OpenShift Authentication: AUTH-130

Azure Active Directory OIDC


    • Type: Task
    • Resolution: Obsolete
    • Priority: Major
    • 2021Q3 Plan

      Working with MS folks to make sure that AAD OIDC works well with our groups integration (which will be useful for OS on Azure).

      1. Encountered issues with distributed groups claims in Azure OIDC v1 (not spec compliant because this uses the Azure graph API)
         a. Work is being done to include more groups in the token without the need for the distributed claims: https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-optional-claims
      2. Groups are sent as GUIDs which is not useful in OS/Kube
         a. App roles may help (these are app specific and thus have nicer security properties): https://docs.microsoft.com/en-us/azure/architecture/multitenant-identity/app-roles
         b. Work is being done to support sending group names instead of GUIDs
      3. Learned about Azure OIDC v2
         a. https://docs.microsoft.com/en-us/azure/active-directory/develop/azure-ad-endpoint-comparison
         b. This should work really well with OS
            i. Seems to be missing the email and preferred_username claim (could be configuration issue)
      4. ...
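The three claim shapes the ticket describes (a v1 token whose groups were moved out into a distributed claim, a token carrying group object-id GUIDs, and a token carrying app roles) can be handled by a relying party in a fail-closed way. The following is an added example written for this page, not OpenShift code and not anything from the ticket: the claim sets, the GUID-to-name mapping and the issuer/endpoint values are constructed fixtures, and the JWT helper assumes signature verification already happened upstream.

```python
"""Added example (not OpenShift code): resolve Azure AD ID-token group claims.

Decision rules, in order:
  1. A distributed "groups" claim (_claim_names/_claim_sources) is not followed;
     the user simply gets no groups. Following the Graph pointer is outside
     the OIDC spec and would make the IdP response depend on a second call.
  2. A literal "groups" claim is translated GUID -> name through an operator
     mapping; unmapped GUIDs are dropped, never passed through as group names.
  3. An app-roles "roles" claim is app-specific text and is used as-is.
"""
import base64
import json
from dataclasses import dataclass, field

# --- Constructed sample claim sets (not real tokens) ------------------------
V1_OVERAGE = {  # v1 endpoint, too many groups: only a pointer to Graph is issued
    "iss": "https://sts.windows.net/00000000-0000-0000-0000-000000000000/",
    "sub": "user-1",
    "_claim_names": {"groups": "src1"},
    "_claim_sources": {"src1": {"endpoint": "https://graph.example.invalid/users/user-1/getMemberObjects"}},
}
V1_GUIDS = {  # groups present, but as directory object ids
    "sub": "user-2",
    "groups": ["11111111-1111-1111-1111-111111111111",
               "22222222-2222-2222-2222-222222222222"],
}
V2_APP_ROLES = {  # app roles assigned in the app registration
    "sub": "user-3",
    "preferred_username": "user3@example.invalid",
    "roles": ["cluster-reader", "dev-team"],
}
# Operator-maintained mapping from group object id to a usable group name (constructed).
GUID_TO_NAME = {"11111111-1111-1111-1111-111111111111": "platform-admins"}


@dataclass
class GroupResult:
    source: str                                      # "groups", "roles" or "none"
    groups: list = field(default_factory=list)       # names safe to hand to Kube RBAC
    unresolved: list = field(default_factory=list)   # GUIDs with no mapping (dropped)
    distributed: bool = False                        # groups were moved out of the token


def compact_jwt_for_demo(claims: dict) -> str:
    """Build a compact-serialised token with a placeholder signature segment.
    Test fixture only: the signature is not valid and must never be accepted."""
    b64 = lambda b: base64.urlsafe_b64encode(b).rstrip(b"=").decode()
    header = b64(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return f"{header}.{b64(json.dumps(claims).encode())}.sig-placeholder"


def payload_from_jwt(token: str) -> dict:
    """Decode the payload segment of a compact JWT.
    Assumes the signature was verified upstream; this function does not check it."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    seg = parts[1] + "=" * (-len(parts[1]) % 4)   # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(seg))


def resolve_groups(claims: dict, guid_to_name: dict, use_app_roles: bool = True) -> GroupResult:
    names = claims.get("_claim_names")
    if isinstance(names, dict) and "groups" in names:
        # Distributed claim: fail closed rather than call the referenced endpoint.
        return GroupResult(source="none", distributed=True)

    groups = claims.get("groups")
    if isinstance(groups, list):
        resolved, unresolved = [], []
        for g in groups:
            (resolved if g in guid_to_name else unresolved).append(guid_to_name.get(g, g))
        return GroupResult(source="groups", groups=resolved, unresolved=unresolved)

    roles = claims.get("roles")
    if use_app_roles and isinstance(roles, list):
        return GroupResult(source="roles", groups=[str(r) for r in roles])

    return GroupResult(source="none")


if __name__ == "__main__":
    for label, claims in (("v1 overage", V1_OVERAGE), ("v1 guids", V1_GUIDS), ("v2 app roles", V2_APP_ROLES)):
        print(label, resolve_groups(payload_from_jwt(compact_jwt_for_demo(claims)), GUID_TO_NAME))
```

The `unresolved` list is what an operator would want to log: a user landing there has group memberships the mapping does not know about, which is the GUID-versus-name problem from item 2 made visible instead of silently granting or dropping access.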

              Stanislav Láznička (slaznick@redhat.com)
              Monis Khan (monisk)