Social: Microsoft - Enable single-tenant app registrations by Exordian · Pull Request #11207 · keycloak/keycloak

Exordian · 2022-04-09T20:31:17Z

This change allows the usage of "single-tenant" App Registrations on Azure AD.

Microsoft distinguishes between single-tenant and multi-tenant app registrations.
Usually, enterprise companies would rather like to use so called "single-tenant" app registrations instead of multi-tenant app registrations [1], as they're limited to users in their tenant.
Since 2018, Microsoft disallowed the use of the global "/common/" endpoints for single-tenant applications [2]. The usual answer on the internet has been "use the generic oidc provider". While the generic OIDC provider works fine most of the cases, it doesn't work properly when using the "exchange-token" feature of keycloak.

The generic OIDC connector maps user identities to the OIDC subject field "sub" [3], which differs on the same account for every client on Microsoft [4] (OIDC spec refers to the 'pairwise' mode here [5]). However, the microsoft social connector stores the object id of the account in keycloak for federated users [6].

Therefore, while using the token-exchange feature from external to internal tokens, the different "sub" fields per client for the same account leads to mapping problems [7]. The token-exchange provider fails to find the respective user and tries to create a new user with the same mail address, which fails.

This patch allows to use the Microsoft social provider with single-tenant apps, which

makes it easier for admins to configure microsoft federation, if the only need a single-tenant to federate, as they have to configure way less properties compared to the generic OIDC adapter
resolves the token-exchange feature for Microsoft federated users

Related, if you think it's worth to discuss, we should open a seperate issue:
I'd argue that it would also be nice to customize the keycloak id of federated users on the generic oidc provider. Microsoft offers "oid" next to "sub" in their access tokens to get the object id of an Azure user.

[1] https://docs.microsoft.com/en-us/azure/active-directory/develop/single-and-multi-tenant-apps
[2] https://keycloak.discourse.group/t/how-to-configure-microsoft-identity-provider-with-single-tenant/11741 https://lists.jboss.org/pipermail/keycloak-user/2019-February/017254.html
[3] https://github.com/keycloak/keycloak/blob/main/services/src/main/java/org/keycloak/broker/oidc/OIDCIdentityProvider.java#L651
[4] https://stackoverflow.com/questions/52876679/the-sub-claim-value-is-different-between-access-and-id-tokens
[5] https://openid.net/specs/openid-connect-core-1_0.html#SubjectIDTypes
[6] https://github.com/keycloak/keycloak/blob/main/services/src/main/java/org/keycloak/social/microsoft/MicrosoftIdentityProvider.java#L80
[7] https://github.com/keycloak/keycloak/blob/main/services/src/main/java/org/keycloak/protocol/oidc/DefaultTokenExchangeProvider.java#L485

Exordian · 2022-04-09T20:32:51Z

Error message on single-tenant app registrations when used with the Microsoft Social provider:

AADSTS50194: Application 'XXX'(YYY) is not configured as a multi-tenant application. Usage of the /common endpoint is not supported for such applications created after '10/15/2018'. Use a tenant-specific endpoint or configure the application to be multi-tenant.

Exordian · 2022-05-03T20:26:06Z

cc @sguilhen ; i hope it's not rude to notify you and ask for a review. Thanks in advance!

I'd argue that the change is quite minimal and you have been the latest RedHatter who worked on the microsoft federation plugin. We'd be very glad if we could ditch our custom plugin again and use the upstream code again for the MS federation plugin

sguilhen · 2022-05-13T18:40:50Z

@Exordian no problem at all - I didn't reply earlier because I was on PTO until today. I'll try to take a look early next week.

Exordian · 2022-06-09T16:42:06Z

@sguilhen ping ;)

sguilhen · 2022-06-10T14:58:12Z

@@ -0,0 +1,25 @@
+package org.keycloak.social.microsoft;


Please add the copyright header to this new file

sguilhen

@Exordian Thanks for the PR! Overall it looks good to me (just missing copyright header), but since it touches the admin console as well I'm asking the UI team to check this too.

sguilhen · 2022-06-10T15:01:42Z

@ssilvert can you review the admin console changes here?

ssilvert · 2022-06-13T19:21:13Z

@sguilhen @Exordian I don't mind accepting these small changes, but we are trying to get away from changing the old admin console.

Furthermore, to accept these changes, I need to see equivalent changes in the new console at keycloak/keycloak-admin-ui.

pedroigor

LGTM, looking at the broker changes.

We also need to run social tests for this one.

pedroigor · 2022-06-14T13:44:24Z

@Exordian Could you please create an issue and link it here by changing your commit to reference it? Please, see other PRs to check how the commit message should look like.

pedroigor · 2022-06-14T13:45:30Z

Started keycloak-build-pipeline/757/.

pedroigor · 2022-06-14T21:15:52Z

Running build #759.

Exordian · 2022-07-17T22:13:49Z

thanks for the review. i hope i find some minutes next week in order to test this change with the new admin UI and create an issue with a similar text as mentioned above.
the copyright headers felt quite inconsistent in keycloak, hence i avoided them. I can also add one, i don't mind too much

pedroigor

@Exordian If you can:

Update commit message to link the corresponding issuer
Add copyright headers as suggested by @sguilhen

Then we are good to go.

magicrobotmonkey · 2023-02-16T18:48:19Z

@Exordian can I help move this forward?

jonkoops · 2023-06-05T09:58:40Z

Superseded by #20699

Fixes keycloak#20695 Closes keycloak#11207

…0699) * Add support for single-tenant mode to Microsoft Identity Provider Fixes #20695 Closes #11207 * Add SocialLoginTest for Microsoft single-tenant variant

Social: microsoft - enable signle-tenant app reg

e89de09

sguilhen reviewed Jun 10, 2022

View reviewed changes

sguilhen requested review from pedroigor and ssilvert June 10, 2022 15:01

pedroigor reviewed Jun 14, 2022

View reviewed changes

stianst assigned pedroigor Aug 26, 2022

pedroigor reviewed Aug 26, 2022

View reviewed changes

Tasssadar mentioned this pull request May 31, 2023

Add support for single-tenant in Microsoft Identity Provider #20695

Closed

Tasssadar mentioned this pull request May 31, 2023

Add support for single-tenant mode to Microsoft Identity Provider #20699

Merged

jonkoops closed this Jun 5, 2023

ssilvert pushed a commit to Tasssadar/keycloak that referenced this pull request Oct 10, 2023

Add support for single-tenant mode to Microsoft Identity Provider

9f4e535

Fixes keycloak#20695 Closes keycloak#11207

pedroigor mentioned this pull request Apr 19, 2024

Cannot verify dynamic issuer with Entra ID (multi-tenant) when linking Entra ID / Microsoft as OpenID Connect identity provider #28662

Closed

2 tasks

Conversation

Exordian commented Apr 9, 2022 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

Exordian commented Apr 9, 2022

Uh oh!

Exordian commented May 3, 2022

Uh oh!

sguilhen commented May 13, 2022

Uh oh!

Exordian commented Jun 9, 2022

Uh oh!

sguilhen Jun 10, 2022

Choose a reason for hiding this comment

Uh oh!

sguilhen left a comment

Choose a reason for hiding this comment

Uh oh!

sguilhen commented Jun 10, 2022

Uh oh!

ssilvert commented Jun 13, 2022

Uh oh!

pedroigor left a comment

Choose a reason for hiding this comment

Uh oh!

pedroigor commented Jun 14, 2022

Uh oh!

pedroigor commented Jun 14, 2022

Uh oh!

pedroigor commented Jun 14, 2022

Uh oh!

Exordian commented Jul 17, 2022

Uh oh!

pedroigor left a comment • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Choose a reason for hiding this comment

Uh oh!

magicrobotmonkey commented Feb 16, 2023

Uh oh!

jonkoops commented Jun 5, 2023

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

7 participants

Exordian commented Apr 9, 2022 •

edited

Loading

pedroigor left a comment •

edited

Loading