
Does it work with ADFS 2012R2 (Active Directory Federation Services)? #77

Closed
rerime opened this issue Feb 18, 2019 · 7 comments

rerime commented Feb 18, 2019

Does it work with ADFS 2012R2 or 2016 (Active Directory Federation Services)?
OAuth 2.0?
Please provide documentation on how to set it up.

@rerime rerime changed the title Does it work it with ADFS (Active Directory Federation Services)? Does it work it with ADFS 2012R2 (Active Directory Federation Services)? Feb 18, 2019
bnfinet (Member) commented Feb 18, 2019

@simongottschlag has recently contributed #68 for ADFS support.

I'm uncertain about support for ADFS 2012R2 specifically, but I think it should work with an oauth.provider: oidc config such as...

oauth:
  provider: oidc
  client_id: yourclientId
  client_secret: ***
  auth_url: https://adfs.example.com/adfs/oauth2/authorize/
  token_url: https://adfs.example.com/adfs/oauth2/token/
  user_info_url: https://adfs.example.com/adfs/userinfo
  scopes:
    - openid
    - email
    - profile
  callback_url: https://auth.example.com/auth

@simongottschlag does that look right to you? ^^

See PR #68 and issue #65 for further discussion.

@rerime please do let us know if that works. I'll leave this open for now.

simongottschlag (Contributor) commented Feb 19, 2019

Hi,

The following works:

vouch:
  logLevel: warning
  listen: 0.0.0.0
  port: 80
  AllowAllUsers: true
  cookie: 
    name: VouchCookie
    domain: example.com
    secure: true
    httpOnly: true
  headers:
    jwt: X-Vouch-Token
    querystring: access_token
    redirect: X-Vouch-Requested-URI
  session:
    name: VouchSession
  jwt:
    secret: secret
    maxAge: 59
oauth:
  provider: adfs
  client_id: clientId
  client_secret: secret
  auth_url: https://adfs.example.com/adfs/oauth2/authorize/
  token_url: https://adfs.example.com/adfs/oauth2/token/
  scopes:
    - openid
    - email
    - profile
  callback_url: https://vouch.example.com/auth

Only tested with ADFS 2016 (v4). You can try the following:

$name = 'vouch'
$environment = 'dev'
$vouchProxyAddr = "https://auth.example.com/auth"
$LoginGroupName = 'VouchUsers'   # placeholder (not in the original snippet): AD group whose members may sign in

$ClientRoleIdentifier = "$name-$environment".ToLower()
$ServerRoleIdentifier = @(
    "$name`://$environment",
    $vouchProxyAddr
)

New-AdfsApplicationGroup -Name "$ClientRoleIdentifier" -ApplicationGroupIdentifier "$ClientRoleIdentifier"
$ADFSApp = Add-AdfsServerApplication -Name "$ClientRoleIdentifier - Server application" -ApplicationGroupIdentifier "$ClientRoleIdentifier" -RedirectUri $ServerRoleIdentifier -Identifier "$ClientRoleIdentifier" -GenerateClientSecret

$params = @{
    Name="$ClientRoleIdentifier - Web API"
    ApplicationGroupIdentifier="$ClientRoleIdentifier"
    Identifier=$ServerRoleIdentifier
    IssueOAuthRefreshTokensTo="AllDevices"
    RefreshTokenProtectionEnabled=$false
    AccessControlPolicyName="Permit specific group"
    AccessControlPolicyParameters=@{
        GroupParameter=$LoginGroupName
    }
}

Add-AdfsWebApiApplication @params

Grant-AdfsApplicationPermission -ClientRoleIdentifier $ClientRoleIdentifier -ServerRoleIdentifier $ServerRoleIdentifier[0] -ScopeNames @('allatclaims','profile','openid')
Write-Output "`r`nPlease write down and save the following Client Secret: $($ADFSApp.ClientSecret)`r`n"

Please note that I've shortened the above down a bit, so I may have missed something. I'm usually issuing claims based on groups as well for kubernetes roles, but it doesn't really matter in this case.

rerime (Author) commented Feb 21, 2019

@simongottschlag All builds have failed.
https://travis-ci.com/vouch/vouch-proxy/builds
Not sure where the release/stable version is.

bnfinet (Member) commented Feb 21, 2019 via email

bnfinet (Member) commented Feb 25, 2019

@rerime do you have any other questions? If not could you please close this issue?

rerime (Author) commented Feb 25, 2019

I was trying to run oauth with Azure AD with the following config file:

provider: oidc
client_id: 
client_secret: 
auth_url: https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/authorize 
token_url: https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token
scopes:
  - openid
  - email
callback_url: https://myapp.example.org/auth

Start docker with
docker run -d -p 9090:9090 --name vouch-proxy -v ${PWD}/config:/config -v ${PWD}/data:/data voucher/vouch-proxy

docker logs {container_id}:

time="2019-02-25T14:53:59Z" level=warning msg="generating random jwt.secret and storing it in config/secret"
time="2019-02-25T14:53:59Z" level=warning msg="generating random session.key"
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x0 pc=0x804e47]

goroutine 1 [running]:
github.com/vouch/vouch-proxy/pkg/cfg.setDefaults()
        /go/src/github.com/vouch/vouch-proxy/pkg/cfg/cfg.go:403 +0x967
github.com/vouch/vouch-proxy/pkg/cfg.init.0()
        /go/src/github.com/vouch/vouch-proxy/pkg/cfg/cfg.go:152 +0x143

Could you provide a valid config as an example, or I can verify it myself.

bnfinet (Member) commented Feb 25, 2019

Is that the entire config? Could you please take a look at the examples in the ./config directory of this code base?
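An added example, not vouch-proxy's own code and not posted by anyone in this thread: a small linter that checks a vouch config for the two kinds of problem the thread turns on, provider keys that are not nested under a top-level oauth: block (as in the Azure AD config above) and permissive settings in an otherwise working config (AllowAllUsers: true, a short placeholder jwt.secret, cookie.secure: false). The parser handles only the indented key/value and list subset used in the configs above, and the sample configs are constructed from the ones posted in this thread.

```python
def parse_yaml_subset(text):
    """Parse the indented 'key: value' / '- item' YAML subset used in vouch configs."""
    lines = [l.rstrip() for l in text.splitlines() if l.strip()]
    pos, indent = 0, lambda l: len(l) - len(l.lstrip())
    def block(level):
        nonlocal pos
        node = None
        while pos < len(lines) and indent(lines[pos]) == level:
            body = lines[pos].strip(); pos += 1
            if body.startswith("- "):  # list item
                node = node if isinstance(node, list) else []
                node.append(body[2:].strip())
            else:  # mapping entry; an empty value followed by deeper indent opens a nested block
                node = node if isinstance(node, dict) else {}
                key, _, val = body.partition(":")
                nested = not val.strip() and pos < len(lines) and indent(lines[pos]) > level
                node[key.strip()] = block(indent(lines[pos])) if nested else val.strip()
        return node
    return block(0) or {}

def lint_vouch_config(text):
    """Return findings for a vouch-proxy config; an empty list means nothing to report."""
    cfg, findings = parse_yaml_subset(text), []
    oauth = cfg.get("oauth")
    if not isinstance(oauth, dict):  # provider keys left at top level never populate cfg.oauth
        return ["no top-level 'oauth:' block; provider settings must be nested under it"]
    for k in ("provider", "client_id", "client_secret", "auth_url", "token_url", "callback_url"):
        if not oauth.get(k):
            findings.append(f"oauth.{k} is empty")
        elif k.endswith("url") and not oauth[k].startswith("https://"):
            findings.append(f"oauth.{k} is not https")
    vouch = cfg.get("vouch") or {}
    if str(vouch.get("AllowAllUsers")).lower() == "true":
        findings.append("vouch.AllowAllUsers is true: every account the IdP authenticates is admitted")
    if str((vouch.get("cookie") or {}).get("secure")).lower() == "false":
        findings.append("vouch.cookie.secure is false: the session cookie may travel over plain HTTP")
    secret = (vouch.get("jwt") or {}).get("secret", "")
    if 0 < len(secret) < 16:  # empty means vouch generates a random secret at startup
        findings.append("vouch.jwt.secret is a short literal; use a long random value")
    return findings

NESTED = "\n".join([  # constructed, modelled on the working ADFS config posted above
    "vouch:", "  AllowAllUsers: true", "  cookie:", "    secure: true", "  jwt:", "    secret: secret",
    "oauth:", "  provider: adfs", "  client_id: clientId", "  client_secret: secret", "  scopes:", "    - openid",
    "  auth_url: https://adfs.example.com/adfs/oauth2/authorize/",
    "  token_url: https://adfs.example.com/adfs/oauth2/token/", "  callback_url: https://vouch.example.com/auth"])
FLAT = "\n".join([  # constructed, modelled on the Azure AD config posted above (keys not under oauth:)
    "provider: oidc", "client_id:", "client_secret:", "callback_url: https://myapp.example.org/auth",
    "auth_url: https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/authorize",
    "token_url: https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"])
```

Running lint_vouch_config(FLAT) reports the missing oauth: block, and lint_vouch_config(NESTED) reports AllowAllUsers and the placeholder jwt.secret while accepting the rest.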

@bnfinet bnfinet closed this as completed Aug 7, 2019