Unclear documentation for configuring multiple redirect URIs in Azure AD authentication

[qdrop17]

Summary

The process of configuring multiple redirect URIs for Azure AD-enabled authentication is not well documented. The relevant documentation can be found at:

• https://ranchermanager.docs.rancher.com/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-azure-ad#optional-configure-authentication-with-multiple-rancher-domains

• rancher-docs/docs/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-azure-ad.md

  Line 230 in a4be67a

  If you have multiple Rancher domains, it's not possible to configure multiple redirect URIs through the Rancher UI. The Azure AD configuration file, `azuread`, only allows one redirect URI by default. You must manually edit `azuread` to set the redirect URI as needed for any other domains. If you don't manually edit `azuread`, then upon a successful login attempt to any domain, Rancher automatically redirects the user to the **Redirect URI** value you set when you registered the app in [Step 1. Register Rancher with Azure](#1-register-rancher-with-azure).

While the file provided contains the necessary information, it is presented as a key-value pair rather than a list. As a result, we are unsure how to configure an additional redirect URI for our external exposure.

kubectl get authconfigs.management.cattle.io azuread -o yaml
accessMode: unrestricted
apiVersion: management.cattle.io/v3
applicationId: xxx
applicationSecret: cattle-global-data:azureadconfig-applicationsecret
authEndpoint: https://login.microsoftonline.com/xxx/oauth2/v2.0/authorize
enabled: true
endpoint: https://login.microsoftonline.com/
graphEndpoint: https://graph.microsoft.com
kind: AuthConfig
metadata:
  annotations:
    auth.cattle.io/azuread-endpoint-migrated: "true"
    management.cattle.io/auth-provider-cleanup: unlocked
  creationTimestamp: "2023-11-21T08:27:18Z"
  generation: 4
  labels:
    cattle.io/creator: norman
  name: azuread
  resourceVersion: "7988248"
  uid: xxx
rancherUrl: https://xxx/verify-auth-azure
status:
  conditions:
  - status: "True"
    type: SecretsMigrated
tenantId: xxx
tokenEndpoint: https://login.microsoftonline.com/xxx/oauth2/v2.0/token
type: azureADConfig

It would be great to clarify how this can be done properly.

Related Issues

rancher/rancher#23671

[martyav]

@qdrop17 unfortunately, the mapping here is one to one, and can't accept a list of values. The one thing docs team can do here is clear up the wording to make that more evident.

[qdrop17]

@qdrop17 unfortunately, the mapping here is one to one, and can't accept a list of values. The one thing docs team can do here is clear up the wording to make that more evident.

Okay, got it. Do you mind mentioning someone from the development team to clarify this feature? To us, it's unclear if Rancher supports multiple redirect URIs or not. We would greatly appreciate this capability.

[martyav]

@JonCrowther or @samjustus could you address?

To us, it's unclear if Rancher supports multiple redirect URIs or not. We would greatly appreciate this capability.

[JonCrowther]

That's correct. You can modify the 1 listed domain manually, but never have more than one at the same time. As far as supporting multiple, it is on our radar, but hasn't been prioritized yet. If you'd like to leave a comment on rancher/rancher#23671, that would help bring attention to the feature.