Enable Workload Identity for Azure AD and Microsoft Connector
Preflight Checklist
- [X] I agree to follow the Code of Conduct that this project adheres to.
- [X] I have searched the issue tracker for an issue that matches the one I want to file, without success.
Problem Description
The Microsoft connector is limited to using a Client ID and Client Secret for authentication with an Azure App Registration. It is possible to use Workload Identity Federation on Dex when installed in Kubernetes.
Client Secrets often have short lifespans and this can be a problem for system administrators to rotate regularly.
Proposed Solution
Allow the Microsoft Connector login via Microsoft Workload Identity Federation. If the end-user configures a Service Account and Federation correctly, Kubernetes will inject an environment variable named AZURE_FEDERATED_TOKEN_FILE. The path in the environment variable will lead to a file with an auth token that Dex should use to auth. That token should be used to authenticate as the client in Azure.
Alternatives Considered
No response
Additional Information
No response
Any chance of this getting implemented? It is pretty straightforward per the solution, and avoids the need for secrets. Federated credentials are supported for app registrations so no need to manage secrets for Entra ID integrations.
Looks like #3874 implements this but is not passing tests.
Thanks for the update @cardoe! Any chance that PR can get some fresh eyes? I'd take a poke at it if my Go skills were better.
Our specific use case - we would not be using managed identities with federated credentials, but rather app registration with federated credentials. Should be the same for implementation on your end (either way binds to a client ID which goes to the underlying service principal in both cases) but wanted to make the distinction.
Our use case is for the Argo suite of tools. Argo CD natively supports OIDC SSO integration with workload identity, however Workflows / agents only support Dex, which requires a secret currently. If we could get Dex working without the need of secrets that would be awesome as we could have a single Dex SSO configuration bound to an Entra ID app registration via workload identity and avoid manual periodic secret rotation, or setting up a workflow to manage said secret rotations.