Azure Native Authentication Method #1833

Merged
merged 12 commits into from
May 27, 2024
Conversation

dangtony98
Collaborator

@dangtony98 dangtony98 commented May 15, 2024

Description 📣

This PR adds the new Azure authentication method to Identities.

With this method, Azure resources like Azure VMs avoid secret zero by not needing to store an additional token to authenticate with Infisical. Instead, they can use their managed identity access tokens to prove their identity to Infisical — this works by relaying the managed identity access token through Infisical to be verified against the public key at the Azure AD OpenID configuration endpoint; if successful and certain allow conditions are met, then the entity is considered authenticated and an access token granting access to the Infisical API is returned.

Workflow:

  1. The operator sets up the Azure authentication method in Infisical. As part of the setup, they specify what Service Principal IDs can be trusted. They also specify the Tenant ID and (optional) Audience param included in the managed identity access tokens as part of the authentication method configuration.
  2. The operator programs the client application in Azure to retrieve its managed identity access token and send it to the /api/v1/auth/azure-auth/login endpoint, with the identityId that it is authenticating as and the jwt as params (in practice this would likely be done via SDK or other client, but it can also be done manually).
  3. Infisical verifies the JWT token using the public key obtained from the Azure AD OpenID configuration endpoint.
  4. If successful, then Infisical checks the returned identity service principal ID (the oid field of the JWT payload) against the Allowed Service Principal IDs defined in step 1.
  5. If successful, then Infisical returns an identity access token (similar to Universal Auth).

Note: The Azure authentication method will require additional engineering work for clients like Infisical Agent and SDKs to support it.

Type ✨

  • Bug fix
  • New feature
  • Breaking change
  • Documentation

@dangtony98 dangtony98 marked this pull request as draft May 15, 2024 23:33
@dangtony98 dangtony98 marked this pull request as ready for review May 16, 2024 06:23
@dangtony98 dangtony98 requested a review from maidul98 May 16, 2024 06:23
Collaborator

@DanielHougaard DanielHougaard left a comment

Looks great, I've left out any nits and only commented on important things.

Collaborator

@DanielHougaard DanielHougaard left a comment

One last comment!

DanielHougaard
DanielHougaard previously approved these changes May 20, 2024
@dangtony98 dangtony98 merged commit b9782c1 into main May 27, 2024
6 checks passed