dex icon indicating copy to clipboard operation
dex copied to clipboard
verified publisher icon dexidp

Microsoft connector - corporate proxy support (Entra ID)

Open ap0phi5 opened this issue 1 year ago • 0 comments

Preflight Checklist

  • [X] I agree to follow the Code of Conduct that this project adheres to.
  • [X] I have searched the issue tracker for an issue that matches the one I want to file, without success.

Problem Description

In many corporate environments, it is a common pattern to implement a MITM firewall for outgoing connections. For the "microsoft" connector, connectivity from a Dex installation to Entra ID needs to traverse to https://login.microsoftonline.com/<TENANT>.onmicrosoft.com/... to request the bearer token as part of the authorisation flow.

The corporate firewall has a MITM proxy so it can do traffic inspection. However by doing so, the TLS connection is terminated early with a replacement CA of the organisation's internal PKI.

Proposed Solution

It seems that the Dex microsoft connector is missing support for two features to make this possible:

  1. Support for Custom CAs - level=error msg="Failed to authenticate: microsoft: failed to get token: Post \"https://login.microsoftonline.com/xxxxx.onmicrosoft.com/oauth2/v2.0/token\": tls: failed to verify certificate: x509: certificate signed by unknown authority" I believe RootCA has been implemented in other connectors, but not this one.

  2. Support for http_proxy This can be worked around by forcing a http[s]_proxy env variable into the container, but is not ideal as it affects the whole dex installation. It would be preferable if this is also part of the connector config.

Alternatives Considered

No response

Additional Information

No response

ap0phi5 avatar Oct 10 '24 11:10 ap0phi5