Import users for OIDC authmethod

mwieczorek · April 29, 2021, 3:29pm

I’m using Boundary v0.2.0 and would like to add OIDC authmethod and leave it as non-default, so users won’t be created automatically during the first ‘authenticate’. Instead of I’d like to control how I ‘import’ users, add to groups etc (using API)

I know I can add users/accounts and ‘link’ them together. I have a problem with the subject for the account.

If I use Auth0 - I can do it because sub in the token is set to userId from Auth0.
But for Azure AD (my preferred OIDC provider) it’s not possible to get sub for the user because it’s unique for each Azure AD Application (the same user will have a different sub for different Application), and not possible to get using MS Graph API.

Is there any ‘workaround’ now (or potentially in the future) to add users/accounts related to Azure AD by API without having the sub?
Or the only way to do it (today and in the future) is to set the Azure AD OIDC authmethod as the primary authmethod, wait until the user will ‘authenticate’ for the first time, and then properly ‘manipulate’ user/account/group (what won’t be the best UX)?

jimlambrt · April 29, 2021, 7:29pm

Good afternoon! Thank you for posting this question. You’re correct the current workflow is less than ideal and it’s something we want to address. For now, the only solution is the one you referenced: make the auth method the primary auth method.

mwieczorek · April 30, 2021, 3:11pm

That’s great it will be improved in the future.
Just curious, do you already know how it can be changed? I mean will the ‘subject’ be not required when creating an account (because as I wrote it’s not possible to get it from AAD)?
Also, is it worth creating an issue in the Boundary Github repo? To make it more visible to people looking for a solution there. Do you make any backlog prioritizing based on the issues created and ‘voted’ by people outside of boundary dev team?

jimlambrt · May 1, 2021, 1:50pm

github.com/hashicorp/boundary

OIDC: add support for account claim maps

Account claim maps are optional claim maps from custom claims to the standard claims of sub, name and email. These maps are represented as key=value where the key equals the from_claim and the value equals the to_claim. For example "oid=sub". We've added this new feature to support Providers like Azure, which have non-deterministic/discoverable subjects claims. Azure for instance, provides no method to determine a user's subject within a relying party unless you have the user's id_token. This makes it impossible to pre-provision Azure oidc accounts within Boundary unless you support mapping some other discoverable claim to the account's subject. Here is where account claim maps come to play.

hashicorp:main ← hashicorp:jimlambrt-oidc-acct-claim-map

opened 01:49PM - 01 May 21 UTC

jimlambrt

+1308 -185

jimlambrt · May 4, 2021, 11:18am

Please note the PR description which highlights that you can’t change how the “sub” claim is mapped once the auth-method is created: https://github.com/hashicorp/boundary/pull/1186#issue-628436510

mwieczorek · May 5, 2021, 9:22am

Thanks, that was really fast!
I built boundary from main branch, created auth-method with "oid=sub" claim mapping but getting error like:

upsertAccount%3A+mapping+%27claim%27+oid+to+account+subject+and+it+is+not+present+in+ID+Token%3A+unknown%3A+error+%230"%7D

It’s not indeed in id token, to get it we need to have ‘profile’ scope (Microsoft identity platform ID tokens - Microsoft identity platform | Microsoft Docs),

Request to
https://login.microsoftonline.com//oauth2/v2.0/authorize contains only scope=openid

I tried and modified the scope (adding profile) and it worked.
I don’t know if “scope=openid profile” should be added by default or also configured.

jimlambrt · May 5, 2021, 10:33am

 -claims-scopes=<string>
      The optional claims scope requested. May be specified multiple times.

jimlambrt · May 5, 2021, 10:36am

There’s one more PR you may be interested in, which makes all OIDC Callback URLs deterministic. FYI, all of this will be included in the 0.2.1. release.

mwieczorek · May 5, 2021, 11:04am

thank you!
I missed that because I was hacking the 0.2.0 version instead of the built one…
and yes, I’ve already seen change in callback URL pattern
All of that is making OIDC much simpler to set up.