Type: Story
Resolution: Won't Do
Priority: Major
Working with MS folks to make sure that AAD OIDC works well with our groups integration (which will be useful for OS on Azure).
- Encountered issues with distributed groups claims in Azure OIDC v1 (not spec compliant because this uses the Azure graph API)
- Work is being done to include more groups in the token without the need for the distributed claims: https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-optional-claims
- Groups are sent as GUIDs, which is not useful in OS/Kube
- App roles may help (these are app specific and thus have nicer security properties): https://docs.microsoft.com/en-us/azure/architecture/multitenant-identity/app-roles
- Work is being done to support sending group names instead of GUIDs
- Learned about Azure OIDC v2
- https://docs.microsoft.com/en-us/azure/active-directory/develop/azure-ad-endpoint-comparison
- This should work really well with OS
- Seems to be missing the email and preferred_username claim (could be configuration issue)
- ...
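As an added example (not code from this issue, from OpenShift or from Microsoft), here is how a consumer of an already-verified Azure AD ID token could handle the three points raised above: detect the distributed-claims overage instead of silently treating the user as group-less, map group GUIDs to names where a mapping exists, and prefer app roles and the stable `oid` when `email`/`preferred_username` are missing. It assumes signature, `iss`, `aud` and `exp` were checked before the claims reach it; the GUID mapping table, tenant/object IDs and the two sample payloads are constructed for the demo.

```python
"""Added example: turning verified Azure AD ID token claims into a
Kubernetes-style identity, handling the groups overage (distributed claims),
GUID-to-name mapping, app roles and missing v2 username claims.
All GUIDs, URLs and the mapping table below are constructed for this demo."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class UserInfo:
    username: str
    username_claim: str                      # claim the username was taken from
    groups: List[str] = field(default_factory=list)
    # Set when Azure AD replaced the `groups` claim with a distributed-claim
    # reference (group overage). The caller must resolve it out of band or
    # rely on app roles; it must NOT be treated as "user has no groups".
    groups_overage_endpoint: Optional[str] = None


# Constructed mapping of group object IDs to names; stands in for the
# "send group names instead of GUIDs" option the notes above mention.
GUID_TO_NAME: Dict[str, str] = {
    "2f5b1a9c-0000-4000-8000-000000000010": "platform-admins",
    "7c1d4e22-0000-4000-8000-000000000011": "developers",
}


def overage_endpoint(claims: dict) -> Optional[str]:
    """Return the endpoint Azure AD references when `groups` was too large to
    embed. This uses the OIDC distributed-claims layout (_claim_names pointing
    into _claim_sources); Azure's endpoint is a Graph API call, not a plain
    OIDC claims endpoint, which is the non-compliance the notes refer to."""
    source_name = claims.get("_claim_names", {}).get("groups")
    if source_name is None:
        return None
    source = claims.get("_claim_sources", {}).get(source_name, {})
    return source.get("endpoint")


def extract_groups(claims: dict, guid_to_name: Dict[str, str]) -> List[str]:
    groups: List[str] = []
    for gid in claims.get("groups", []):
        # Unknown GUIDs are kept but namespaced so they can never collide
        # with a mapped name or a role, and the raw value stays auditable.
        groups.append(guid_to_name.get(gid, f"azure-guid:{gid}"))
    for role in claims.get("roles", []):
        # App roles are scoped to this application; namespaced so they stay
        # distinct from directory groups.
        groups.append(f"role:{role}")
    return groups


def username_from_claims(claims: dict) -> Tuple[str, str]:
    # v1 tokens carry upn/unique_name; v2 tokens are supposed to carry
    # preferred_username/email but, per the notes above, may not. None of
    # these is guaranteed immutable, which is why `oid` is the fallback key.
    for claim in ("preferred_username", "email", "upn", "unique_name"):
        value = claims.get(claim)
        if value:
            return value, claim
    # oid is stable for the user across all apps in the tenant; sub is
    # pairwise per application in Azure AD, so it is the last resort.
    if claims.get("oid"):
        return claims["oid"], "oid"
    return claims["sub"], "sub"


def build_user_info(claims: dict, guid_to_name: Dict[str, str] = GUID_TO_NAME) -> UserInfo:
    """Map already-verified ID token claims to a Kubernetes-style identity.
    Assumption: signature, iss, aud and exp were validated before this call."""
    username, claim = username_from_claims(claims)
    return UserInfo(
        username=username,
        username_claim=claim,
        groups=extract_groups(claims, guid_to_name),
        groups_overage_endpoint=overage_endpoint(claims),
    )


# Constructed v1-style payload: groups embedded as object IDs, upn present.
V1_CLAIMS = {
    "iss": "https://sts.windows.net/00000000-0000-4000-8000-000000000001/",
    "aud": "11111111-1111-4111-8111-111111111111",
    "oid": "aaaaaaaa-0000-4000-8000-000000000002",
    "sub": "pairwise-sub-for-this-app",
    "upn": "alice@example.com",
    "groups": ["2f5b1a9c-0000-4000-8000-000000000010",
               "deadbeef-0000-4000-8000-000000000099"],
}

# Constructed v2-style overage payload: no email/preferred_username, groups
# replaced by a distributed-claim reference, one app role present.
V2_OVERAGE_CLAIMS = {
    "iss": "https://login.microsoftonline.com/00000000-0000-4000-8000-000000000001/v2.0",
    "aud": "11111111-1111-4111-8111-111111111111",
    "oid": "aaaaaaaa-0000-4000-8000-000000000002",
    "sub": "pairwise-sub-for-this-app",
    "roles": ["Admin"],
    "_claim_names": {"groups": "src1"},
    "_claim_sources": {"src1": {"endpoint":
        "https://graph.windows.net/00000000-0000-4000-8000-000000000001/users/aaaaaaaa-0000-4000-8000-000000000002/getMemberObjects"}},
}

if __name__ == "__main__":
    for payload in (V1_CLAIMS, V2_OVERAGE_CLAIMS):
        print(build_user_info(payload))
```

The important failure mode is the overage case: a consumer that only reads `groups` sees an empty list and, depending on how authorization is wired, either denies a legitimate admin or silently drops a deny-group the policy relied on. Surfacing `groups_overage_endpoint` forces the caller to decide explicitly (resolve via Graph, or trust only the app roles), rather than having the decision made by omission.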