
OIDC Azure Integration fails

Open tomhuang12 opened this issue 2 years ago • 7 comments

Describe the bug

After setting up oidc-auth secret and restarting the deployment, the pod goes into CrashLoopBackOff state with error:

Error: could not create auth server: could not create provider: oidc: issuer did not match the issuer returned by provider, expected "https://login.microsoftonline.com/organizations/v2.0" got "https://login.microsoftonline.com/{tenantid}/v2.0"

The Azure/Microsoft OIDC URL used is https://login.microsoftonline.com/organizations/v2.0. The resulting OIDC config returns "https://login.microsoftonline.com/{tenantid}/v2.0" from the Microsoft side which causes the failure.

Environment

  • Weave-Gitops Version: v0.8.1
  • Flux Version: v0.31
  • Kubernetes version: v1.22.6

To Reproduce

Steps to reproduce the behavior:

Go through setting up OIDC using Azure's OIDC configuration. (I can provide detailed steps on the Azure side if needed.)

Expected behavior

OIDC should work with Azure/Microsoft OIDC.

Actual Behavior

OIDC auth fails to work.

Additional Context (screenshots, logs, etc)


2022-06-16T13:07:25.254Z    INFO    gitops    cmd/cmd.go:99    Version    {"version": "v0.0.0", "git-commit": "", "branch": "", "buildtime": ""}
I0616 13:07:26.306156       1 request.go:665] Waited for 1.026852261s due to client-side throttling, not priority and fairness, request: GET:https://172.16.0.1:443/apis/operators.coreos.com/v1alpha2?timeout=32s
Error: could not create auth server: could not create provider: oidc: issuer did not match the issuer returned by provider, expected "https://login.microsoftonline.com/organizations/v2.0" got "https://login.microsoftonline.com/{tenantid}/v2.0"
Usage:
   [flags[]
Flags:
      --dev-mode                                 Enables development mode
      --dev-user string                          Sets development User (default "wego-admin")
  -h, --help                                     help for this command
      --host string                              UI host (default "0.0.0.0")
      --insecure                                 do not attempt to read TLS certificates
      --log-level string                         log level (default "info")
      --mtls                                     disable enforce mTLS
      --notification-controller-address string   the address of the notification-controller running in the cluster
      --oidc-client-id string                    The client ID for the OpenID Connect client
      --oidc-client-secret string                The client secret to use with OpenID Connect issuer
      --oidc-issuer-url string                   The URL of the OpenID Connect issuer
      --oidc-redirect-url string                 The OAuth2 redirect URL
      --oidc-token-duration duration             The duration of the ID token. It should be set in the format: number + time unit (s,m,h) e.g., 20m (default 1h0m0s)
      --path string                              Path url
      --port string                              UI port (default "9001")
      --tls-cert-file string                     filename for the TLS certificate, in-memory generated if omitted
      --tls-private-key-file string              filename for the TLS key, in-memory generated if omitted
Error: could not create auth server: could not create provider: oidc: issuer did not match the issuer returned by provider, expected "https://login.microsoftonline.com/organizations/v2.0" got "https://login.microsoftonline.com/{tenantid}/v2.0"

tomhuang12 avatar Jun 16 '22 13:06 tomhuang12
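The startup check behind the error in the log above, as an added example written here in Go (not weave-gitops's own code): a strict comparison between the configured issuer URL and the "issuer" field of the provider's discovery document. Both discovery documents are constructed samples, and the tenant ID is a placeholder.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// discoveryDoc holds the subset of an OpenID Connect discovery document
// (/.well-known/openid-configuration) that the issuer check needs.
type discoveryDoc struct {
	Issuer                string `json:"issuer"`
	AuthorizationEndpoint string `json:"authorization_endpoint"`
}

// Constructed sample of what the multi-tenant "organizations" endpoint
// advertises: the issuer is a template with a literal "{tenantid}" placeholder.
const organizationsDiscovery = `{
  "issuer": "https://login.microsoftonline.com/{tenantid}/v2.0",
  "authorization_endpoint": "https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize"
}`

// Constructed sample of a tenant-specific discovery document (placeholder tenant ID).
const tenantDiscovery = `{
  "issuer": "https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/v2.0",
  "authorization_endpoint": "https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/oauth2/v2.0/authorize"
}`

// checkIssuer reproduces the comparison an OIDC client performs at startup: the
// issuer the operator configured must equal, byte for byte, the issuer the
// provider advertises. The check rejects a discovery document that belongs to
// a different issuer than the one configured, so it cannot be relaxed safely.
func checkIssuer(configured string, discoveryJSON []byte) error {
	var doc discoveryDoc
	if err := json.Unmarshal(discoveryJSON, &doc); err != nil {
		return fmt.Errorf("could not parse discovery document: %w", err)
	}
	if doc.Issuer != configured {
		return fmt.Errorf("oidc: issuer did not match the issuer returned by provider, expected %q got %q", configured, doc.Issuer)
	}
	return nil
}

func main() {
	// Mismatch: the multi-tenant URL never equals the templated issuer.
	fmt.Println(checkIssuer("https://login.microsoftonline.com/organizations/v2.0", []byte(organizationsDiscovery)))
	// Match: the tenant-specific URL is exactly what the tenant endpoint advertises.
	fmt.Println(checkIssuer("https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/v2.0", []byte(tenantDiscovery)))
}
```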

I am also trying to integrate Azure OIDC. I somehow followed the tutorial: https://docs.microsoft.com/en-us/power-apps/maker/portals/configure/configure-openid-settings.

I was able to properly set up the issuerURL by using the "issuer" value provided in the JSON at the "well-known" endpoint.

After that, I created a secret for clientID and clientSecret.

Finally, I tested, and I was able to get to the Microsoft login page.

However, I hit another barrier. The gitops-server uses a custom unsupported scope "groups". And I get this error:

For that I will create another issue...

excelsi0r avatar Jul 28 '22 16:07 excelsi0r

@excelsi0r Yeah, I encountered a similar issue, but some other errors came up. I am using Keycloak as a proxy currently and had to add "groups" to the scope. Dex is another option that can provide these scopes.

tomhuang12 avatar Jul 28 '22 17:07 tomhuang12

I also believe that with custom Dex or a proxy it might be solved. But I don't intend to use them. Thank you anyway!

excelsi0r avatar Jul 28 '22 17:07 excelsi0r

Duplicate: https://github.com/weaveworks/weave-gitops/issues/2507

LukaszRacon avatar Sep 15 '22 03:09 LukaszRacon

Just in case anyone is interested, I made it work; check https://github.com/weaveworks/weave-gitops/issues/2507#issuecomment-1362687065

ppodevlabs avatar Dec 22 '22 10:12 ppodevlabs

This one can be closed - see above solution or https://github.com/weaveworks/weave-gitops/pull/2745#issuecomment-1434189481

LukaszRacon avatar Feb 17 '23 07:02 LukaszRacon

Changed to a docs issue, to ensure it's covered in the user guide

lasomethingsomething avatar Sep 14 '23 14:09 lasomethingsomething