[Bug]: ms-entra and workload identity doesn't use federated credentials when refreshing token #3028

Closed
Richard87 opened this issue Apr 11, 2025 · 1 comment · Fixed by #3031

Comments

@Richard87
Contributor

OAuth2-Proxy Version

7.8.2

Provider

entra-id

Expected Behaviour

Transparent refreshing AccessToken when needed

Current Behaviour

When running with Entra ID and Workload Identity, refreshing/redeeming the refresh token doesn't work and fails:

[2025/04/11 13:36:16] [stored_session.go:193] Unable to refresh session: error refreshing tokens: unable to redeem refresh token: failed to get token: oauth2: "invalid_client" "AADSTS7000218: The request body must contain the following parameter: 'client_assertion' or 'client_secret'.
Trace ID: 60110e49-47d5-46a6-bf85-a4249f3a0000
Correlation ID: fb527aa9-8f1d-48e5-a1e8-3daeb1e63835
Timestamp: 2025-04-11 11:36:03Z"
"https://login.microsoftonline.com/error?code=7000218"

Steps To Reproduce

Run oauth2-proxy with --cookie-refresh=120s and

AZURE_AUTHORITY_HOST=https://login.microsoftonline.com/
AZURE_CLIENT_ID=<AZURE-CLIENT-ID>
AZURE_FEDERATED_TOKEN_FILE=<SOME TOKEN FILENAME>
AZURE_TENANT_ID=<AZURE-TENANT-ID>

OAUTH2_PROXY_PROVIDER=entra-id
OAUTH2_PROXY_CLIENT_ID=<AZURE-CLIENT-ID>
OAUTH2_PROXY_OIDC_ISSUER_URL=https://login.microsoftonline.com/3aa4a235-b6e2-48d5-9195-7fcf05b459b0/v2.0
OAUTH2_PROXY_ENTRA_ID_FEDERATED_TOKEN_AUTH=true

OAUTH2_PROXY_COOKIE_EXPIRE=168h0m0s
OAUTH2_PROXY_COOKIE_HTTPONLY=true
OAUTH2_PROXY_COOKIE_NAME=_oauth2_proxy
OAUTH2_PROXY_COOKIE_REFRESH=60m0s
OAUTH2_PROXY_COOKIE_SAMESITE=lax
OAUTH2_PROXY_COOKIE_SECRET=abcd1234abcd1234
OAUTH2_PROXY_COOKIE_SECURE=true

OAUTH2_PROXY_EMAIL_DOMAINS='*'
OAUTH2_PROXY_HTTP_ADDRESS=http://:4180
OAUTH2_PROXY_INSECURE_OIDC_SKIP_NONCE=false
OAUTH2_PROXY_PASS_ACCESS_TOKEN=true
OAUTH2_PROXY_PASS_BASIC_AUTH=false
OAUTH2_PROXY_PROXY_PREFIX=/oauth2
OAUTH2_PROXY_REDIS_CONNECTION_URL=redis://127.0.0.1:6379
OAUTH2_PROXY_REDIS_PASSWORD=
OAUTH2_PROXY_SCOPE=openid profile offline_access 6dae42f8-4368-4678-94ff-3960e28e3630/user.read email
OAUTH2_PROXY_SESSION_STORE_TYPE=redis
OAUTH2_PROXY_SET_AUTHORIZATION_HEADER=true
OAUTH2_PROXY_SET_XAUTHREQUEST=true
OAUTH2_PROXY_SKIP_CLAIMS_FROM_PROFILE_URL=true
OAUTH2_PROXY_SKIP_OIDC_DISCOVERY=false
OAUTH2_PROXY_SKIP_PROVIDER_BUTTON=true

Possible Solutions

Either upgrade OIDC to possibly get the client assertion from ms-entra, or upgrade OIDC with support for any client assertion tool, such as private_key_jwt or Federated Credentials with client assertion (ref. #2909).

Replace OIDCProvider.GetClientSecret() string with a OIDCProvider.AuthenticateClient(oauth2.Config) oauth2.Config method

I would like to propose and make an initial bugfix to make workload identity work (I don't want to recreate our client secrets and maintenance scripts that I deleted :D), and look at the RFC above for a better long-term solution.

Configuration details or additional information

See #1979 for the initial implementation.
