OIDC Azure Integration fails

[tomhuang12]

Describe the bug

After setting up oidc-auth secret and restarting the deployment, the pod goes into CrashLoopBackOff state with error:

Error: could not create auth server: could not create provider: oidc: issuer did not match the issuer returned by provider, expected "https://login.microsoftonline.com/organizations/v2.0" got "[https://login.microsoftonline.com/{tenantid}/v2.0](https://login.microsoftonline.com/%7Btenantid%7D/v2.0)"

The Azure/Microsoft OIDC URL used is https://login.microsoftonline.com/organizations/v2.0. The resulting OIDC config returns "https://login.microsoftonline.com/{tenantid}/v2.0" from the Microsoft side which causes the failure.

Environment

• Weave-Gitops Version: v0.8.1
• Flux Version: v0.31
• Kubernetes version: v1.22.6

To Reproduce
Steps to reproduce the behavior:

Go through setting up OIDC using Azure's OIDC configuration. (I can provide detailed steps on the Azure side if needed.)

Expected behavior

OIDC should work with Azure/Microsoft OIDC.

Actual Behavior

OIDC auth fails to work.

Additional Context (screenshots, logs, etc)

2022-06-16T13:07:25.254Z    INFO    gitops    cmd/cmd.go:99    Version    {"version": "v0.0.0", "git-commit": "", "branch": "", "buildtime": ""}
I0616 13:07:26.306156       1 request.go:665] Waited for 1.026852261s due to client-side throttling, not priority and fairness, request: GET:https://172.16.0.1:443/apis/operators.coreos.com/v1alpha2?timeout=32s
Error: could not create auth server: could not create provider: oidc: issuer did not match the issuer returned by provider, expected "https://login.microsoftonline.com/organizations/v2.0" got "https://login.microsoftonline.com/{tenantid}/v2.0"
Usage:
   [flags[]
Flags:
      --dev-mode                                 Enables development mode
      --dev-user string                          Sets development User (default "wego-admin")
  -h, --help                                     help for this command
      --host string                              UI host (default "0.0.0.0")
      --insecure                                 do not attempt to read TLS certificates
      --log-level string                         log level (default "info")
      --mtls                                     disable enforce mTLS
      --notification-controller-address string   the address of the notification-controller running in the cluster
      --oidc-client-id string                    The client ID for the OpenID Connect client
      --oidc-client-secret string                The client secret to use with OpenID Connect issuer
      --oidc-issuer-url string                   The URL of the OpenID Connect issuer
      --oidc-redirect-url string                 The OAuth2 redirect URL
      --oidc-token-duration duration             The duration of the ID token. It should be set in the format: number + time unit (s,m,h) e.g., 20m (default 1h0m0s)
      --path string                              Path url
      --port string                              UI port (default "9001")
      --tls-cert-file string                     filename for the TLS certificate, in-memory generated if omitted
      --tls-private-key-file string              filename for the TLS key, in-memory generated if omitted
Error: could not create auth server: could not create provider: oidc: issuer did not match the issuer returned by provider, expected "https://login.microsoftonline.com/organizations/v2.0" got "https://login.microsoftonline.com/{tenantid}/v2.0"

[excelsi0r]

I am also trying to integrate Azure OIDC. I somehow followed the tutorial: https://docs.microsoft.com/en-us/power-apps/maker/portals/configure/configure-openid-settings.

I was able to properly setup the issuerURL by using the "issue" value provided in the JSON in the "well-known" endpoint.

After that, I created a secret for clientID and clientSecret.

Finally, I tested and I was able to get to the microsft Login page.

However, I hit another barrier. The gitops-server uses a custom unsupported scope "groups". And I get this error:

For that I will create another issue...

[tomhuang12]

@excelsi0r Yeah I encountered the similar issue but some other errors came up. I am using keycloak as a proxy currently and had to add "groups" to the scope. Dex is another option that can provide these scopes.

[excelsi0r]

I also believe that with custom Dex or a proxy it might be solved. But I don't intend to use them. Thank you anyway!

[LukaszRacon]

Duplicate: #2507

[ppodevlabs]

just in case anyone is interested, i made it work check #2507 (comment)

[LukaszRacon]

This one can be closed - see above solution or #2745 (comment)

[lasomethingsomething]

Changed to a docs issue, to ensure it's covered in the user guide