Skip to content

[Bug]: ms-entra and workload identity doesn't use federated credentials when refreshing token #3028

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
Richard87 opened this issue Apr 11, 2025 · 1 comment · Fixed by #3031
Closed

[Bug]: ms-entra and workload identity doesn't use federated credentials when refreshing token #3028

Richard87 opened this issue Apr 11, 2025 · 1 comment · Fixed by #3031
Labels
bug help wanted

Comments

@Richard87
Copy link
Contributor

OAuth2-Proxy Version

7.8.2

Provider

entra-id

Expected Behaviour

Transparent refreshing AccessToken when needed

Current Behaviour

When running with Entra ID and Workload Identity refreshing/reedeming the refresh token doesn't work and fails:

[2025/04/11 13:36:16] [stored_session.go:193] Unable to refresh session: 
error refreshing tokens: unable to redeem refresh token: failed to get token: oauth2: "invalid_client""AADSTS7000218: 
The request body must contain the following parameter: 'client_assertion' or 'client_secret'. 

Trace ID: 60110e49-47d5-46a6-bf85-a4249f3a0000 
Correlation ID: fb527aa9-8f1d-48e5-a1e8-3daeb1e63835
 Timestamp: 2025-04-11 11:36:03Z"
 "https://login.microsoftonline.com/error?code=7000218"

Steps To Reproduce

Run oauth2-proxy with --cookie-refresh=120s and

AZURE_AUTHORITY_HOST=https://login.microsoftonline.com/
AZURE_CLIENT_ID=<AZURE-CLIENT-ID>
AZURE_FEDERATED_TOKEN_FILE=<SOME TOKEN FILENAME>
AZURE_TENANT_ID=<AZURE-TENANT=ID>

OAUTH2_PROXY_PROVIDER=entra-id
OAUTH2_PROXY_CLIENT_ID=<AZURE-CLIENT-ID>
OAUTH2_PROXY_OIDC_ISSUER_URL=https://login.microsoftonline.com/3aa4a235-b6e2-48d5-9195-7fcf05b459b0/v2.0
OAUTH2_PROXY_ENTRA_ID_FEDERATED_TOKEN_AUTH=true

OAUTH2_PROXY_COOKIE_EXPIRE=168h0m0s
OAUTH2_PROXY_COOKIE_HTTPONLY=true
OAUTH2_PROXY_COOKIE_NAME=_oauth2_proxy
OAUTH2_PROXY_COOKIE_REFRESH=60m0s
OAUTH2_PROXY_COOKIE_SAMESITE=lax
OAUTH2_PROXY_COOKIE_SECRET=abcd1234abcd1234
OAUTH2_PROXY_COOKIE_SECURE=true

OAUTH2_PROXY_EMAIL_DOMAINS='*'
OAUTH2_PROXY_HTTP_ADDRESS=http://:4180
OAUTH2_PROXY_INSECURE_OIDC_SKIP_NONCE=false
OAUTH2_PROXY_PASS_ACCESS_TOKEN=true
OAUTH2_PROXY_PASS_BASIC_AUTH=false
OAUTH2_PROXY_PROXY_PREFIX=/oauth2
OAUTH2_PROXY_REDIS_CONNECTION_URL=redis://127.0.0.1:6379
OAUTH2_PROXY_REDIS_PASSWORD=
OAUTH2_PROXY_SCOPE=openid profile offline_access 6dae42f8-4368-4678-94ff-3960e28e3630/user.read email
OAUTH2_PROXY_SESSION_STORE_TYPE=redis
OAUTH2_PROXY_SET_AUTHORIZATION_HEADER=true
OAUTH2_PROXY_SET_XAUTHREQUEST=true
OAUTH2_PROXY_SKIP_CLAIMS_FROM_PROFILE_URL=true
OAUTH2_PROXY_SKIP_OIDC_DISCOVERY=false
OAUTH2_PROXY_SKIP_PROVIDER_BUTTON=true

Possible Solutions

Either upgrade OIDC to possibly get client assertion from ms-entra, or upgrade OIDC with support for any client assertion tool, so private_key_jwt or Federated Credentials with client assertion. (ref., #2909)

Replace OIDCProvider.GetClientSecret() string with a OIDCProvider.AuthenticateClient(oauth2.Config) oauth2.Config method

I would like to propose and make a initial bugfix to make workload identity work (I don't want to recreate our client secrets and maintenance scripts that I deleted :D), and look at the RFC above for a better long-term solution

Configuration details or additional information

Se #1979 for the initial implementation
@Richard87
Copy link
Contributor Author

Richard87 commented Apr 11, 2025
edited
Loading

This would be a Quickfix until Go resolves this golang/oauth2#745 / golang/oauth2#744

This was referenced Apr 14, 2025
Merged
Closed
@chris-sanders chris-sanders mentioned this issue Apr 24, 2025
Open
1 task
@kevindurb kevindurb mentioned this issue Apr 25, 2025
Open
1 task
@soerenschneider soerenschneider mentioned this issue Apr 24, 2025
Open
1 task
@AurimasNav AurimasNav mentioned this issue Apr 25, 2025
Open
1 task
@renovate renovate bot mentioned this issue Apr 27, 2025
Open
1 task
@kevindurb kevindurb mentioned this issue Apr 28, 2025
Open
1 task
This was referenced Apr 28, 2025
Merged
Merged
@dependabot dependabot bot mentioned this issue Apr 28, 2025
Merged
This was referenced Apr 28, 2025
Open
Open
Open
Merged
Open
Merged
Merged
Merged
@dependabot dependabot bot mentioned this issue Apr 29, 2025
Closed
@renovate renovate bot mentioned this issue Apr 29, 2025
Merged
1 task
@bot-goyangi bot-goyangi bot mentioned this issue Apr 30, 2025
Closed
1 task
nilsgstrabo added a commit to equinor/radix-flux that referenced this issue May 2, 2025
@nilsgstrabo
update oauth2-proxy to v7.9.0 to fix bug with refresh token when usin…
235123f 
…g entra ID and workload identity

v7.9.0 fixes Refresh Token bug with Entra ID and Workload Identity, ref oauth2-proxy/oauth2-proxy#3028
@nilsgstrabo nilsgstrabo mentioned this issue May 2, 2025
Merged
Richard87 pushed a commit to equinor/radix-flux that referenced this issue May 2, 2025
@nilsgstrabo
update oauth2-proxy to v7.9.0 to fix bug with refresh token when usin…
32e8346 
…g entra ID and workload identity (#2749)

v7.9.0 fixes Refresh Token bug with Entra ID and Workload Identity, ref oauth2-proxy/oauth2-proxy#3028
@renovate renovate bot mentioned this issue May 3, 2025
Open
1 task
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug help wanted
Projects
None yet
Milestone
No milestone
1 participant
@Richard87