add support for Azure OIDC

[LukaszRacon]

Two things are needed to support Azure OIDC:

• allow disabling "groups" scope
• combine roles with groups

1. Azure does not support "groups" scope - we need a way to disable it. There are a number ways of indicating intent: env var, cmd option, based on issuer url. I will leave decision on what is the best approach to Weave Works team. PR uses env var - helm chart config:

    envVars:
    - name: WEAVE_GITOPS_FEATURE_OIDC_GROUPS_SCOPE
      value: "false"

2. Azure registered application can be configured to send groups in jwt claim. Issues is that Azure sends group ids (which are uuids) and these are bad candidates for group names on k8s side. Better idea is to setup "App roles" in given Application on Azure side. These come as "roles" array in jwt token - hence update that merges Groups and Roles. Another idea for handling groups in Azure would be to map between group uuid and group on k8s side (this is how Argo team handled it).

Closes #2507, #2334

In case this is tested with impersonationResources: ["groups"] there is helm chart configuration issue: #2696 that warrants chart and documentation update.

[audunsolemdal]

Would be great if a maintainer could have a look at this

[ajhall]

This is also relevant to Google OIDC. The groups scope is unsupported, so we can't use Google accounts to sign in to the dashboard.

[ppodevlabs]

any chance this get merged any soon? this would be useful for us too

[martin-adema]

any ETA when this will be merged?

[makkes]

@foot would you be able to take a look at this, please? 🙏🏻

[jnbptstm]

Same issue with AWS Cognito.

[LukaszRacon]

Closing. Since https://github.com/weaveworks/weave-gitops/pull/3234 you can override scopes using secret's customScopes or --custom-oidc-scopes=openid,profile,email.

If you use Azure's App Roles you can also use claim's roles as groups just set secret's claimGroups: roles.

Longer version:

1. In Azure create app role weave-gitops-viewer-role, assign groups/users.
2. Setup secret (remove groups claim, set claimGroups to roles):

kind: Secret
metadata:
  name: oidc-auth
data:
  customScopes: openid,profile,email
  claimGroups: roles
  claimUsername: email
  clientID: ........-....-....-....-............
  clientSecret: ...
  issuerURL: https://login.microsoftonline.com/.../v2.0
  redirectURL: ...

3. Update helm chart values

    logLevel: debug
    additionalArgs:
      - "--auth-methods=oidc"
    rbac:
      impersonationResources: [ "groups" ]
      impersonationResourceNames: ["weave-gitops-viewer-role"]

4. Check logs, you should see {"user": "....", "groups": ["weave-gitops-viewer-role"],...}

Related solution: https://github.com/weaveworks/weave-gitops/issues/2507#issuecomment-1362687065

[audunsolemdal]

@LukaszRacon

I tried your solution, but I am stuck with the error

ERROR gitops.auth-server auth/server.go:479 failed to parse user info {"error": "missing \"xxx\" claim in response"}

I tried setting the claimUsername to various things such as email, upn and preferred_username, but they all give the same error. In chrome dev tools I see the cookie containing id_token and access_token. Inspecting them further it shows that the id_token does contain preferred_username while the access token contains email. Any idea what might be wrong?

[LukaszRacon]

@audunsolemdal

Double check if authorization request has email in scope. If you use Secret oidc-auth check if you have defined: customScopes: openid,profile,email

Is email associated with Azure AD account that you are using?

Try adding optional claim:

1. Token Configuration > +Add optional claim > ID > Email > Add.
2. API Permissions > +Add permission > Microsoft Graph > Delegated permissions > OpenID permissions > Email > Add permission.

Reference: https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-optional-claims email: This value is included by default if the user is a guest in the tenant. For managed users (the users inside the tenant), it must be requested through this optional claim or, on v2.0 only, with the OpenID scope. This value isn't guaranteed to be correct, and is mutable over time - never use it for authorization or to save data for a user. ...

[ppodevlabs]

Closing. Since #3234 you can override scopes using secret's customScopes or --custom-oidc-scopes=openid,profile,email.

If you use Azure's App Roles you can also use claim's roles as groups just set secret's claimGroups: roles.

Longer version:

1. In Azure create app role weave-gitops-viewer-role, assign groups/users.
2. Setup secret (remove groups claim, set claimGroups to roles):

kind: Secret
metadata:
  name: oidc-auth
data:
  customScopes: openid,profile,email
  claimGroups: roles
  claimUsername: email
  clientID: ........-....-....-....-............
  clientSecret: ...
  issuerURL: https://login.microsoftonline.com/.../v2.0
  redirectURL: ...

3. Update helm chart values

    logLevel: debug
    additionalArgs:
      - "--auth-methods=oidc"
    rbac:
      impersonationResources: [ "groups" ]
      impersonationResourceNames: ["weave-gitops-viewer-role"]

4. Check logs, you should see {"user": "....", "groups": ["weave-gitops-viewer-role"],...}

Related solution: #2507 (comment)

I just did a test and you can impersonate groups with the following configuration:

1. In azure configure your app to send the group claim: Token Configuration -> add group claim
2. Configure the deployment with:

    - --auth-methods=oidc
    - --oidc-client-id={your_id}
    - --oidc-client-secret={your_secret}
    - --oidc-redirect-url=https://{your_gitops_url}/oauth2/callback
    - --oidc-issuer-url=https://login.microsoftonline.com/{tenant_id}/v2.0
    - --custom-oidc-scopes=openid,offline_access,email
    - --oidc-groups-claim=groups

Then it works with groups

[audunsolemdal]

@LukaszRacon Thanks for the advice. I tested around a bit, and realized that the email attribute for my profile and a lot of other profiles in the organization is null, as we are external consultants without a valid mailbox. We do have a value at preferred_username and upn which in both cases are the username I login with. I've created other app registrations for AAD auth in the past (oauth2-proxy, Grafana AAD auth) and preferred_username worked fine.

My oidc-auth secret has the following attributes

    "customScopes"  = "offline_access,openid,profile"
    "claimGroups"   = "roles"
    "claimUsername" = "upn"
    "clientID"      = redacted
    "clientSecret"  = redacted
    "issuerURL"     = "https://login.microsoftonline.com/redacted/v2.0"
    "redirectURL"   = "https://redacted.no/oauth2/callback"

and additional args

    additionalArgs:
      - "--auth-methods=oidc"

I've added optional claims for both id_token and access_token for preferred_username and upn

Copy pasting the tokens from developer console into jwt.ms, the required claims are clearly there in both the access AND id tokens. I'm confused as to what the gitops-server is actually seeing, because the logs clearly still state ERROR gitops.auth-server auth/server.go:479 failed to parse user info {"error": "missing \"upn\" claim in response"}

[audunsolemdal]

It seems I made the above work by changing the issuerURL to use the v1 AAD endpoint ref. https://github.com/weaveworks/weave-gitops/issues/2507#issuecomment-1362687065

--oidc-issuer-url=https://sts.windows.net/{tenant_id}/

not really sure why this is required, but I am able to sign in using OIDC for the first time, so that's a start!

[ppodevlabs]

It seems I made the above work by changing the issuerURL to use the v1 AAD endpoint ref. #2507 (comment)

--oidc-issuer-url=https://sts.windows.net/{tenant_id}/

not really sure why this is required, but I am able to sign in using OIDC for the first time, so that's a start!

Scopes are different between v1/v2. So you can use upn as email is not an scope on v1. But upn is not an scope within v2, so it fail when you configure it as username-claim