
Add openid scope to request for Microsoft Azure connector #1855

Open
mrandall-wish opened this issue Nov 5, 2020 · 2 comments · Fixed by open-ch/dex#1 · May be fixed by #2047 or #2877

Comments

mrandall-wish commented Nov 5, 2020

We have a Conditional Access policy set up in Azure with a custom control for Duo MFA but it is not being applied to Dex authentications because the request is missing the openid scope.

Per Microsoft, the openid scope needs to be added to apply MFA at the application level rather than the resource level (Microsoft Graph).

Is there a way to add this scope to the request?

scopes currently returned:
user.read
directory.read.all


schuhu commented Feb 25, 2021

I had the same issue, debugged it, and solved it with Microsoft.

Basically what is needed is openid as the first scope, plus the following, directly quoting the Microsoft engineer:

"Another thing that I noticed is that the scopes you are asking for, for the access token, are user.read and directory.read.all.
Without specifying the full appID URI of MS Graph (which is what I am assuming you want to access with the token based on the current consented permissions of the app)
our backend will evaluate these as scopes for the older AAD Graph API instead.
Can you also replace, just for testing purposes, the user.read and directory.read.all scopes with this single one https://graph.microsoft.com/.default
The .default will request all scopes that have been consented to by an admin in your tenant in a single take."

So for us, adding openid and replacing the other scopes with https://graph.microsoft.com/.default solved the MFA issue.

Unfortunately I'm off on holidays now, but will probably come up with a PR after.
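To make the two changes in this comment concrete, here is an added Go example (not dex's own connector code, and not from anyone in this thread) that builds the scope list the way the Microsoft engineer describes: `openid` first, and the bare `user.read` / `directory.read.all` names collapsed into the single `https://graph.microsoft.com/.default` scope. It also includes a small checker that flags a scope list still carrying the old shape, which is a useful review gate for a connector configuration. The tenant, client ID and redirect URI in `main` are constructed placeholders; the `login.microsoftonline.com` v2.0 authorize endpoint is the real Azure AD endpoint.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// graphDefaultScope is the single scope the Microsoft engineer recommends:
// it requests every Graph permission an admin has already consented to.
const graphDefaultScope = "https://graph.microsoft.com/.default"

// legacyGraphScopes are the bare permission names dex was sending. Without the
// full Graph app-ID URI, Azure AD evaluates them against the older AAD Graph API.
var legacyGraphScopes = map[string]bool{
	"user.read":          true,
	"directory.read.all": true,
}

// NormalizeScopes returns the scope list to put in the authorization request:
// "openid" first (so MFA / Conditional Access applies at the application level),
// bare Graph names replaced by the .default scope, everything else kept in
// order with duplicates removed.
func NormalizeScopes(requested []string) []string {
	out := []string{"openid"}
	seen := map[string]bool{"openid": true}
	for _, s := range requested {
		s = strings.TrimSpace(s)
		if s == "" {
			continue
		}
		key := strings.ToLower(s)
		if legacyGraphScopes[key] {
			s = graphDefaultScope
			key = strings.ToLower(s)
		}
		if seen[key] {
			continue
		}
		seen[key] = true
		out = append(out, s)
	}
	return out
}

// CheckScopes reports the problems described in this issue for an existing
// scope list, so a misconfigured connector can be caught before deployment.
func CheckScopes(scopes []string) []string {
	var problems []string
	if len(scopes) == 0 || !strings.EqualFold(scopes[0], "openid") {
		problems = append(problems, "openid missing or not first: application-level MFA will not be applied")
	}
	for _, s := range scopes {
		if legacyGraphScopes[strings.ToLower(s)] {
			problems = append(problems, fmt.Sprintf("bare scope %q is evaluated against the legacy AAD Graph API; use %s", s, graphDefaultScope))
		}
	}
	return problems
}

// AuthorizeURL assembles the Azure AD v2.0 authorization request with the
// space-separated scope parameter. tenant, clientID and redirectURI are
// caller-supplied; the values in main below are constructed placeholders.
func AuthorizeURL(tenant, clientID, redirectURI string, scopes []string) string {
	q := url.Values{}
	q.Set("client_id", clientID)
	q.Set("response_type", "code")
	q.Set("redirect_uri", redirectURI)
	q.Set("scope", strings.Join(scopes, " "))
	return "https://login.microsoftonline.com/" + url.PathEscape(tenant) + "/oauth2/v2.0/authorize?" + q.Encode()
}

func main() {
	before := []string{"user.read", "directory.read.all"} // what the connector sent
	for _, p := range CheckScopes(before) {
		fmt.Println("problem:", p)
	}
	after := NormalizeScopes(before)
	fmt.Println("scopes:", after)
	// Placeholder tenant/client/redirect values, constructed for this example.
	fmt.Println(AuthorizeURL("contoso.onmicrosoft.com", "00000000-0000-0000-0000-000000000000",
		"https://dex.example.com/callback", after))
}
```

Running it prints the two findings for the old scope list and then an authorize URL whose `scope` parameter is `openid https://graph.microsoft.com/.default`, which is the shape the comment above reports as fixing MFA enforcement.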

mrandall-wish (Author) commented

Thanks for the response, @schuhu.

I actually came to a similar conclusion with Microsoft Support but have been told by a colleague that the scopes that dex passes when using the Microsoft connector are hardcoded. Do you know if there is a way to pass/edit the scopes in the config without maintaining our own version of dex?

Look forward to the PR though, I will definitely pass it onto our dex team.
