OpenShift Authentication: AUTH-130

Azure Active Directory OIDC


Details

    • Task
    • Resolution: Obsolete
    • Major
    • 2021Q3 Plan
    • None

    Description

      Working with MS folks to make sure that AAD OIDC works well with our groups integration (which will be useful for OS on Azure).


      1. Encountered issues with distributed groups claims in Azure OIDC v1 (not spec compliant because this uses the Azure graph API)
        1. Work is being done to include more groups in the token without the need for the distributed claims: https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-optional-claims
      2. Groups are sent as GUIDs, which is not useful in OS/Kube
        1. App roles may help (these are app specific and thus have nicer security properties): https://docs.microsoft.com/en-us/azure/architecture/multitenant-identity/app-roles
        2. Work is being done to support sending group names instead of GUIDs
      3. Learned about Azure OIDC v2
        1. https://docs.microsoft.com/en-us/azure/active-directory/develop/azure-ad-endpoint-comparison
        2. This should work really well with OS
          1. Seems to be missing the email and preferred_username claim (could be configuration issue)
      4. ...
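An added illustration (not part of this issue or of OpenShift's own code) of how a consumer of AAD ID tokens can handle the three claim shapes noted above: inline group GUIDs translated to names through a configured table, app roles delivered in the `roles` claim, and the distributed-claims overage case, which it reports as "no trustworthy group list" instead of silently treating the user as having no groups. All claim sets, GUIDs, group names and the endpoint URL are constructed placeholders.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed example claim sets (not real tokens); GUIDs and the endpoint are placeholders.
INLINE_CLAIMS = {
    "sub": "user-1",
    "groups": ["00000000-0000-0000-0000-000000000001",
               "00000000-0000-0000-0000-000000000002"],
}
APP_ROLE_CLAIMS = {
    "sub": "user-2",
    "roles": ["cluster-admins"],  # app roles arrive in the `roles` claim
    "groups": ["00000000-0000-0000-0000-000000000001"],
}
OVERAGE_CLAIMS = {  # groups omitted and replaced by a distributed-claim pointer
    "sub": "user-3",
    "_claim_names": {"groups": "src1"},
    "_claim_sources": {"src1": {"endpoint": "https://graph.example/PLACEHOLDER"}},
}
# Constructed GUID -> name table; a real deployment would maintain this from the tenant.
GUID_TO_NAME = {
    "00000000-0000-0000-0000-000000000001": "developers",
    "00000000-0000-0000-0000-000000000002": "sre",
}

@dataclass
class GroupResolution:
    source: Optional[str]   # "roles", "groups", or None when no trustworthy list exists
    names: List[str]        # resolved group/role names, sorted
    unmapped: List[str]     # group GUIDs with no configured name, sorted

def is_distributed(claims: Dict, name: str) -> bool:
    """True when `name` is not inline but referenced via _claim_names/_claim_sources."""
    return name in claims.get("_claim_names", {}) and name not in claims

def resolve_groups(claims: Dict, guid_to_name: Dict[str, str],
                   prefer_roles: bool = True) -> GroupResolution:
    """Derive usable group names from an ID token payload without fetching anything."""
    if prefer_roles and claims.get("roles"):
        return GroupResolution("roles", sorted(claims["roles"]), [])
    if is_distributed(claims, "groups"):
        # Overage: the token only points at a source; report that so the caller can
        # log or deny instead of assuming the user simply has no groups.
        return GroupResolution(None, [], [])
    names, unmapped = [], []
    for guid in claims.get("groups", []):
        (names if guid in guid_to_name else unmapped).append(guid_to_name.get(guid, guid))
    if not names and not unmapped:
        return GroupResolution(None, [], [])
    return GroupResolution("groups", sorted(names), sorted(unmapped))
```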

          People

            slaznick@redhat.com Stanislav Laznicka
            monisk Monis Khan (Inactive)