
OIDC integration with Azure fails due to missing 'groups' scope

Open excelsi0r opened this issue 2 years ago • 3 comments

Describe the bug

OIDC integration with Azure fails due to missing 'groups' scope

Environment

  • Weave-Gitops Version 0.9.0
  • Flux Version 0.29.0
  • Kubernetes version 1.22.11

To Reproduce

Steps to reproduce the behavior:

  1. Create a new App Registration in Azure Active Directory
  2. Configure oidc in helm chart
  3. Deploy
  4. Attempt to login via OIDC

Expected behavior

Proper Authentication

Actual Behavior

Authentication fails because 'scope' groups is not in Microsoft Graph resource

Additional Context (screenshots, logs, etc)

I don't know if this is a known issue, but the implementation of this custom scope limits integrations a lot. Maybe it is possible to make the groups 'scope' optional. Microsoft Azure doesn't yet support custom scopes, I believe.

By having these OIDC scopes, we are forced to only use customizable OIDC providers.


excelsi0r avatar Jul 28 '22 17:07 excelsi0r

This happens with Keycloak 19.0.2 as well:

ERROR [org.keycloak.services] (executor-thread-149) KC-SERVICES0093: Invalid parameter value for: scope

INFO gitops.auth-server auth/server.go:226 authz redirect callback failed {"error": "invalid_scope", "error_description": "Invalid scopes: profile openid email groups"}
INFO gitops middleware/middleware.go:61 request error {"uri": "/oauth2/callback?error=invalid_scope&error_description=Invalid+scopes%3A+profile+openid+email+groups&state=eyJuIjoiZU5lMXBaSERvdjRzZURadUpRSUR2U05hdmRRVERvKzVSZ0pHRzBRYStiZz0iLCJyZXR1cm5fdXJsIjoiaHR0cHM6Ly9sYWItZ2l0b3BzLm5lb3NpdC5jb20ifQ%3D%3D", "status": 400}
INFO gitops middleware/middleware.go:61 request error {"uri": "/oauth2/userinfo", "status": 400} 


chuegel avatar Sep 28 '22 10:09 chuegel

There is a PR that adds support for disabling group scope: https://github.com/weaveworks/weave-gitops/pull/2745

LukaszRacon avatar Sep 28 '22 21:09 LukaszRacon

I added the groups scope to the client, but it still complains with the error:

INFO gitops.auth-server auth/server.go:226 authz redirect callback failed {"error": "invalid_scope", "error_description": "Invalid scopes: profile openid email groups"}
INFO gitops middleware/middleware.go:61 request error {"uri": "/oauth2/callback?error=invalid_scope&error_description=Invalid+scopes%3A+profile+openid+email+groups&state=eyJuIjoiN2p5aUw5OW5hVTdORUlSWEZrUE16ZzlDRUFQQ05PT2s5ZHl5c2Nlbk1iST0iLCJyZXR1cm5fdXJsIjoiaHR0cHM6Ly9sYWItZ2l0b3BzLm5lb3NpdC5jb20ifQ%3D%3D", "status": 400} 

chuegel avatar Sep 29 '22 06:09 chuegel

Just in case anyone is still facing this issue: I made it work with Azure AD.

I am using version one of the Azure issuer. Instead of creating the secret, I'm just passing the OIDC configuration as additional arguments and replacing the email claim with upn:

  values:
    additionalArgs:
    - --oidc-client-id={your_id}
    - --oidc-client-secret={your_secrets}
    - --oidc-groups-claim=groups
    - --oidc-issuer-url=https://sts.windows.net/{tenant_id}/
    - --oidc-redirect-url=https://your-gitops-url/oauth2/callback
    - --oidc-username-claim=upn

With this configuration I'm able to impersonate users and groups.

ppodevlabs avatar Dec 22 '22 10:12 ppodevlabs

In v0.15.0 the custom-oidc-scopes flag has been introduced (#3234). I am now able to make it work with Azure AD OAuth 2.0 by leaving out the unsupported groups scope in the custom-oidc-scopes flag, whose default is [openid,offline_access,email,groups]:

values:
  additionalArgs:
    - --auth-methods=oidc
    - --oidc-client-id={your_id}
    - --oidc-client-secret={your_secret}
    - --oidc-redirect-url=https://{your_gitops_url}/oauth2/callback
    - --oidc-issuer-url=https://login.microsoftonline.com/{tenant_id}/v2.0
    - --custom-oidc-scopes=openid,offline_access,email

martin-adema avatar Feb 07 '23 12:02 martin-adema

Verified that it is working v0.17.0.

LukaszRacon avatar Feb 17 '23 07:02 LukaszRacon

In v0.15.0 the custom-oidc-scopes flag has been introduced (#3234). I am now able to make it work with Azure AD OAuth 2.0 by leaving out the unsupported groups scope in the custom-oidc-scopes flag, whose default is [openid,offline_access,email,groups]:

values:
  additionalArgs:
    - --auth-methods=oidc
    - --oidc-client-id={your_id}
    - --oidc-client-secret={your_secret}
    - --oidc-redirect-url=https://{your_gitops_url}/oauth2/callback
    - --oidc-issuer-url=https://login.microsoftonline.com/{tenant_id}/v2.0
    - --custom-oidc-scopes=openid,offline_access,email

This solution worked for us also. But we were not getting any data when logging in, since we had assigned RBAC to an Azure AD group and not specifically to any users with our ClusterRoleBinding.

With help from @makkes we ran the pods with logLevel: debug and saw that the groups object was empty:

Found principal {"user": "[email protected]", "groups": [], "tokenLength": 0, "method": "*auth.JWTCookiePrincipalGetter"}

Adding an optional groups claim under app registration > Token configuration solved this 'no groups' issue.

admincasper avatar Aug 04 '23 13:08 admincasper
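The "Found principal ... groups: []" debug line above is the symptom of a token whose claims do not match what the auth server is configured to read. The following added example (not part of the issue or of weave-gitops) decodes the payload of an ID token and reports the mismatches discussed in this thread: no username claim (email vs upn), a missing or empty groups claim, and the Azure AD groups-overage marker (_claim_names) that replaces the group list when a user belongs to too many groups. The token here is constructed and unsigned; a real one must be signature-verified against the issuer's JWKS before any claim is trusted.

```python
import base64
import json


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def decode_claims(id_token: str) -> dict:
    """Return the payload claims of a compact JWT (unverified, for diagnosis only)."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(b64url_decode(parts[1]))


def check_principal(claims: dict, username_claim: str = "email",
                    groups_claim: str = "groups") -> dict:
    """Mirror what the gitops auth server needs: a username and a group list."""
    result = {"user": claims.get(username_claim),
              "groups": list(claims.get(groups_claim) or []),
              "problems": []}
    if result["user"] is None:
        result["problems"].append(
            f"claim '{username_claim}' missing; try --oidc-username-claim=upn")
    if groups_claim not in claims:
        result["problems"].append(
            f"claim '{groups_claim}' missing; add the optional groups claim under Token configuration")
    elif not result["groups"]:
        result["problems"].append(f"claim '{groups_claim}' is empty")
    # Azure AD emits a pointer instead of the list when the group count exceeds its limit.
    if "groups" in claims.get("_claim_names", {}):
        result["problems"].append("groups overage: token carries a Graph pointer, not group ids")
    return result


def make_unsigned_token(claims: dict) -> str:
    """Build a constructed, unsigned JWT purely as sample input for the checks above."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none'})}.{enc(claims)}."


if __name__ == "__main__":
    # Constructed sample: a v2.0-style token that carries upn and one group id.
    sample = make_unsigned_token({"upn": "alice@example.test",
                                  "groups": ["11111111-2222-3333-4444-555555555555"]})
    print(check_principal(decode_claims(sample), username_claim="upn"))
```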


No data ...

@admincasper Same issue here using v0.38.0, but no luck. Groups are set in optional claims and I can see them in the token.

Another observation: I had to impersonate both the user AND its group. Otherwise I get the message

"error": "user namespace access: groups \"a5cce412-2d6f-4cce-******************\" is forbidden: User \"system:serviceaccount:sbx-00:weave-gitops\"   cannot impersonate resource \"groups\" in API group \"\" at the cluster scope"}

Content of oidc-auth secret:

        Client ID:      {{ .client_id }}
        Client Secret:  {{ .client_secret }}
        Custom Scopes:  openid,profile,offline_access,email
        Issuer URL:     https://login.microsoftonline.com/bfce736f-*****/v2.0
        Redirect URL:   https://weave-gitops.sbx-00.001.wcld.************/oauth2/callback

I can see the data using the "admin" user (basic authentication, no OIDC).

Does anyone have any ideas how to solve this issue?

Regards

Robert

rlaflamme avatar Apr 16 '24 22:04 rlaflamme