Azure Active Directory group claims combine unexpectedly in OpenShift 4

Solution Verified

Environment

  • Red Hat OpenShift Container Platform (RHOCP)
    • 4
  • Azure Red Hat OpenShift (ARO)
    • 4
  • Red Hat OpenShift Service on AWS (ROSA)
    • 4
  • Red Hat OpenShift Dedicated (OSD)
    • 4
  • Azure Active Directory (AAD) configured as an OpenID Connect (OIDC) identity provider

Issue

  • What is the correct endpoint to configure Azure Active Directory as an OIDC identity provider in OpenShift 4?
  • Adding users through AAD configured as an OIDC identity provider creates malformed group entries in OCP 4.
  • When configuring AAD with the OpenID Connect group claim attribute in the OAuth CustomResourceDefinition (CRD), all groups provided by the claim are unexpectedly combined into a single group instead of being added as multiple individual groups. This issue creates groups that look like this:

    kind: Group
    apiVersion: user.openshift.io/v1
    metadata:
      name: >-
        ["xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx","yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy","zzzzzzzz-zzzz-zzzz-zzzz-zzzzzzzzzzzz"]
      uid: b3ed0b40-ffd3-5r0c-fcas-3b780aa40b3f
      resourceVersion: '1234'
      creationTimestamp: '2022-07-27T18:20:48Z'
      annotations:
        oauth.openshift.io/generated: 'true'
        oauth.openshift.io/idp.AAD: synced
    users:
      - example@example.com

Resolution

Disclaimer: Links contained herein to external website(s) are provided for convenience only. Red Hat has not reviewed the links and is not responsible for the content or its availability. The inclusion of any link to an external website does not imply endorsement by Red Hat of the website or their entities, products or services. You agree that Red Hat is not responsible or liable for any loss or expenses that may result due to your use of (or reliance on) the external site or content.

Ensure that the issuer URL specified in the openID section of the OAuth CustomResourceDefinition (CRD) is set to the Azure Active Directory v2.0 endpoint. The v2.0 endpoint format is:

https://login.microsoftonline.com/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/v2.0

Where xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx is the Azure Active Directory application's tenant ID.

Root Cause

The Azure Active Directory v1.0 endpoint returns the group claim to OpenShift as a single concatenated string rather than as a list of individual group IDs, so OpenShift creates one group whose name is the entire string. The Azure Active Directory v2.0 endpoint returns the groups individually and does not have this problem.

Diagnostic Steps

Check the issuer URL specified in the OAuth resource and confirm that it ends in /v2.0:

$ oc get oauth cluster -o yaml
apiVersion: config.openshift.io/v1
kind: OAuth
metadata:
  name: cluster
spec:
  identityProviders:
  [...]
    openID:
    [...]
      issuer: https://login.microsoftonline.com/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/v2.0
    [...]
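As an added diagnostic aid that is not part of this solution, the following Python script parses saved `oc get oauth cluster -o json` and `oc get groups -o json` output and flags both symptoms described above: an openID issuer that is not the Azure AD v2.0 endpoint, and generated groups whose name is a JSON list of group IDs. The embedded sample documents and tenant ID are constructed.

```python
import json
import re

# Added diagnostic helper, not from the Red Hat solution. Feed it the JSON output
# of "oc get oauth cluster -o json" and "oc get groups -o json" (saved to files or
# piped in). The sample documents at the bottom are constructed; the tenant ID is fake.

GUID = r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"
# Expected issuer form: https://login.microsoftonline.com/<tenant-id>/v2.0
V2_ISSUER = re.compile(rf"^https://login\.microsoftonline\.com/{GUID}/v2\.0$", re.I)

def check_issuers(oauth_json: str) -> list:
    """Return (idp name, issuer, uses_v2) for every openID provider in the OAuth resource."""
    spec = json.loads(oauth_json).get("spec", {})
    out = []
    for idp in spec.get("identityProviders", []):
        openid = idp.get("openID")
        if openid is None:
            continue
        issuer = openid.get("issuer", "")
        out.append((idp.get("name"), issuer, V2_ISSUER.match(issuer) is not None))
    return out

def malformed_groups(groups_json: str) -> list:
    """Return names of groups whose name is really a JSON list of IDs merged into one string."""
    bad = []
    for item in json.loads(groups_json).get("items", []):
        name = item.get("metadata", {}).get("name", "")
        if not name.startswith("["):
            continue
        try:
            value = json.loads(name)
        except ValueError:
            continue
        if isinstance(value, list) and all(isinstance(v, str) for v in value):
            bad.append(name)
    return bad

# Constructed samples: a v1.0 issuer (the misconfiguration) and one merged group.
SAMPLE_OAUTH = json.dumps({"spec": {"identityProviders": [
    {"name": "AAD", "openID": {"issuer":
        "https://login.microsoftonline.com/11111111-2222-3333-4444-555555555555"}}]}})
SAMPLE_GROUPS = json.dumps({"items": [
    {"metadata": {"name": '["11111111-2222-3333-4444-555555555555","66666666-7777-8888-9999-aaaaaaaaaaaa"]'}},
    {"metadata": {"name": "platform-admins"}}]})

if __name__ == "__main__":
    for name, issuer, ok in check_issuers(SAMPLE_OAUTH):
        print(f"{name}: {issuer} -> {'v2.0 OK' if ok else 'NOT v2.0, fix the issuer'}")
    for name in malformed_groups(SAMPLE_GROUPS):
        print(f"merged group claim: {name}")
```

Replace the sample strings with the real `oc` output to run the same checks against a cluster; a non-v2.0 issuer together with a list-shaped group name is the exact signature this solution describes.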

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
