OIDC - Entra ID (Microsoft Azure AD)

[TWBrown42]

Hi, thanks in advance for any advice on this.

I have stood up Artifacthub on my AWS EKS cluster using the helm chart. IWe are wanting to provide a sign on using our Azure AD Company Tenant. I've set up the Application Registration and as far as I can tell after performing a sign in request I get token Access and id tokens back. The "as far as I can tell" is because I can only see the callback coming via dev tools in chrome but I have taken that code and made the necessary manual requests to the token end point and get a response that contain and the id and access tokens. Looking I have flagged to skip email verification (as there is no such attribute available in Entra ID) but I fail to get a session cookie, hence the /api...profile call fails with a 401 Unauthorised error. I've not bee able to work out what my config to token is missing.

I include my redacted values file for more information.

imageTag: v1.22.0
postgresql:
  enabled: true
  auth:
    username: artifacthub
    password: blah-blah-blah
    database: artifacthub
  primary:
    persistence:
      enabled: true
      size: 10Gi
      storageClass: gp3
log:
  level: debug

hub:
  deploy:
    nodeSelector:
      kubernetes.io/arch: "amd64"
    replicaCount: 1
  server:
    baseURL: https://artifact-hub.blah.blah
    allowUserSignUp: true
    oauth:
      oidc:
        enabled: true
        scopes:
          - openid
          - profile
          - email
        skipEmailVerifiedCheck: true
        issuerURL: https://login.microsoftonline.com/blah-tenantid-blah/v2.0
        redirectURL: https://artifact-hub.blah.blah/oauth2/callback
        clientID: 756fa3f3-blah-blah-blah-blahblahblah
  image:
    repository: artifacthub/hub

Here is an example id token:-

{
"aud": "756fa3f3-blah-blah-blah-blahblahblah",
"iss": "https://login.microsoftonline.com/blah-tenantid-blah/v2.0",
"iat": 1773743617,
"nbf": 1773743617,
"exp": 1773747517,
"email": "[email protected]",
"family_name": "Brown",
"given_name": "T",
"name": "T Brown",
"oid": "a0461e37-f5a7-488a-a4ed-ec349bbcd10b",
"preferred_username": "[email protected]",
"rh": "1.AQsAw_X_n_q9nUq1lf9oMplF7_Ojb3Xr1tJLklHVT5YgwnmEAHcLAA.",
"sid": "002eb90a-4246-7508-645a-1098d1058380",
"sub": "9hRHrdwHewsJo_hHMOh7MCe2S0tvUdrHWYegHAEvleg",
"tid": "blah-tenantid-blah",
"uti": "spRyhiuGpU6fFJKCrlUMAA",
"ver": "2.0"
}

From Dev tools I see the incoming callback (my redirect I registered):-
https://artifact-hub.990819709354.pbu.internal/oauth2/callback?code=...very long code&session_state=00308dca-5af6-2683-0eff-010b95b614db

If anyone has had this working with Entra ID I'd be grateful for any pointers. I do get api responses from Status and random albeit I have not configured anything else so would not expect to see much in the front end.

I'm sure this must be a well trodden path so perhaps I am missing some key documentation or configuration.

If I can provide anything further please let me know.

[tegioz]

Hi @TWBrown42 👋

Did you see any errors in the hub(s) logs? If there's something wrong with the authentication flow, there should be something in there.

[tegioz]

No worries 🙂

It looks like the OIDC flow completed successfully. Any issue during that flow should be raised as an error, so setting the log level to debug or trace shouldn't produce any extra output in this particular case.

If the flow is working fine, you should have the user and the session registered in the database. Otherwise you'd see some errors in the logs. Could you check the database and look for those entries?

In that case, the rest would be asking the browser to set the cookie. Is it possible that you have enabled "secure cookie" in the hub configuration but the hub service isn't using https yet?

[TWBrown42]

I checked the user and session table no entries - other than a single user "artifacthub" which is the one that used as part of the helm db username. I do have secure cookies set some "secret-values" below:-
hub:
server:
cookie:
secure: true
hashKey: "xnr69ZZKtyq+0EJyI8.......WVl7OApleQguhzVf1DM"
csrf:
secure: true
authKey: "3OLL5JnjtE....aknsXt6re6dNuzMwzd0J"
oauth:
oidc:
clientSecret: "R._blahblahblah_uRBulV3afB"

and I am running Artifact behind my clusters ingress-nginx which is doing the tls - the traffic from nginx to artifact is http...could that be a problem? - do I need to tell artifact that it is behind a proxy? I know I have had to do that with other products (ArgoCD for example).

[tegioz]

It's weird not having anything on those tables and not seeing any errors in the logs, we raise them on every step that can fail:

hub/internal/handlers/user/handlers.go

Lines 432 to 515 in 53bc0ab

	// OauthCallback is an http handler in charge of completing the oauth
	// authentication process, registering the user if needed.
	func (h *Handlers) OauthCallback(w http.ResponseWriter, r *http.Request) {
	logger := h.logger.With().Str("method", "OauthCallback").Logger()
	// Validate oauth code and state
	code := r.FormValue("code")
	if code == "" {
	logger.Error().Msg("oauth code not provided")
	http.Redirect(w, r, oauthFailedURL, http.StatusSeeOther)
	return
	}
	state, err := NewOauthState(r.FormValue("state"))
	if err != nil {
	logger.Error().Msg("oauth state not provided")
	http.Redirect(w, r, oauthFailedURL, http.StatusSeeOther)
	return
	}
	stateCookie, err := r.Cookie(oauthStateCookieName)
	if err != nil {
	logger.Error().Err(err).Msg("state cookie not provided")
	http.Redirect(w, r, oauthFailedURL, http.StatusSeeOther)
	return
	}
	if state.Random != stateCookie.Value {
	logger.Error().Err(err).Msg("invalid state cookie")
	http.Redirect(w, r, oauthFailedURL, http.StatusSeeOther)
	return
	}
	stateCookie = &http.Cookie{
	Name: oauthStateCookieName,
	Path: "/",
	Expires: time.Now().Add(-24 * time.Hour),
	}
	http.SetCookie(w, stateCookie)
	// Register user if needed, or return his id if already registered
	provider := chi.URLParam(r, "provider")
	providerConfig := h.oauthConfig[provider]
	oauthToken, err := providerConfig.Exchange(r.Context(), code)
	if err != nil {
	logger.Error().Err(err).Msg("oauth code exchange failed")
	http.Redirect(w, r, oauthFailedURL, http.StatusSeeOther)
	return
	}
	userID, err := h.registerUserWithOauth(r.Context(), provider, providerConfig, oauthToken)
	if err != nil {
	logger.Error().Err(err).Msg("oauth code exchange failed")
	http.Redirect(w, r, oauthFailedURL, http.StatusSeeOther)
	return
	}
	// Register user session and set session cookie
	ip, _, _ := net.SplitHostPort(r.RemoteAddr)
	session, err := h.userManager.RegisterSession(r.Context(), &hub.Session{
	UserID: userID,
	IP: ip,
	UserAgent: r.UserAgent(),
	})
	if err != nil {
	logger.Error().Err(err).Msg("registerSession failed")
	http.Redirect(w, r, oauthFailedURL, http.StatusSeeOther)
	return
	}
	encodedSessionID, err := h.sc.Encode(sessionCookieName, session.SessionID)
	if err != nil {
	logger.Error().Err(err).Msg("sessionID encoding failed")
	http.Redirect(w, r, oauthFailedURL, http.StatusSeeOther)
	return
	}
	sessionCookie := &http.Cookie{
	Name: sessionCookieName,
	Value: encodedSessionID,
	Path: "/",
	Expires: time.Now().Add(sessionDuration),
	HttpOnly: true,
	SameSite: http.SameSiteLaxMode,
	}
	if h.cfg.GetBool("server.cookie.secure") {
	sessionCookie.Secure = true
	}
	http.SetCookie(w, sessionCookie)
	http.Redirect(w, r, state.RedirectURL, http.StatusSeeOther)
	}

Doing the TLS termination on the proxy side should be fine.

Can you try signing up and logging in using email auth instead of OIDC? It could be helpful to also try logging in using GitHub, as most of the auth flow is shared with OIDC. Just to collect more information that can help.

I'll let you know if I can think of something else 🤔🙂

[TWBrown42]

Got it! Looking at the routing code for the oauth I found my path was incorrect:-

For the oidc option the callback is expecting to be on oauth/oidc/callback not oauth2/callback! Now sorted - I've no idea where I got oauth2 and my path.

Thanks for your support, it indirectly made me look at the paths.

[tegioz]

Awesome, glad you got it working! 🎉

[TWBrown42]

if you are using the general oauth option rather than Google or GitHub then your redirect will be /oauth/oidc/callback.