
LXD OIDC against ADFS should support different URL for issuer and access_token_issuer

Open • qch2012 opened this issue 1 year ago • 1 comment

Required information

  • Distribution: Ubuntu
  • Distribution version: 20.04, 22.04
  • The output of "snap list --all lxd core20 core22 core24 snapd":
snap list --all lxd core20 core22 core24 snapd
Name    Version         Rev    Tracking       Publisher   Notes
core20  20240416        2318   latest/stable  canonical✓  base,disabled
core20  20240705        2379   latest/stable  canonical✓  base
core22  20240823        1612   latest/stable  canonical✓  base,disabled
core22  20240904        1621   latest/stable  canonical✓  base
core24  20240528        423    latest/stable  canonical✓  base,disabled
core24  20240710        490    latest/stable  canonical✓  base
lxd     5.21.2-22f93f4  29948  5.21/stable    canonical✓  disabled
lxd     5.21.2-2f4ba6b  30131  5.21/stable    canonical✓  -
  • The output of "lxc info" or if that fails:
    • Kernel version: 5.4.0-195-generic
    • LXC version: 5.21.2 LTS
    • LXD version: 5.21.2 LTS
    • Storage backend in use: ZFS

Issue description

When trying OIDC authentication against ADFS, the LXD server may return an "issuer does not match" error:

Error: Failed OIDC Authentication: Failed to authenticate: Failed to verify access token: issuer does not match: Expected: https://ADFS.lab.ob32.com/adfs, got: http://ADFS.lab.ob32.com/adfs/services/trust

This is because ADFS by default uses different URLs for access_token_issuer and issuer, as seen in the adfs/.well-known/openid-configuration endpoint:

{
  "issuer": "https://ADFS.lab.ob32.com/adfs",
  ...
  "access_token_issuer": "https://ADFS.lab.ob32.com/adfs/service/trust",
}

The access_token_issuer value seems to be taken from the federation service identifier.

[screenshot of the ADFS federation service identifier setting]

So one workaround is to change the federation service identifier URL to match the issuer URL, but this approach is far from ideal as it is a global setting change that would affect all users.

It seems access_token_issuer is ADFS-specific and does not conform to the OIDC spec:

    The issuer value returned MUST be identical to the Issuer URL that was directly used to retrieve the configuration information. This MUST also be identical to the iss Claim value in ID Tokens issued from this Issuer.

While we can't change the ADFS behavior, probably we can improve the LXD server to either add logic to process the access_token_issuer URL or ignore that field completely for compatibility reasons, as suggested in https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/issues/1030#issuecomment-428431082

Steps to reproduce

  1. Step one: In a freshly installed ADFS, configure an application group
  2. Step two: configure oidc.client.id and oidc.issuer on the LXD server side
  3. Step three: try "login with SSO" in the LXD GUI or "lxd remote add --type oidc"

qch2012 • Sep 27 '24 16:09
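The failure described in the issue above comes down to one string comparison: the iss claim inside the access token is checked against the configured oidc.issuer, and ADFS stamps access tokens with its federation service identifier (exposed as access_token_issuer) rather than the discovery document's issuer. The following Go program is an added example, not LXD's own verification code or anything from the ADFS side: it parses a constructed discovery document modelled on the one in the issue, decodes the iss claim of an unsigned sample token (signature verification is deliberately skipped; a real verifier must do it first), and runs both a strict check that reproduces the reported error and the lenient variant the reporter proposes, which also accepts access_token_issuer. DiscoveryMismatch is a hypothetical pre-flight helper an operator can run against a saved discovery document to see whether the strict check will fail before touching the federation service identifier. The host name, URLs and token contents are constructed; the function names are this example's own.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// Discovery keeps the two fields of /.well-known/openid-configuration that matter here.
// access_token_issuer is an ADFS extension; OIDC Discovery only defines issuer.
type Discovery struct {
	Issuer            string `json:"issuer"`
	AccessTokenIssuer string `json:"access_token_issuer"`
}

// Constructed discovery document modelled on the ADFS default quoted in the issue.
// The access_token_issuer value is taken from the error message in the issue.
const adfsDefaultDiscovery = `{
  "issuer": "https://ADFS.lab.ob32.com/adfs",
  "access_token_issuer": "http://ADFS.lab.ob32.com/adfs/services/trust"
}`

// ParseDiscovery decodes the discovery JSON; unknown fields are ignored.
func ParseDiscovery(raw string) (Discovery, error) {
	var d Discovery
	err := json.Unmarshal([]byte(raw), &d)
	return d, err
}

// DiscoveryMismatch reports whether access tokens from this provider will carry an
// iss that differs from issuer, i.e. whether a strict issuer check is going to fail.
func DiscoveryMismatch(d Discovery) bool {
	return d.AccessTokenIssuer != "" && d.AccessTokenIssuer != d.Issuer
}

// issClaim extracts iss from a JWT payload WITHOUT verifying the signature.
// Acceptable for this diagnostic only; never trust an unverified token in production.
func issClaim(jwt string) (string, error) {
	parts := strings.Split(jwt, ".")
	if len(parts) != 3 {
		return "", fmt.Errorf("not a JWS compact serialization")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return "", err
	}
	var claims struct {
		Iss string `json:"iss"`
	}
	if err := json.Unmarshal(payload, &claims); err != nil {
		return "", err
	}
	return claims.Iss, nil
}

// makeToken builds an unsigned (alg "none") sample token with the given iss claim,
// purely as constructed input for the checks below.
func makeToken(iss string) string {
	hdr := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"none","typ":"JWT"}`))
	body, _ := json.Marshal(map[string]string{"iss": iss, "sub": "user"})
	return hdr + "." + base64.RawURLEncoding.EncodeToString(body) + "."
}

// StrictIssuerCheck mirrors the behaviour reported in the issue: the access token's
// iss must equal the configured issuer exactly.
func StrictIssuerCheck(configuredIssuer, accessToken string) error {
	iss, err := issClaim(accessToken)
	if err != nil {
		return err
	}
	if iss != configuredIssuer {
		return fmt.Errorf("issuer does not match: Expected: %s, got: %s", configuredIssuer, iss)
	}
	return nil
}

// LenientIssuerCheck is the alternative the reporter suggests: also accept the
// discovery document's access_token_issuer. Note that it trusts a second issuer
// string taken from the provider itself, which widens the trust boundary.
func LenientIssuerCheck(d Discovery, accessToken string) error {
	iss, err := issClaim(accessToken)
	if err != nil {
		return err
	}
	if iss == d.Issuer || (d.AccessTokenIssuer != "" && iss == d.AccessTokenIssuer) {
		return nil
	}
	return fmt.Errorf("issuer does not match: Expected: %s or %s, got: %s", d.Issuer, d.AccessTokenIssuer, iss)
}

func main() {
	d, err := ParseDiscovery(adfsDefaultDiscovery)
	if err != nil {
		panic(err)
	}
	fmt.Println("discovery mismatch:", DiscoveryMismatch(d))
	tok := makeToken(d.AccessTokenIssuer) // what ADFS stamps into access tokens by default
	fmt.Println("strict :", StrictIssuerCheck(d.Issuer, tok))
	fmt.Println("lenient:", LenientIssuerCheck(d, tok))
	// After the workaround (federation service identifier set to the issuer URL),
	// access_token_issuer equals issuer and the strict check passes.
	fixed := d
	fixed.AccessTokenIssuer = fixed.Issuer
	fmt.Println("strict after fix:", StrictIssuerCheck(fixed.Issuer, makeToken(fixed.AccessTokenIssuer)))
}
```

Run it with `go run` on a saved copy of your own provider's openid-configuration substituted for the constant: if DiscoveryMismatch is true, a strict verifier will reject every access token until the identifier and issuer agree, which is exactly the workaround the issue discusses.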

Given that access_token_issuer is not part of the OIDC spec and you have demonstrated that this can be circumvented I don't think we're likely to address this. I realise that the workaround is a global setting, but it is a global setting that should be set so that ADFS is OIDC compliant. Otherwise integrations with other applications will also fail.

markylaing • Sep 30 '24 06:09

@markylaing shall we close this?

tomponline • Apr 30 '25 08:04

Yes. We will not be adding a separate issuer config for access tokens. ADFS will be supported via sessions (see draft PR https://github.com/canonical/lxd/pull/15030) and setting the access token issuer to be the same as the issuer via ADFS configuration. We won't be supporting ADFS further than this because it is not recommended by Microsoft, who instead recommend EntraID (support for which will also be addressed by sessions).

markylaing • Apr 30 '25 09:04