OpenShift Authentication / AUTH-10

Azure Active Directory OIDC


    • Type: Story
    • Resolution: Won't Do
    • Priority: Major

      Working with MS folks to make sure that AAD OIDC works well with our groups integration (which will be useful for OS on Azure).


      1. Encountered issues with distributed groups claims in Azure OIDC v1 (not spec-compliant because this uses the Azure graph API)
        1. Work is being done to include more groups in the token without the need for the distributed claims: https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-optional-claims
      2. Groups are sent as GUIDs, which is not useful in OS/Kube
        1. App roles may help (these are app specific and thus have nicer security properties): https://docs.microsoft.com/en-us/azure/architecture/multitenant-identity/app-roles
        2. Work is being done to support sending group names instead of GUIDs
      3. Learned about Azure OIDC v2
        1. https://docs.microsoft.com/en-us/azure/active-directory/develop/azure-ad-endpoint-comparison
        2. This should work really well with OS
          1. Seems to be missing the email and preferred_username claim (could be configuration issue)
      4. ...
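As an added example (not part of this issue or of OpenShift's own code): a Python check over constructed, already-decoded ID-token claim sets that flags the three pitfalls noted above, namely a distributed groups claim, GUID-valued groups, and missing email/preferred_username claims, and maps GUIDs to group names only through an explicit allowlist. The tenant id, object id, GUIDs and Graph endpoint are placeholders.

```python
"""Inspect decoded Azure AD ID-token claim sets for the group-claim pitfalls
noted in AUTH-10: distributed (overage) groups claims, GUID-valued groups,
and missing email/preferred_username claims."""
import uuid

# Constructed sample claim sets (decoded, signature-verified JWT payloads);
# the tenant id, object id, GUIDs and endpoint are placeholders.
V1_OVERAGE = {
    "iss": "https://sts.windows.net/11111111-2222-3333-4444-555555555555/",
    "sub": "user-object-id",
    "upn": "alice@example.com",
    # OIDC Core 5.6.2 distributed-claim shape; Azure v1 points the source
    # at the Graph API, which needs a separate Graph token to resolve.
    "_claim_names": {"groups": "src1"},
    "_claim_sources": {"src1": {"endpoint": "https://graph.windows.net/TENANT/users/user-object-id/getMemberObjects"}},
}
V2_GUID_GROUPS = {
    "iss": "https://login.microsoftonline.com/11111111-2222-3333-4444-555555555555/v2.0",
    "sub": "user-object-id",
    "groups": ["aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee", "ffffffff-0000-1111-2222-333333333333"],
}

def _is_guid(value):
    try:
        uuid.UUID(str(value))
        return True
    except ValueError:
        return False

def inspect_claims(claims):
    """Return the findings an identity-provider integration would act on."""
    names = claims.get("_claim_names", {})
    distributed = "groups" in names and names["groups"] in claims.get("_claim_sources", {})
    groups = claims.get("groups", [])
    return {
        "groups_distributed": distributed,
        "inline_groups": len(groups),
        "groups_are_guids": bool(groups) and all(_is_guid(g) for g in groups),
        "missing_login_claims": [c for c in ("email", "preferred_username") if c not in claims],
    }

def resolve_groups(claims, guid_to_name):
    """Map GUID groups to names through an explicit allowlist; a distributed
    claim or an unknown GUID yields no group rather than a guessed one."""
    if inspect_claims(claims)["groups_distributed"]:
        return []
    return sorted(guid_to_name[g] for g in claims.get("groups", []) if g in guid_to_name)
```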

      People: Stanislav Láznička, Monis Khan, Xingxing Xia