Integration directly with AzureAd for authentication

[aupadh12]

Hi Team,

I am trying to implement SSO using AzureAD.
When I am using Dex, it is asking for Directory.ReadAll permission which is not allowed in our organization.

So, I would like to understand if there is a way to skip DEX and directly use OIDC with clientID and client secret and configure the SSO.
This should essentially be similar to how it is done for argocd. We have directly implement OIDC with azureAd and skipped Dex for argocd.

My kargo-api configmap looks like below which uses Dex:

Source: kargo/templates/api/configmap.yaml

--- apiVersion: v1 kind: ConfigMap metadata: name: kargo-api namespace: kargo labels: helm.sh/chart: kargo-1.0.3 app.kubernetes.io/name: kargo app.kubernetes.io/instance: kargo app.kubernetes.io/version: "v1.0.3" app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: api data: KARGO_NAMESPACE: kargo LOG_LEVEL: "DEBUG" TLS_ENABLED: "true" TLS_CERT_PATH: /etc/kargo/tls.crt TLS_KEY_PATH: /etc/kargo/tls.key SECRET_MANAGEMENT_ENABLED: "true" PERMISSIVE_CORS_POLICY_ENABLED: "true" ADMIN_ACCOUNT_ENABLED: "true" ADMIN_ACCOUNT_TOKEN_ISSUER: https://kargo-master-age.abc.com ADMIN_ACCOUNT_TOKEN_AUDIENCE: "kargo-master-age.abc.com" ADMIN_ACCOUNT_TOKEN_TTL: "24h" OIDC_ENABLED: "true" OIDC_ADDITIONAL_SCOPES: groups GLOBAL_SERVICE_ACCOUNT_NAMESPACES: kargo GLOBAL_SERVICE_ACCOUNT: kargo-admin OIDC_ISSUER_URL: https://login.microsoftonline.com/3ac94b33-1234-5674-9502-hfiefewviuvbwiuy4wg35/v2.0 OIDC_CLIENT_ID: kargo-master-age.abc.com OIDC_CLI_CLIENT_ID: kargo-master-age.abc.com-cli DEX_ENABLED: "true" DEX_SERVER_ADDRESS: https://kargo-dex-server.kargo.svc #DEX_SERVER_ADDRESS: https://login.microsoftonline.com/3ac94b33-1234-5674-9502-hfiefewviuvbwiuy4wg35/v2.0 DEX_CA_CERT_PATH: /etc/kargo/idp-ca.crt ARGOCD_NAMESPACE: argocd ARGOCD_URLS: =https://argocd-masterage.abc.com ROLLOUTS_INTEGRATION_ENABLED: "true" ---

Below is my secret configured for Dex:

`

Source: kargo/templates/dex-server/secret.yaml

apiVersion: v1
kind: Secret
type: Opaque
metadata:
name: kargo-dex-server
namespace: kargo
labels:
helm.sh/chart: kargo-1.0.3
app.kubernetes.io/name: kargo
app.kubernetes.io/instance: kargo
app.kubernetes.io/version: "v1.0.3"
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: dex-server
stringData:
config.yaml: |-
issuer: https://login.microsoftonline.com/3ac94b33-1234-5674-9502-hfiefewviuvbwiuy4wg35/v2.0

storage:
  type: memory

web:
  https: 0.0.0.0:5556
  tlsCert: /etc/dex/tls.crt
  tlsKey: /etc/dex/tls.key
telemetry:
  http: 0.0.0.0:5558

oauth2:
  skipApprovalScreen: true

staticClients:
- id: "kargo-master-age.abc.com"
  name: Kargo
  public: true
  redirectURIs:
  - https://kargo-master-age.abc.com/callback
- id: kargo-master-age.abc.com-cli
  name: Kargo CLI
  public: true

connectors:
- config:
    clientID: 1b4a3744-yhyh-4e3d-4563gd-eiodgu23417856bfrvwu
    clientSecret: $CLIENT_SECRET
    redirectURI: https://kargo-master-age.abc.com/api/dex/callback
    tenant: 3ac94b33-1234-5674-9502-hfiefewviuvbwiuy4wg35
    scopes:
    - openid
    - email
    - profile
  id: oidc
  name: oidc
  type: oidc`

Is there any solution to this? I am not able to move ahead and have been forced in using admin user.

[krancour]

So, I would like to understand if there is a way to skip DEX and directly use OIDC with clientID and client secret and configure the SSO.
This should essentially be similar to how it is done for argocd. We have directly implement OIDC with azureAd and skipped Dex for argocd.

Argo CD, historically, has used its API server as a middle-man between the UI and the IDP, which allowed the client secret to remain secret, as it is insecure to distribute the client secret to the UI.

More recently, it gained the ability (optional, afaik) to use the authorization code flow with PKCE, which is a more modern approach for SPAs or other clients that cannot secure the client secret. This configuration doesn't involve any client secret at all.

Kargo has used PKCE from the beginning. This does limit it to working directly with IDPs that support it. In all other cases, Dex, which does fully support it, needs to be used as an adapter.

In the case of Entra ID (formerly Azure AD), PKCE is directly supported.

You should easily find the options in the Kargo chart's values.yaml file for configuring OIDC without Dex and as for the Entra ID side of things, you should follow their own documentation for registering a SPA application to use the authorization code flow with PKCE.

[krancour]

@aupadh12 just following up to see if this worked out for you.

[aupadh12]

Hi @krancour , I tried setting up pkce but was not successful due to possible some internal restrictions. But I was able to get Dex working without requiring additional permissions.
Here is how the config looks like now:

`config.yaml: |-
issuer: https://kargo-master.abc.com/dex

storage:
  type: memory

web:
  https: 0.0.0.0:5556
  tlsCert: /etc/dex/tls.crt
  tlsKey: /etc/dex/tls.key
telemetry:
  http: 0.0.0.0:5558

oauth2:
  skipApprovalScreen: true

staticClients:
- id: "kargo-master.abc.com"
  name: Kargo
  public: true
  redirectURIs:
  - https://kargo-master.abc.com/login
- id: kargo-master.abc.com-cli
  name: Kargo CLI
  public: true

connectors:
- config:
    clientID: 12khuhru-caca-4hjf6j-987jb-8e66anjqwebn
    clientSecret: $CLIENT_SECRET
    issuer: https://login.microsoftonline.com/lkjenovenon-ijriwn-ijosegjn-2837tbbfrv/v2.0
    redirectURI: https://kargo-master-age.jnj.com/dex/callback
    tenant: lkjenovenon-ijriwn-ijosegjn-2837tbbfrv
    tokenURL: https://login.microsoftonline.com/lkjenovenon-ijriwn-ijosegjn-2837tbbfrv/oauth2/v2.0/token
    authorizationURL: https://login.microsoftonline.com/lkjenovenon-ijriwn-ijosegjn-2837tbbfrv/oauth2/v2.0/authorize
    #userInfoURL: https://login.microsoftonline.com/lkjenovenon-ijriwn-ijosegjn-2837tbbfrv/v2.0/.well-known/openid-configuration
    domainHint: abc.com
    insecureSkipEmailVerified: true
    emailToLowercase: true
    scopes:
    - openid
    - email
    - profile
    groups:
    - kargo-admin
  id: azuread
  name: azuread
  type: oidc`

But now when I login as a user using SSO, I getting an error which says : projects.kargo.akuity.io is forbidden: list is not permitted
I am still trying to figure what I need to do next to fix this one.

[krancour]

groups:
- kargo-admin

Doesn't look like valid configuration for the OIDC connector.

What were you trying to accomplish with that?

[aupadh12]

I changed it to a valid configuration as the dex document but still I am getting that error: projects.kargo.akuity.io is forbidden: list is not permitted

I am trying to create a group called kargo-admin so that all the users who are part of that group will be able to promote changes by configuring stages.
This way I am planning to setup an efficient way of deploying things from development repo to production repo.

[krancour]

To the best of my knowledge group claims from Entra/AD are object IDs. kargo-admin does not look valid.