weave-gitops
OIDC integration with Azure fails "NO DATA" once impersonated
OIDC integration with Azure fails due to missing 'groups' scope
Environment
Weave-Gitops Version: 0.38.0
Flux Version: 2.2.3
Kubernetes version: v1.27.10-eks-508b6b3

To Reproduce
Steps to reproduce the behavior:
1. Create a new App Registration in Azure Active Directory
2. Configure oidc in helm chart
3. Deploy
4. Attempt to login via OIDC

No data ...
Still having the issue with the "no data" message when using OIDC and AzureAD.
I read and applied the recommendations from this thread: https://github.com/weaveworks/weave-gitops/issues/2507
Group is set in optional claims and I can see them in the token. I can see the logged username and its groups in the JWT token.
Found principal {"user": "***", "groups": ["***"], "tokenLength": 0, "method": "*auth.JWTCookiePrincipalGetter"}
Another observation: I had to impersonate both the user AND its group. Otherwise I get the message:
"error": "user namespace access: groups \"a5cce412-2d6f-4cce-******************\" is forbidden: User \"system:serviceaccount:sbx-00:weave-gitops\" cannot impersonate resource \"groups\" in API group \"\" at the cluster scope"}
Content of oidc-auth secret:
Client ID: {{ .client_id }}
Client Secret: {{ .client_secret }}
Custom Scopes: openid,profile,offline_access,email
Issuer URL: https://login.microsoftonline.com/bfce736f-*****/v2.0
Redirect URL: https://weave-gitops.sbx-00.001.wcld.************/oauth2/callback
I can see the data using the "admin" user (basic authentication, no OIDC).
Anyone have any ideas how to solve this issue once and for all?
Thank you !
Regards
Robert
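For reference, an added example (not from the original issue and not the weave-gitops project's own manifest) of the cluster-scoped RBAC that addresses the impersonation error quoted above. The namespace sbx-00 and the service account name weave-gitops are taken from the error message; the user principal and group object ID in resourceNames are placeholders to replace. Using resourceNames keeps the service account from being able to impersonate arbitrary users or groups (including system:masters), which is the least-privilege check a reviewer should ask for before granting impersonate.

```yaml
# Added example: least-privilege impersonation RBAC for the weave-gitops
# service account. Namespace and service account name come from the error
# message in the issue; the resourceNames values are placeholders.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: weave-gitops-impersonate
rules:
  # The dashboard impersonates the OIDC user to evaluate what that user
  # may see. Without resourceNames the service account could impersonate
  # any user, so limit it to the principals that are expected to log in.
  - apiGroups: [""]
    resources: ["users"]
    verbs: ["impersonate"]
    resourceNames: ["alice@example.com"]   # placeholder user principal
  # With Azure AD the 'groups' claim carries group object IDs, and the
  # dashboard impersonates those too. Missing this rule produces the
  # "cannot impersonate resource \"groups\"" error quoted above.
  - apiGroups: [""]
    resources: ["groups"]
    verbs: ["impersonate"]
    resourceNames: ["00000000-0000-0000-0000-000000000000"]  # placeholder group object ID
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: weave-gitops-impersonate
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: weave-gitops-impersonate
subjects:
  - kind: ServiceAccount
    name: weave-gitops
    namespace: sbx-00
---
# Impersonation only succeeds in the request being made *as* the user and
# group; the impersonated identity still needs its own read permissions,
# otherwise the dashboard renders nothing. This binding grants the Azure AD
# group the built-in aggregated 'view' ClusterRole as a minimal starting
# point; Flux CRDs (kustomizations, helmreleases, sources) are not part of
# 'view' and need additional rules.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: weave-gitops-aad-group-view
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: view
subjects:
  - kind: Group
    name: "00000000-0000-0000-0000-000000000000"   # same placeholder group object ID
    apiGroup: rbac.authorization.k8s.io
```

After applying, the two checks worth running are `kubectl auth can-i impersonate groups --as=system:serviceaccount:sbx-00:weave-gitops` (should now answer "yes"), and `kubectl auth can-i list kustomizations.kustomize.toolkit.fluxcd.io --as=alice@example.com --as-group=<group object ID>`, which exercises exactly what the dashboard does on behalf of the logged-in user and tells you whether the "no data" result is an impersonation problem or a missing grant for the impersonated identity.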