rancher / rancher-docs

Rancher Documentation
https://ranchermanager.docs.rancher.com/
Apache License 2.0

Unclear documentation for configuring multiple redirect URIs in Azure AD authentication #1318

Open qdrop17 opened 3 months ago

qdrop17 commented 3 months ago

Summary

The process of configuring multiple redirect URIs for Azure AD-enabled authentication is not well documented. The relevant documentation can be found at:

While the file provided contains the necessary information, it is presented as a key-value pair rather than a list. As a result, we are unsure how to configure an additional redirect URI for our external exposure.

```
kubectl get authconfigs.management.cattle.io azuread -o yaml
accessMode: unrestricted
apiVersion: management.cattle.io/v3
applicationId: xxx
applicationSecret: cattle-global-data:azureadconfig-applicationsecret
authEndpoint: https://login.microsoftonline.com/xxx/oauth2/v2.0/authorize
enabled: true
endpoint: https://login.microsoftonline.com/
graphEndpoint: https://graph.microsoft.com
kind: AuthConfig
metadata:
  annotations:
    auth.cattle.io/azuread-endpoint-migrated: "true"
    management.cattle.io/auth-provider-cleanup: unlocked
  creationTimestamp: "2023-11-21T08:27:18Z"
  generation: 4
  labels:
    cattle.io/creator: norman
  name: azuread
  resourceVersion: "7988248"
  uid: xxx
rancherUrl: https://xxx/verify-auth-azure
status:
  conditions:
  - status: "True"
    type: SecretsMigrated
tenantId: xxx
tokenEndpoint: https://login.microsoftonline.com/xxx/oauth2/v2.0/token
type: azureADConfig
```

It would be great to clarify how this can be done properly.

Related Issues

https://github.com/rancher/rancher/issues/23671

martyav commented 3 months ago

@qdrop17 unfortunately, the mapping here is one to one, and can't accept a list of values. The one thing the docs team can do here is clear up the wording to make that more evident.

qdrop17 commented 2 months ago

> @qdrop17 unfortunately, the mapping here is one to one, and can't accept a list of values. The one thing the docs team can do here is clear up the wording to make that more evident.

Okay, got it. Do you mind mentioning someone from the development team to clarify this feature? To us, it's unclear if Rancher supports multiple redirect URIs or not. We would greatly appreciate this capability.

martyav commented 2 months ago

@JonCrowther or @samjustus could you address?

> To us, it's unclear if Rancher supports multiple redirect URIs or not. We would greatly appreciate this capability.

JonCrowther commented 2 months ago

That's correct. You can modify the 1 listed domain manually, but never have more than one at the same time. As far as supporting multiple, it is on our radar, but hasn't been prioritized yet. If you'd like to leave a comment on https://github.com/rancher/rancher/issues/23671, that would help bring attention to the feature.