not a user of Azure so I'm not in a position to test/support Azure AD at this time.

[simongottschlag]

@bnfinet Azure AD has their own quirks compared to ADFS. The resource query parameter is required with ADFS to populate the claims correctly while causing issues with Azure AD.

There are also differences with using Azure AD with a single tenant and using the “multi-tenant” endpoints and may require additional configuration to get both working.

[tomsmyers]

thanks for the comments, i opened a PR to add support for my azure ad config by simply mapping upn claim to username and email (based on the docs, upn is an email address), unless the fields already exist in the token.

#292

[bnfinet]

@tomsmyers thanks much for the addition to VP!