Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Microsoft connector - support for using signed assertions from managed identity instead of client secrets #3852

Open
2 tasks done
ItalyPaleAle opened this issue Nov 20, 2024 · 0 comments · May be fixed by #3874
Open
2 tasks done

Comments

@ItalyPaleAle
Copy link

Preflight Checklist

  • I agree to follow the Code of Conduct that this project adheres to.
  • I have searched the issue tracker for an issue that matches the one I want to file, without success.

Problem Description

Using Dex with the Microsoft connector with an Entra ID (Azure AD) app requires setting a client secret in the configuration. Applications are generally discouraged to work with pre-shared keys (like client secrets) whenever possible, as they can pose a security risk.

Apps that are running in Azure, or in environments that can be federated with Entra (e.g. Workload Identity Federation, that works on Kubernetes clusters hosted anywhere, as well as a bunch of other places including Google Cloud, AWS, etc), can leverage managed identity / workload identity to perform a token exchange instead of requiring pre-shared credentials.

Proposed Solution

Support for obtaining a token from Entra ID using signed assertions.

When invoking the /token endpoint to exchange an authorization code for an access token, it should be possible to use a signed assertion instead of a client secret. The assertion can come from a certificate, or can come from a token issued by Managed Identity / Workload Identity.

Alternatives Considered

No response

Additional Information

This feature request would greatly improve the security of environments that use Dex, as they would be able to run without any pre-shared credentials, which are susceptible to being leaked.

ItalyPaleAle added a commit to ItalyPaleAle/dex that referenced this issue Dec 5, 2024
Fixes dexidp#3852

Maintaining shared secrets in the application's configuration is not good, and should be avoided as possible. This includes the client secret used by the Microsoft connector to exchange authorization codes for access tokens using Entra ID (fka Azure AD).

It is possible to avoid using secrets by leveraging a [signed assertion](https://learn.microsoft.com/en-us/entra/identity-platform/v2-oauth2-auth-code-flow#request-an-access-token-with-a-certificate-credential), which comes from managed identity (when the app is running on Azure) or [Workload Identity](https://learn.microsoft.com/en-us/entra/workload-id/workload-identity-federation) (when the app is running on a supported platform, including K8s anywhere).

This is configured with a new configuration key `federatedIdentity` which can have 3 values (all case-insensitive):

- `ManagedIdentity` -> Uses a system-assigned managed identity
- `ManagedIdentity=00000000-0000-0000-0000-000000000000` -> Uses a user-assigned managed identity, where the value is the client ID of the MI
- `WorkloadIdentity` -> uses Workload Identity

Signed-off-by: ItalyPaleAle <43508+ItalyPaleAle@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging a pull request may close this issue.

1 participant