Configure AzureAD authentication #67

Draft
wants to merge 3 commits into
base: main

Conversation

alexashley (Contributor) commented Jul 15, 2021

This is a sample for configuring AzureAD with Rode.

Notes

  • There are v1 and v2 endpoints in AzureAD, but also a v1 and v2 of the token format. The version of the token format doesn't correspond at all to the endpoint version -- with the default app registration setup you'll get a v1 token from the v2 endpoint. We require the v2 token format so that the aud claim is the Rode client id (with the v1 format the aud claim is the identifier uri). The token version can't be set through Terraform until the next major version of the provider is released.
  • It seems like we have to define separate app registrations as defining a single client causes problems with getting the roles in the token. AzureAD strictly enforces that an access token is for a single API (or "resource") that is distinct from the client itself. So a client only gets its own app roles in the id token and not the access token. You can define the client app as its own required resource; however, that doesn't lend itself well to Terraform and seemed to break token refresh.
  • We do have to define a scope for Rode and request it in the Rode UI call, even though it is a required resource. Without the scope, the access token will fallback to the MS Graph API (aud of 00000003-0000-0000-c000-000000000000).
  • The implicit flow is still enabled, but it will only grant id tokens. This is another limitation in the provider that should be fixed in the next major release.
  • Role values cannot contain spaces, so I had to update those in Rode: Changes for Azure AD integration rode#134
  • The Azure AD api seems to be eventually consistent, several times I would make a change that wasn't reflected until after some time passed.
  • The client credentials flow is strange. You create a service principal, assign it a role using the "API permissions" section in the app registration, and then request a scope of ${RODE_CLIENT_ID}/.default (not the api://rode/rode scope). The response doesn't include a refresh token.

Manual Configuration

There are a few manual steps outside of Terraform that don't seem possible to automate:

  • add users (or groups) to the Rode and Rode UI enterprise applications
  • assign users (or groups) app roles in the Rode enterprise application

App Configuration

Rode

To run Rode with AzureAD:

go run main.go \
  --grafeas-host=grafeas-server.rode-demo-grafeas.svc.cluster.local:8080 \
  --elasticsearch-host=http://elasticsearch-master.rode-demo-elasticsearch.svc.cluster.local:9200 \
  --debug \
  --opa-host=http://rode-opa.rode-demo.svc.cluster.local:8181 \
  --oidc-issuer=https://login.microsoftonline.com/${TENANT_ID}/v2.0 \
  --oidc-role-claim-path=roles

The value of --oidc-role-claim-path is the default and could be omitted, but it's here for completeness.

Rode UI

The important thing to note is the value of OIDC_SCOPE; it must include whatever scope was defined on the Rode app registration, or the app roles won't be in the token. It should also include the offline_access scope, otherwise the token set won't include a refresh token.

OIDC_CLIENT_ID=foo
OIDC_CLIENT_SECRET=bar
OIDC_ENABLED=true
OIDC_SCOPE='openid profile email offline_access api://rode/rode'
OIDC_ISSUER_URL=https://login.microsoftonline.com/${TENANT_ID}/v2.0
APP_SECRET=baz
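The notes above describe three ways an Azure AD access token ends up unusable by Rode: it arrives in the v1 format (aud is the identifier URI rather than the client id), the Rode scope was not requested so aud falls back to Microsoft Graph, or the roles claim is missing because only the client's own id token carries its app roles. The following Go example, added here and not part of Rode or of this PR, decodes a token's claims and applies those checks plus the --oidc-role-claim-path lookup, so a failing login can be diagnosed from the token itself. The issuer, client id and the tokens are constructed sample values; dotted claim paths (e.g. realm_access.roles) are an assumption of the example, the PR only uses the plain "roles" path; and the helper intentionally does not verify the signature, which the OIDC library does against the issuer's JWKS.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Constructed sample values for this example (not from a real tenant).
const (
	SampleIssuer   = "https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/v2.0"
	SampleClientID = "11111111-2222-3333-4444-555555555555" // Rode app registration client id (constructed)
	// aud of an access token that fell back to Microsoft Graph (value quoted from the PR notes).
	msGraphAudience = "00000003-0000-0000-c000-000000000000"
)

// decodeClaims splits a compact JWT and decodes its payload. It does NOT verify the
// signature; that is the OIDC library's job. This helper explains why a token was
// rejected, it does not authenticate it.
func decodeClaims(token string) (map[string]interface{}, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("token is not a compact JWS (expected 3 segments)")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, fmt.Errorf("payload is not base64url: %w", err)
	}
	var claims map[string]interface{}
	if err := json.Unmarshal(payload, &claims); err != nil {
		return nil, fmt.Errorf("payload is not JSON: %w", err)
	}
	return claims, nil
}

// lookupPath resolves a dotted claim path such as "roles" or "realm_access.roles".
// Dotted paths are an assumption of this example; the PR only uses "roles".
func lookupPath(claims map[string]interface{}, path string) (interface{}, bool) {
	var cur interface{} = claims
	for _, key := range strings.Split(path, ".") {
		m, ok := cur.(map[string]interface{})
		if !ok {
			return nil, false
		}
		if cur, ok = m[key]; !ok {
			return nil, false
		}
	}
	return cur, true
}

// CheckAzureADToken applies the checks implied by the PR notes (issuer, v2 token
// format, aud equal to the Rode client id, roles present) and returns the app roles.
func CheckAzureADToken(token, issuer, clientID, roleClaimPath string) ([]string, error) {
	claims, err := decodeClaims(token)
	if err != nil {
		return nil, err
	}
	if iss, _ := claims["iss"].(string); iss != issuer {
		return nil, fmt.Errorf("iss %q is not the expected issuer %q", iss, issuer)
	}
	// Azure AD reports the token format in "ver". Only the 2.0 format puts the
	// client id in aud; the 1.0 format carries the identifier URI instead.
	if ver, _ := claims["ver"].(string); ver != "2.0" {
		return nil, fmt.Errorf("token format version %q, Rode needs 2.0", ver)
	}
	switch aud, _ := claims["aud"].(string); aud {
	case clientID: // expected: the token is for the Rode API
	case msGraphAudience:
		return nil, errors.New("aud is Microsoft Graph: the Rode scope was not requested")
	default:
		return nil, fmt.Errorf("aud %q is not the Rode client id %q", aud, clientID)
	}
	raw, ok := lookupPath(claims, roleClaimPath)
	if !ok {
		return nil, fmt.Errorf("no claim at %q: a client app's own roles only appear in its id token", roleClaimPath)
	}
	list, ok := raw.([]interface{})
	if !ok {
		return nil, fmt.Errorf("claim %q is not an array", roleClaimPath)
	}
	roles := make([]string, 0, len(list))
	for _, r := range list {
		s, ok := r.(string)
		if !ok {
			return nil, fmt.Errorf("claim %q holds a non-string role", roleClaimPath)
		}
		roles = append(roles, s)
	}
	return roles, nil
}

// SampleToken builds a constructed, unsigned token (placeholder signature segment)
// with the given ver/aud/roles claims, for demonstration only.
func SampleToken(ver, aud string, roles []string) string {
	enc := func(v interface{}) string {
		b, _ := json.Marshal(v)
		return base64.RawURLEncoding.EncodeToString(b)
	}
	claims := map[string]interface{}{"iss": SampleIssuer, "ver": ver, "aud": aud}
	if roles != nil {
		claims["roles"] = roles
	}
	return enc(map[string]string{"alg": "RS256", "typ": "JWT"}) + "." + enc(claims) + ".placeholder-signature"
}

func main() {
	for name, tok := range map[string]string{
		"v2 token for Rode":         SampleToken("2.0", SampleClientID, []string{"collector", "enforcer"}),
		"v1 token (identifier uri)": SampleToken("1.0", "api://rode", []string{"collector"}),
		"Graph fallback":            SampleToken("2.0", msGraphAudience, nil),
	} {
		roles, err := CheckAzureADToken(tok, SampleIssuer, SampleClientID, "roles")
		fmt.Printf("%-26s roles=%v err=%v\n", name, roles, err)
	}
}
```

Running it prints one line per constructed token: only the v2 token addressed to the Rode client id yields roles; the v1-format token fails the ver check before aud is even compared, and the Graph-fallback token is reported as a missing scope request rather than as a generic audience mismatch, which is the distinction that matters when debugging the OIDC_SCOPE value in the Rode UI configuration.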
