SAP / luigi

Micro frontend framework
https://luigi-project.io
Apache License 2.0
830 stars 171 forks

How to configure multi-tenant AD using OpenID Connect #3402

Closed bppn closed 1 year ago

bppn commented 1 year ago

We use a multi-tenant setup with Azure AD.

We use the following config for the PKCE flow:

    // import OpenIdConnect from '@luigi-project/plugin-auth-oidc';
    // (the `auth` key sits inside the object passed to Luigi.setConfig)
    auth: {
      use: 'ad',
      storage: 'sessionStorage',
      ad: {
        idpProvider: OpenIdConnect,
        authority: 'https://login.microsoftonline.com/common/v2.0',
        logoutUrl: 'https://login.microsoftonline.com/common/oauth2/v2.0/logout',
        scope: 'openid profile email',

        // for PKCE flow
        client_id: 'xxxxxxxx', // example oidc-mockserver client id
        response_type: "code", // for PKCE
        response_mode: "fragment", // change between `query` and `fragment`
      }
    },

However, there is a problem with the issuer validation:

    Error: Invalid issuer in token: https://login.microsoftonline.com/xxxxxxxx/v2.0
        at t.validateJwtAttributes (localhost:4200/assets/luigi-config.js:2:241868)
        at localhost:4200/assets/luigi-config.js:2:61258

How to configure OpenID connect to support the multi-tenant setup of an AD application?

JohannesDoberer commented 1 year ago

Hello @bppn, it is really hard to analyze the issue. Is it the whole auth config you are using? One of the issues could be that you are using the common endpoint rather than the tenant-specific endpoint. Can you check that?

bppn commented 1 year ago

Hello @JohannesDoberer ,

In order to use Azure Active Directory in a multi-tenant setup, the common endpoint is required:

https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-convert-app-to-be-multi-tenant

The issuer will be the tenant that the end-user authenticates to.

A normal setup would be to either allow all issuers or have a curated list of issuers that are allowed (most of the time dynamically by a DB lookup).

I do not see any option in Luigi to properly setup issuer validation out-of-the box.
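The validation described in the comment above (accept every tenant, or only a curated list), as an added example in plain JavaScript. This is not code from Luigi or from oidc-client-js; it shows the check a custom authorization provider would have to perform itself, because Azure AD v2.0 issues tokens from a tenant-specific issuer of the form `https://login.microsoftonline.com/{tid}/v2.0`, which the `common` authority can never match literally. The tenant ids, the `makeSampleToken` helper and the sample tokens are constructed for illustration; a real provider must also verify the token signature against the `jwks_uri` of the discovery document before trusting any claim.

```javascript
// Added example: issuer validation for a multi-tenant Azure AD (v2.0) app.
// Not Luigi or oidc-client-js code. Claims are read without signature
// verification here; do that against jwks_uri before trusting them.

// Tenant-specific Azure AD v2.0 issuer: https://login.microsoftonline.com/{tid}/v2.0
const AZURE_V2_ISSUER =
  /^https:\/\/login\.microsoftonline\.com\/([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})\/v2\.0$/;

function base64UrlDecode(s) {
  const b64 = s.replace(/-/g, '+').replace(/_/g, '/') + '='.repeat((4 - (s.length % 4)) % 4);
  return Buffer.from(b64, 'base64').toString('utf8'); // Buffer: Node; use atob() in a browser
}

function base64UrlEncode(s) {
  return Buffer.from(s, 'utf8').toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Extract the claims of a JWT (header.payload.signature). Signature NOT checked.
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('malformed JWT');
  return JSON.parse(base64UrlDecode(parts[1]));
}

// allowedTenants === null: accept every tenant ("allow all issuers"), but the
// issuer shape and the tid claim are still enforced. Otherwise a Set of tenant
// ids, e.g. the result of the DB lookup the comment mentions.
function validateIssuer(claims, allowedTenants = null) {
  const m = AZURE_V2_ISSUER.exec(String(claims.iss || ''));
  if (!m) return { ok: false, reason: 'issuer is not a tenant-specific Azure AD v2.0 issuer' };
  const tenant = m[1];
  // The tenant in the issuer URL must be the tenant the token says it is for.
  if (claims.tid !== tenant) return { ok: false, reason: 'tid claim does not match issuer tenant' };
  if (allowedTenants !== null && !allowedTenants.has(tenant)) {
    return { ok: false, reason: 'tenant is not onboarded' };
  }
  return { ok: true, tenant };
}

// Constructed, unsigned sample token (alg "none") for illustration only.
function makeSampleToken(claims) {
  const header = base64UrlEncode(JSON.stringify({ alg: 'none', typ: 'JWT' }));
  return `${header}.${base64UrlEncode(JSON.stringify(claims))}.`;
}

// Constructed tenant ids (hypothetical GUIDs).
const TENANT_A = '11111111-2222-3333-4444-555555555555';
const TENANT_B = '66666666-7777-8888-9999-aaaaaaaaaaaa';
const issuerOf = (tid) => `https://login.microsoftonline.com/${tid}/v2.0`;

// Runs the four cases a practitioner cares about and returns the verdicts.
function checkSamples() {
  const onboarded = new Set([TENANT_A]);
  const tokenA = makeSampleToken({ iss: issuerOf(TENANT_A), tid: TENANT_A, sub: 'user-a' });
  const tokenB = makeSampleToken({ iss: issuerOf(TENANT_B), tid: TENANT_B, sub: 'user-b' });
  const tokenCommon = makeSampleToken({ iss: 'https://login.microsoftonline.com/common/v2.0', tid: TENANT_A });
  const tokenMismatch = makeSampleToken({ iss: issuerOf(TENANT_A), tid: TENANT_B });
  return {
    anyTenantA: validateIssuer(decodeJwtPayload(tokenA)),            // ok: all tenants allowed
    anyTenantB: validateIssuer(decodeJwtPayload(tokenB)),            // ok: all tenants allowed
    curatedA: validateIssuer(decodeJwtPayload(tokenA), onboarded),   // ok: on the list
    curatedB: validateIssuer(decodeJwtPayload(tokenB), onboarded),   // rejected: not onboarded
    common: validateIssuer(decodeJwtPayload(tokenCommon)),           // rejected: "common" is not an issuer
    mismatch: validateIssuer(decodeJwtPayload(tokenMismatch)),       // rejected: tid != issuer tenant
  };
}

module.exports = { validateIssuer, decodeJwtPayload, makeSampleToken, checkSamples, TENANT_A, TENANT_B };
```

The `common` case reproduces the failure from the original report: a fixed `issuer` of `.../common/v2.0` is not what Azure puts in the token, so a library that compares the issuer for string equality will always reject it. Matching the tenant id from the issuer against the `tid` claim closes the gap where a token minted for one tenant is presented as if it came from another.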

JohannesDoberer commented 1 year ago

Hello @bppn, if you are using our OpenID Connect plugin you can add the issuer validation to the settings. So if you are using the OpenID Connect plugin, please take a look at how it is done for oidc-client-js. We just pass the settings to the oidc-client-js lib.

Something like that should help:

    ad: {
      idpProvider: OpenIdConnect,
      authority: 'https://login.microsoftonline.com/common/v2.0',
      logoutUrl: 'https://login.microsoftonline.com/common/oauth2/v2.0/logout',
      scope: 'openid profile email',

      // for PKCE flow
      client_id: 'xxxxxxxx', // example oidc-mockserver client id
      response_type: "code", // for PKCE
      response_mode: "fragment", // change between `query` and `fragment`

      // static discovery metadata passed through to oidc-client-js
      metadata: {
        issuer: 'YOUR_VALUE',
        authorization_endpoint: 'YOUR_VALUE',
        userinfo_endpoint: 'YOUR_VALUE',
        end_session_endpoint: 'YOUR_VALUE',
        jwks_uri: 'YOUR_VALUE'
      }
    }

If you are not using our plugin, it is also possible to add a custom authorization provider.

bppn commented 1 year ago

OK, thanks for the feedback.

Since issuer can be any value in case of multi-tenant auth, the oidc client doesn't seem a matching option.

I will take a look into the custom provider.