OAuth with Azure AD?


#1

Hello,

I have a local docker-compose-based setup to test authentication against Azure AD (Office365). On the Azure AD side, I created a Concourse application and set http://localhost/sky/issuer/callback and https://127.0.0.1/sky/issuer/callback as reply URLs.

In the docker-compose.yml, I have the following environment variables configured:

    - CONCOURSE_OAUTH_DISPLAY_NAME='Our Office 365'
    - CONCOURSE_OAUTH_CLIENT_ID=<redacted client id>
    - CONCOURSE_OAUTH_CLIENT_SECRET=<redacted client secret>
    - CONCOURSE_OAUTH_AUTH_URL=https://login.microsoftonline.com/<redacted app id>/oauth2/authorize
    - CONCOURSE_OAUTH_TOKEN_URL=https://login.microsoftonline.com/<redacted app id>/oauth2/token
    - CONCOURSE_MAIN_TEAM_OAUTH_USER=my.redacted@email.com

When trying to log in with my email address, I go through the flow and end up with the following error in Concourse:

    Internal Server Error:
    Failed to return user's identity.

I assume I'm missing some setting like CONCOURSE_OAUTH_SCOPE, but I don’t know which value to use for Azure AD. Can anyone help?

Ringo


#2

A few hours later, I made a bit of progress by switching to OpenID Connect:

    - CONCOURSE_OIDC_DISPLAY_NAME='Our Office 365'
    - CONCOURSE_OIDC_CLIENT_ID=<redacted client id>
    - CONCOURSE_OIDC_CLIENT_SECRET=<redacted client secret>
    - CONCOURSE_OIDC_ISSUER=https://login.microsoftonline.com/<redacted tenant id>/v2.0
    - CONCOURSE_OIDC_SCOPE=openid,email,profile
    - CONCOURSE_MAIN_TEAM_OIDC_USER=my.redacted@email.com

I can log in with my email on the web portal, but a fly login on this locally running Concourse still fails. So at the moment, I’m still unable to verify whether I’m part of the main team.