Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix idtyp issue with GetMemberGroupsUsingARCOboService #392

Merged
merged 5 commits into from
Jun 12, 2024
Merged

Fix idtyp issue with GetMemberGroupsUsingARCOboService #392

merged 5 commits into from
Jun 12, 2024

Conversation

vineeth-thumma
Copy link
Contributor

@vineeth-thumma vineeth-thumma commented Jun 11, 2024
edited
Loading

  • During testing authentication flow in Guard for a user token (with overage claims), noticed that it is treated as SPN/Application and failed the authentication

  • Looks like Microsoft identity platform has changed the format for user tokens and is now setting optional "idtyp" claim. This needs a change in Guard on how we evaluate if the token corresponds to an AAD User or an Application (SPN)

For more context,
"idtyp" claim is used to get the type of token (app, user, device). By default, it's only emitted for app-only tokens (which seems to have changed now)
Like all optional claims that affect the access token, the resource in the request must set this optional claim, since resources own the access token
https://learn.microsoft.com/en-us/entra/identity-platform/optional-claims-reference#additionalproperties-of-optional-claims

@vineeth-thumma vineeth-thumma requested a review from a team as a code owner June 11, 2024 14:29
weinong
weinong previously approved these changes Jun 11, 2024
View reviewed changes
Copy link
Contributor

@weinong weinong left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

vineeth-thumma and others added 5 commits June 11, 2024 15:42
@vineeth-thumma
fix idtyp issue
3667709 
Signed-off-by: vithumma_microsoft <Vineeth.Thumma@microsoft.com>
@vineeth-thumma
UT for idtyp user
f33e3da 
Signed-off-by: vithumma_microsoft <Vineeth.Thumma@microsoft.com>
@vineeth-thumma
Update graph.go
c353868 
Signed-off-by: vithumma_microsoft <Vineeth.Thumma@microsoft.com>
@vineeth-thumma
Update graph.go
4251246 
Signed-off-by: vithumma_microsoft <Vineeth.Thumma@microsoft.com>
fmt
fcf4756 
Signed-off-by: vithumma_microsoft <Vineeth.Thumma@microsoft.com>
@tamalsaha tamalsaha added the automerge Kodiak will auto merge PRs that have this label label Jun 12, 2024
weinong
weinong approved these changes Jun 12, 2024
View reviewed changes
Copy link
Contributor

@weinong weinong left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@kodiakhq kodiakhq bot merged commit b1c6018 into kubeguard:master Jun 12, 2024
3 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@amanohar amanohar amanohar approved these changes

@julienstroheker julienstroheker julienstroheker approved these changes

@weinong weinong weinong approved these changes

@bcho bcho bcho approved these changes

Assignees
No one assigned
Labels
automerge Kodiak will auto merge PRs that have this label
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
6 participants
@vineeth-thumma @bcho @weinong @julienstroheker @amanohar @tamalsaha