
enable custom Azure endpoints for Government Cloud Services customers #2459

Closed
wants to merge 3 commits into from

Conversation

jlane67

@jlane67 jlane67 commented Apr 1, 2022

Overview

Stops hard-coding Azure endpoints as they are not universally accurate.

What this PR does / why we need it

Resolves #2457. Pure OIDC mode is unable to retrieve group membership data from Azure AD, meaning RBAC is impossible.

Special notes for your reviewer

Does this PR introduce a user-facing change?

yes

This change makes the Azure endpoints configurable. For most users, the default https://login.microsoftonline.com/ and https://graph.microsoft.com/ values will remain the correct choice, but this allows users of Azure in special regions, such as Government Cloud Services for export-controlled workloads, to use the Microsoft connector to get group membership.

@sagikazarmark
Member

@jlane67 thanks for the contribution!

On the surface, this seems to be a breaking change as the default values for those URLs are empty strings.

Do you know if the underlying library falls back to the right default values in this case? Can you also point to the code in the SDK?

Last, but not least: can you please update the documentation? https://github.com/dexidp/website/blob/main/content/docs/connectors/microsoft.md

@jlane67
Author

jlane67 commented Apr 7, 2022

Hi, thank you for pointing that out. I have added another commit adding a fallback to the default values. I'm not super experienced at Go, but this is just something that came up in the course of deploying Dex. If the logical flow looks good I can add a PR to fix the documentation.
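The reviewer's concern above is that an endpoint option whose default is the empty string silently breaks existing deployments unless something fills in the public-cloud values. The following Go program is an added illustration of that fallback pattern, written for this page and not taken from the PR or from Dex itself: a hypothetical `Config` with optional `LoginURL`/`GraphURL` overrides, a `ResolveEndpoints` function that substitutes the public-cloud defaults named in the PR when an override is empty and otherwise insists on an absolute `https` base URL, and two helpers that build the token and group-membership URLs from the resolved base. The URL path layouts and the `.us` Government hostnames are assumptions about how the connector would use these values, not the project's actual code.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Public Azure cloud defaults, as quoted in the PR description.
const (
	defaultLoginURL = "https://login.microsoftonline.com/"
	defaultGraphURL = "https://graph.microsoft.com/"
)

// Config is a hypothetical connector configuration (not Dex's own type).
// An empty LoginURL or GraphURL means "use the public-cloud default", so
// existing configs that never set these keys keep working unchanged.
type Config struct {
	Tenant   string
	LoginURL string
	GraphURL string
}

// Endpoints holds the resolved, validated base URLs (always trailing-slash).
type Endpoints struct {
	Login string
	Graph string
}

// ResolveEndpoints applies the fallback and validates any override. Rejecting
// non-https or malformed values matters here: these URLs decide where the
// connector sends client credentials and bearer tokens.
func ResolveEndpoints(c Config) (Endpoints, error) {
	login, err := resolveOne("loginURL", c.LoginURL, defaultLoginURL)
	if err != nil {
		return Endpoints{}, err
	}
	graph, err := resolveOne("graphURL", c.GraphURL, defaultGraphURL)
	if err != nil {
		return Endpoints{}, err
	}
	return Endpoints{Login: login, Graph: graph}, nil
}

func resolveOne(name, value, fallback string) (string, error) {
	v := strings.TrimSpace(value)
	if v == "" {
		return fallback, nil // unset: keep the pre-PR behaviour
	}
	u, err := url.Parse(v)
	if err != nil {
		return "", fmt.Errorf("%s: %w", name, err)
	}
	if u.Scheme != "https" {
		return "", fmt.Errorf("%s: scheme must be https, got %q", name, u.Scheme)
	}
	if u.Host == "" {
		return "", fmt.Errorf("%s: missing host in %q", name, v)
	}
	if u.RawQuery != "" || u.Fragment != "" {
		return "", fmt.Errorf("%s: base URL must not carry a query or fragment", name)
	}
	if !strings.HasSuffix(v, "/") {
		v += "/" // normalise so path joining below is unambiguous
	}
	return v, nil
}

// TokenURL follows the public-cloud layout {login}{tenant}/oauth2/v2.0/token
// (assumed to be the same shape in other clouds; only the host differs).
func (e Endpoints) TokenURL(tenant string) string {
	return e.Login + tenant + "/oauth2/v2.0/token"
}

// MemberOfURL is an assumed Graph call for group membership lookups.
func (e Endpoints) MemberOfURL() string {
	return e.Graph + "v1.0/me/memberOf"
}

func main() {
	cases := []Config{
		{Tenant: "common"}, // no overrides: public cloud
		{Tenant: "common", LoginURL: "https://login.microsoftonline.us", GraphURL: "https://graph.microsoft.us"},
		{Tenant: "common", LoginURL: "http://login.example.invalid/"}, // constructed bad value
	}
	for _, c := range cases {
		e, err := ResolveEndpoints(c)
		if err != nil {
			fmt.Println("rejected:", err)
			continue
		}
		fmt.Println(e.TokenURL(c.Tenant), e.MemberOfURL())
	}
}
```

With this shape the option is additive: a config file that predates the option resolves to exactly the URLs the connector used before, while a Government Cloud deployment sets the two `.us` hosts and every derived URL moves with them.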

Jonathan Lane added 2 commits April 7, 2022 11:15
Signed-off-by: Jonathan Lane <jlane@astra.com>
Signed-off-by: Jonathan Lane <jlane@astra.com>
@jlane67
Author

jlane67 commented Apr 7, 2022

I have confirmed in a deployment on our infrastructure that the changes in this PR allow full authentication with Azure Government Cloud Services when using the .us endpoints.

@sleterrier

sleterrier commented Aug 4, 2022

@sagikazarmark: anything I could do to help get this PR merged? We are also interested in using Dex against non-standard endpoints.

@dsetlock

@sagikazarmark wanting to pick this thread back up. Trying to deploy Dex into Azure Government, I hit this same blocker and came here to investigate, but it seems a PR to make the Azure endpoints more flexible has been open for over a year.

@sagikazarmark
Member

I'm looking at the code and... I'm a little bit confused. I don't think this code even compiles.

Successfully merging this pull request may close these issues.

Dex can not authenticate against USGovernment Azure via OIDC.