tableau / connector-plugin-sdk

SDK for Developing Tableau Connector Plugins
https://tableau.github.io/connector-plugin-sdk/
MIT License

Problem with custom signing keys (kid) when using claims mapping in Azure AD #1204

Open dertodestod opened 7 months ago

dertodestod commented 7 months ago

About You:
Name: Thomas

Your question: Hi everyone,

we were able to successfully connect Tableau with our Amazon Athena environment using the recently released Amazon Athena connector which supports OAuth authentication (https://help.tableau.com/current/pro/desktop/en-us//amazon_athena_idp.htm).

To make it work we 'combined' the configs found at https://github.com/tableau/connector-plugin-sdk/blob/master/samples/components/oauth/athena.okta.xml and https://github.com/tableau/connector-plugin-sdk/blob/master/samples/components/oauth/redshift.azure.xml and we are using Azure AD/Entra ID as our IdP.

That works relatively well, however we are missing the ability to use multiple IAM roles with 1 application via SAML Assertions (e.g. 'https://aws.amazon.com/SAML/Attributes/Role') which we are getting with a similar SAML setup for other tools using for example JDBC. Now we want to use something like AWS IAM Session tags (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_adding-assume-role-idp) or Source Identity (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html#id_credentials_temp_control-access_monitor-assume-role-web-id) but for that we need custom claims in our Azure application so the fields are available in the jwt token.

Now, the problem is when we add custom claims Azure is using a different signing key as Microsoft themselves state in their documentation:

"If the application has custom signing keys as a result of using the claims-mapping feature, append an appid query parameter that contains the application ID. For validation, use jwks_uri that points to the signing key information of the application. For example: https://login.microsoftonline.com/{tenant}/.well-known/openid-configuration?appid=535fb089-9ff3-47b6-9bfb-4f1264799865 contains a jwks_uri of https://login.microsoftonline.com/{tenant}/discovery/keys?appid=535fb089-9ff3-47b6-9bfb-4f1264799865."

"Apps that have claims mapping enabled must validate their token signing keys by appending appid={client_id} to their OpenID Connect metadata requests."

See https://learn.microsoft.com/en-us/entra/identity-platform/access-tokens#validate-the-signature or https://learn.microsoft.com/en-us/entra/identity-platform/jwt-claims-customization#validate-token-signing-key.

That means as soon as we attach custom claims to the application the key (kid) in the jwt token is changed on Azure side but the Tableau connector still uses the default keys from https://login.microsoftonline.com/{tenant}/discovery/keys which leads to mismatching keys and errors.

Unfortunately, I don't see a way of telling Tableau to use the custom OpenID Connect metadata links or just a custom jwks_uri (which appends the appid) because in the pluginOAuthConfig .xml file I can only define the authUri and tokenUri.

Can you let me know if there is a way to change that behavior of the Tableau connector via some configuration? If not, do you think it's possible to add a configuration for this to support these custom claims when using Azure? Thanks a lot.

Best regards,
Thomas
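An added illustration (not code from the issue, the connector SDK or Microsoft) of the key lookup the report describes: a token signed with an app-specific key cannot be matched against the tenant-wide `discovery/keys` set, but is found once the `appid` query parameter is carried through to the jwks_uri. The tenant, app id and key ids are placeholders, and the HTTP fetch of each JWKS is replaced by an in-memory dictionary.

```python
import base64
import json
from typing import Optional
from urllib.parse import urlencode

# Placeholder identifiers (not taken from the issue): tenant and app/client id.
TENANT = "contoso.example"
APP_ID = "11111111-2222-3333-4444-555555555555"

def metadata_url(tenant: str, app_id: Optional[str] = None) -> str:
    """OpenID metadata URL; Entra ID requires ?appid= once claims mapping is on."""
    base = f"https://login.microsoftonline.com/{tenant}/.well-known/openid-configuration"
    return f"{base}?{urlencode({'appid': app_id})}" if app_id else base

def jwks_url(tenant: str, app_id: Optional[str] = None) -> str:
    """The jwks_uri such a metadata document points to (same appid rule)."""
    base = f"https://login.microsoftonline.com/{tenant}/discovery/keys"
    return f"{base}?{urlencode({'appid': app_id})}" if app_id else base

def kid_from_token(token: str) -> str:
    """Read the kid from the JWT header segment (no signature check yet)."""
    header_b64 = token.split(".")[0]
    header_b64 += "=" * (-len(header_b64) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(header_b64))["kid"]

# Constructed stand-in for the HTTPS fetch: JWKS documents keyed by URL.
# The tenant-wide set and the app-specific set carry different kids.
FAKE_JWKS = {
    jwks_url(TENANT): {"keys": [{"kty": "RSA", "kid": "tenant-global-key", "use": "sig"}]},
    jwks_url(TENANT, APP_ID): {"keys": [{"kty": "RSA", "kid": "app-custom-key", "use": "sig"}]},
}

def signing_key_for(token: str, tenant: str, app_id: Optional[str] = None) -> Optional[dict]:
    """Resolve the JWK for the token's kid; None means the fetched set has no match."""
    kid = kid_from_token(token)
    keys = FAKE_JWKS.get(jwks_url(tenant, app_id), {"keys": []})["keys"]
    return next((k for k in keys if k.get("kid") == kid), None)

def make_token(kid: str) -> str:
    """Build a constructed, unsigned stand-in JWT whose header names the given kid."""
    header = json.dumps({"alg": "RS256", "kid": kid}).encode()
    return base64.urlsafe_b64encode(header).rstrip(b"=").decode() + ".e30.sig"

if __name__ == "__main__":
    tok = make_token("app-custom-key")
    print(signing_key_for(tok, TENANT))          # None: default key set lacks the kid
    print(signing_key_for(tok, TENANT, APP_ID))  # the matching app-specific key
```

A connector that only knows authUri and tokenUri will take the first path; the fix the reporter asks for is a way to make it take the second.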

lukewrites commented 7 months ago

Internal tracking: W-14661582