-
Notifications
You must be signed in to change notification settings - Fork 6
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Current plugin does not support Azure AD authentication #7
Comments
Thanks for the suggestion. Few feedbacks as below:
2.a. Can you elaborate this a bit more? 2.b. Indeed, scope value can be an array. Documentation needs to be updated to reflect this. |
On the first item here about validating the aud with the node identity, it makes sense what is there today. In the case of AAD, because its an full identity service, the audience value is the "application" that represents the actual application that is deployed. (details). With AAD, the client should validate the application id based on application configuration with the token received. On 2a, to elaborate. The token generated by AAD will preface each scope with the application id uri (the id that represents this unique application registration (format: api://). On 2b, good deal, I will test this. |
1 ) I see, so the responsibility is with the client to verify the 2b) Got it. The current scope is also of URI format (e.g.: |
@trung unfortunately opting out of the |
|
@trung I'm obviously not @caleteeter, but I'm weighing in to keep things moving along... It seems logical that in cases when the resource server is a policy enforcement point (as quorum is in this case), it would need to know its own application id. Otherwise how does it know that the inputs for the policies that its enforcing are valid in the context of its own application scope? |
Sorry for the lag here, got a few plates spinning. I did discuss this case with someone on the AAD team. Here is what I was thinking. The aud value will be a URI: api://. I was thinking that this will be present in the access token presented to the plugin and the plugin is preconfigured with the check for the correct audience. In this case Quorum is the client validating this audience. This looks similar to the hydra setup, where the access token requested by the user, include the audience. In our case this in the URI. Would that not suffice? |
The current plugin has some incompatibilities with Azure AD authentication.
The audience value cannot be set to the format in the current plugin for AAD (Node1,Node2). The reason is the audience value for the token from AAD using an application id uri scheme. (e.g. api://qrm) to uniquely identify the application (and token).
The scope format used the current plugin has 2 incompatibilities.
a) The application uri scheme will preface each custom scope (e.g. api://qrm/)
b) The token format for the scopes is space delimited, not a string array.
I have a fork, working on the changes and will PR them.
The text was updated successfully, but these errors were encountered: