feat(entra): add Workload Identity support for Entra ID (#2902)

2025-05-29 23:17:38 +02:00 · 2025-01-11 12:12:41 +01:00 · 2025-01-11 12:12:41 +01:00 · ae8fb08a89
commit ae8fb08a89
parent 60570cc60e
7 changed files with 169 additions and 13 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -15,6 +15,7 @@
 - [#2821](https://github.com/oauth2-proxy/oauth2-proxy/pull/2821) feat: add CF-Connecting-IP as supported real ip header (@ondrejsika)
 - [#2620](https://github.com/oauth2-proxy/oauth2-proxy/pull/2620) fix: update code_verifier to use recommended method (@vishvananda)
 - [#2392](https://github.com/oauth2-proxy/oauth2-proxy/pull/2392) chore: extend test cases for oidc provider and documentation regarding implicit setting of the groups scope when no scope was specified in the config (@jjlakis / @tuunit)
 - [#2902](https://github.com/oauth2-proxy/oauth2-proxy/pull/2902) feat(entra): add Workload Identity support for Entra ID (@jjlakis)
 # V7.7.1
--- a/docs/docs/configuration/alpha_config.md
+++ b/docs/docs/configuration/alpha_config.md
@ -394,6 +394,7 @@ character.
 | Field | Type | Description |
 | ----- | ---- | ----------- |
 | `allowedTenants` | _[]string_ | AllowedTenants is a list of allowed tenants. In case of multi-tenant apps, incoming tokens are<br/>issued by different issuers and OIDC issuer verification needs to be disabled.<br/>When not specified, all tenants are allowed. Redundant for single-tenant apps<br/>(regular ID token validation matches the issuer). |
 | `federatedTokenAuth` | _bool_ | FederatedTokenAuth enable oAuth2 client authentication with federated token projected<br/>by Entra Workload Identity plugin, instead of client secret. |
 ### OIDCOptions
--- a/docs/docs/configuration/providers/ms_entra_id.md
+++ b/docs/docs/configuration/providers/ms_entra_id.md
@ -12,6 +12,7 @@ The provider is OIDC-compliant, so all the OIDC parameters are honored. Addition
 | Flag                        | Toml Field                 | Type           | Description                                                                                                                                                                                                                                                                               | Default |
 | --------------------------- | -------------------------- | -------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------- |
 | `--entra-id-allowed-tenant` | `entra_id_allowed_tenants` | string \| list | List of allowed tenants. In case of multi-tenant apps, incoming tokens are issued by different issuers and OIDC issuer verification needs to be disabled. When not specified, all tenants are allowed. Redundant for single-tenant apps (regular ID token validation matches the issuer). |         |
 | `--entra-id-federated-token-auth` | `entra_id_federated_token_auth` | boolean | Enable oAuth2 client authentication with federated token projected by Entra Workload Identity plugin, instead of client secret.   | false |
 ## Configure App registration
 To begin, create an App registration, set a redirect URI, and generate a secret. All account types are supported, including single-tenant, multi-tenant, multi-tenant with Microsoft accounts, and Microsoft accounts only.
@ -115,6 +116,34 @@ insecure_oidc_skip_issuer_verification=true
 To provide additional security, Entra ID provider performs check on the ID token's `issuer` claim to match the `https://login.microsoftonline.com/{tenant-id}/v2.0` template.
 ### Workload Identity
 Provider supports authentication with federated token, without need of using client secret. Following conditions have to be met:
 * Cluster has public OIDC provider URL. For major cloud providers, it can be enabled with a single flag, for example for [Azure Kubernetes Service deployed with Terraform](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/kubernetes_cluster), it's `oidc_issuer_enabled`.
 * Workload Identity admission webhook is deployed on the cluster. For AKS, it can be enabled with a flag (`workload_identity_enabled` in Terraform resource), for clusters outside of Azure, it can be installed from [helm chart](https://github.com/Azure/azure-workload-identity).
 * Appropriate federated credential is added to application registration.
 <details>
    <summary>See federated credential terraform example</summary>
 ```
    resource "azuread_application_federated_identity_credential" "fedcred" {
        application_id = azuread_application.application.id # ID of your application
        display_name   = "federation-cred"
        description    = "Workload identity for oauth2-proxy"
        audiences      = ["api://AzureADTokenExchange"] # Fixed value
        issuer         = "https://cluster-oidc-issuer-url..."
        subject        = "system:serviceaccount:oauth2-proxy-namespace-name:oauth2-proxy-sa-name" # set proper NS and SA name
    }
 ```
 </details>
 * Kubernetes service account associated with oauth2-proxy deployment, is annotated with `azure.workload.identity/client-id: <app-registration-client-id>`
 * oauth2-proxy pod is labeled with `azure.workload.identity/use: "true"`
 * oauth2-proxy is configured with `entra_id_federated_token_auth` set to `true`.
 `client_secret` setting can be omitted when using federated token authentication.
 See: [Azure Workload Identity documentation](https://azure.github.io/azure-workload-identity/docs/).
 ### Example configurations
 Single-tenant app without groups (*groups claim* not enabled). Consider using generic OIDC provider:
 ```toml
@ -145,6 +174,16 @@ scope="openid User.Read"
 allowed_groups=["968b4844-d5e7-4e18-a834-59927959369f"]
 ```
 Single-tenant app with more than 200 groups and workload identity enabled:
 ```toml
 provider="entra-id"
 oidc_issuer_url="https://login.microsoftonline.com/<tenant-id>/v2.0"
 client_id="<client-id>"
 scope="openid User.Read"
 allowed_groups=["968b4844-d5e7-4e18-a834-59927959369f"]
 entra_id_federated_token_auth=true
 ```
 Multi-tenant app with Microsoft personal accounts & one Entra tenant allowed, with group overage considered:
 ```toml
 provider="entra-id"
--- a/pkg/apis/options/legacy_options.go
+++ b/pkg/apis/options/legacy_options.go
@ -489,6 +489,7 @@ type LegacyProvider struct {
 	AzureTenant                            string   `flag:"azure-tenant" cfg:"azure_tenant"`
 	AzureGraphGroupField                   string   `flag:"azure-graph-group-field" cfg:"azure_graph_group_field"`
 	EntraIDAllowedTenants                  []string `flag:"entra-id-allowed-tenant" cfg:"entra_id_allowed_tenants"`
 	EntraIDFederatedTokenAuth              bool     `flag:"entra-id-federated-token-auth" cfg:"entra_id_federated_token_auth"`
 	BitbucketTeam                          string   `flag:"bitbucket-team" cfg:"bitbucket_team"`
 	BitbucketRepository                    string   `flag:"bitbucket-repository" cfg:"bitbucket_repository"`
 	GitHubOrg                              string   `flag:"github-org" cfg:"github_org"`
@ -552,6 +553,7 @@ func legacyProviderFlagSet() *pflag.FlagSet {
 	flagSet.String("azure-tenant", "common", "go to a tenant-specific or common (tenant-independent) endpoint.")
 	flagSet.String("azure-graph-group-field", "", "configures the group field to be used when building the groups list(`id` or `displayName`. Default is `id`) from Microsoft Graph(available only for v2.0 oidc url). Based on this value, the `allowed-group` config values should be adjusted accordingly. If using `id` as group field, `allowed-group` should contains groups IDs, if using `displayName` as group field, `allowed-group` should contains groups name")
 	flagSet.StringSlice("entra-id-allowed-tenant", []string{}, "list of tenants allowed for MS Entra ID multi-tenant application")
 	flagSet.Bool("entra-id-federated-token-auth", false, "enable oAuth client authentication with federated token projected by Azure Workload Identity plugin, instead of client secret.")
 	flagSet.String("bitbucket-team", "", "restrict logins to members of this team")
 	flagSet.String("bitbucket-repository", "", "restrict logins to user with access to this repository")
 	flagSet.String("github-org", "", "restrict logins to members of this organisation")
@ -760,7 +762,8 @@ func (l *LegacyProvider) convert() (Providers, error) {
 		}
 	case "entra-id":
 		provider.MicrosoftEntraIDConfig = MicrosoftEntraIDOptions{
-			AllowedTenants: l.EntraIDAllowedTenants,
+			AllowedTenants:     l.EntraIDAllowedTenants,
 			FederatedTokenAuth: l.EntraIDFederatedTokenAuth,
 		}
 	}
--- a/pkg/apis/options/providers.go
+++ b/pkg/apis/options/providers.go
@ -166,6 +166,10 @@ type MicrosoftEntraIDOptions struct {
 	// When not specified, all tenants are allowed. Redundant for single-tenant apps
 	// (regular ID token validation matches the issuer).
 	AllowedTenants []string `json:"allowedTenants,omitempty"`
 	// FederatedTokenAuth enable oAuth2 client authentication with federated token projected
 	// by Entra Workload Identity plugin, instead of client secret.
 	FederatedTokenAuth bool `json:"federatedTokenAuth,omitempty"`
 }
 type ADFSOptions struct {
--- a/pkg/validation/providers.go
+++ b/pkg/validation/providers.go
@ -46,20 +46,47 @@ func validateProvider(provider options.Provider, providerIDs map[string]struct{}
 		msgs = append(msgs, "provider missing setting: client-id")
 	}
-	// login.gov uses a signed JWT to authenticate, not a client-secret
+	if providerRequiresClientSecret(provider) {
-	if provider.Type != "login.gov" {
+		msgs = append(msgs, validateClientSecret(provider)...)
 		if provider.ClientSecret == "" && provider.ClientSecretFile == "" {
 			msgs = append(msgs, "missing setting: client-secret or client-secret-file")
 		}
 		if provider.ClientSecret == "" && provider.ClientSecretFile != "" {
 			_, err := os.ReadFile(provider.ClientSecretFile)
 			if err != nil {
 				msgs = append(msgs, "could not read client secret file: "+provider.ClientSecretFile)
 			}
 		}
 	}
-	msgs = append(msgs, validateGoogleConfig(provider)...)
+	if provider.Type == "google" {
 		msgs = append(msgs, validateGoogleConfig(provider)...)
 	}
 	if provider.Type == "entra-id" {
 		msgs = append(msgs, validateEntraConfig(provider)...)
 	}
 	return msgs
 }
 // providerRequiresClientSecret checks if provider requires client secret to be set
 // or it can be omitted in favor of JWT token to authenticate oAuth client
 func providerRequiresClientSecret(provider options.Provider) bool {
 	if provider.Type == "entra-id" && provider.MicrosoftEntraIDConfig.FederatedTokenAuth {
 		return false
 	}
 	if provider.Type == "login.gov" {
 		return false
 	}
 	return true
 }
 func validateClientSecret(provider options.Provider) []string {
 	msgs := []string{}
 	if provider.ClientSecret == "" && provider.ClientSecretFile == "" {
 		msgs = append(msgs, "missing setting: client-secret or client-secret-file")
 	}
 	if provider.ClientSecret == "" && provider.ClientSecretFile != "" {
 		_, err := os.ReadFile(provider.ClientSecretFile)
 		if err != nil {
 			msgs = append(msgs, "could not read client secret file: "+provider.ClientSecretFile)
 		}
 	}
 	return msgs
 }
@ -96,3 +123,23 @@ func validateGoogleConfig(provider options.Provider) []string {
 	return msgs
 }
 func validateEntraConfig(provider options.Provider) []string {
 	msgs := []string{}
 	if provider.MicrosoftEntraIDConfig.FederatedTokenAuth {
 		federatedTokenPath := os.Getenv("AZURE_FEDERATED_TOKEN_FILE")
 		if federatedTokenPath == "" {
 			msgs = append(msgs, "entra federated token authentication is enabled, but AZURE_FEDERATED_TOKEN_FILE variable is not set, check your workload identity configuration.")
 			return msgs
 		}
 		_, err := os.ReadFile(federatedTokenPath)
 		if err != nil {
 			msgs = append(msgs, "could not read entra federated token file")
 		}
 	}
 	return msgs
 }
--- a/providers/ms_entra_id.go
+++ b/providers/ms_entra_id.go
@ -1,9 +1,12 @@
 package providers
 import (
 	"bytes"
 	"context"
 	"encoding/json"
 	"fmt"
 	"net/url"
 	"os"
 	"regexp"
 	"github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/options"
@ -12,12 +15,14 @@ import (
 	"github.com/oauth2-proxy/oauth2-proxy/v7/pkg/requests"
 	"github.com/oauth2-proxy/oauth2-proxy/v7/pkg/util"
 	"github.com/spf13/cast"
 	"golang.org/x/oauth2"
 )
 // MicrosoftEntraIDProvider represents provider for Azure Entra Authentication V2 endpoint
 type MicrosoftEntraIDProvider struct {
 	*OIDCProvider
 	multiTenantAllowedTenants []string
 	federatedTokenAuth        bool
 	microsoftGraphURL *url.URL
 }
@ -44,6 +49,7 @@ func NewMicrosoftEntraIDProvider(p *ProviderData, opts options.Provider) *Micros
 		OIDCProvider: NewOIDCProvider(p, opts.OIDCConfig),
 		multiTenantAllowedTenants: opts.MicrosoftEntraIDConfig.AllowedTenants,
 		federatedTokenAuth:        opts.MicrosoftEntraIDConfig.FederatedTokenAuth,
 		microsoftGraphURL:         microsoftGraphURL,
 	}
 }
@ -89,6 +95,61 @@ func (p *MicrosoftEntraIDProvider) ValidateSession(ctx context.Context, session
 	return p.OIDCProvider.ValidateSession(ctx, session)
 }
 // Redeem exchanges the OAuth2 authentication token for an ID token, considering federated token authentication
 func (p *MicrosoftEntraIDProvider) Redeem(ctx context.Context, redirectURL, code, codeVerifier string) (*sessions.SessionState, error) {
 	if p.federatedTokenAuth {
 		return p.redeemWithFederatedToken(ctx, redirectURL, code, codeVerifier)
 	}
 	return p.OIDCProvider.Redeem(ctx, redirectURL, code, codeVerifier)
 }
 // redeemWithFederatedToken performs custom token exchange with federated token instead of client secret
 func (p *MicrosoftEntraIDProvider) redeemWithFederatedToken(ctx context.Context, redirectURL, code, codeVerifier string) (*sessions.SessionState, error) {
 	federatedTokenPath := os.Getenv("AZURE_FEDERATED_TOKEN_FILE")
 	federatedToken, err := os.ReadFile(federatedTokenPath)
 	if err != nil {
 		return nil, fmt.Errorf("error reading federated token file %s: %s", federatedTokenPath, err)
 	}
 	params := url.Values{}
 	// create custom exchange parameters
 	if codeVerifier != "" {
 		params.Add("code_verifier", codeVerifier)
 	}
 	params.Add("redirect_uri", redirectURL)
 	params.Add("client_id", p.ClientID)
 	params.Add("client_assertion", string(federatedToken))
 	params.Add("client_assertion_type", "urn:ietf:params:oauth:client-assertion-type:jwt-bearer")
 	params.Add("code", code)
 	params.Add("grant_type", "authorization_code")
 	// perform exchange
 	resp := requests.New(p.RedeemURL.String()).
 		WithContext(ctx).
 		WithMethod("POST").
 		WithBody(bytes.NewBufferString(params.Encode())).
 		SetHeader("Content-Type", "application/x-www-form-urlencoded").
 		Do()
 	// prepare token of type *oauth2.Token
 	var token *oauth2.Token
 	var rawResponse interface{}
 	body := resp.Body()
 	if err := json.Unmarshal(body, &rawResponse); err != nil {
 		return nil, err
 	}
 	if err := json.Unmarshal(body, &token); err != nil {
 		return nil, err
 	}
 	// create session using new token and generic OIDC provider
 	return p.OIDCProvider.createSession(ctx, token.WithExtra(rawResponse), false)
 }
 // checkGroupOverage checks ID token's group membership claims for the group overage
 func (p *MicrosoftEntraIDProvider) checkGroupOverage(session *sessions.SessionState) (bool, error) {
 	extractor, err := p.getClaimExtractor(session.IDToken, session.AccessToken)