You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
I agree to follow the Code of Conduct that this project adheres to.
I have searched the issue tracker for an issue that matches the one I want to file, without success.
Problem Description
In many corporate environments, it is a common pattern to implement a MITM firewall for outgoing connections. For the "microsoft" connector, connectivity from a Dex installation to Entra ID needs to traverse to https://login.microsoftonline.com/<TENANT>.onmicrosoft.com/... to request the bearer token as part of the authorisation flow.
The corporate firewall has a MITM proxy so it can do traffic inspection. However by doing so, the TLS connection is terminated early with a replacement CA of the organisation's internal PKI.
Proposed Solution
It seems that the Dex microsoft connector is missing support for two features to make this possible:
Support for Custom CAs - level=error msg="Failed to authenticate: microsoft: failed to get token: Post \"https://login.microsoftonline.com/xxxxx.onmicrosoft.com/oauth2/v2.0/token\": tls: failed to verify certificate: x509: certificate signed by unknown authority"
I believe RootCA has been implemented in other connectors, but not this one.
Support for http_proxy
This can be worked around by forcing a http[s]_proxy env variable into the container, but is not ideal as it affects the whole dex installation. It would be preferable if this is also part of the connector config.
Alternatives Considered
No response
Additional Information
No response
The text was updated successfully, but these errors were encountered:
Preflight Checklist
Problem Description
In many corporate environments, it is a common pattern to implement a MITM firewall for outgoing connections. For the "microsoft" connector, connectivity from a Dex installation to Entra ID needs to traverse to
https://login.microsoftonline.com/<TENANT>.onmicrosoft.com/...to request the bearer token as part of the authorisation flow.The corporate firewall has a MITM proxy so it can do traffic inspection. However by doing so, the TLS connection is terminated early with a replacement CA of the organisation's internal PKI.
Proposed Solution
It seems that the Dex microsoft connector is missing support for two features to make this possible:
Support for Custom CAs -
level=error msg="Failed to authenticate: microsoft: failed to get token: Post \"https://login.microsoftonline.com/xxxxx.onmicrosoft.com/oauth2/v2.0/token\": tls: failed to verify certificate: x509: certificate signed by unknown authority"I believe RootCA has been implemented in other connectors, but not this one.
Support for http_proxy
This can be worked around by forcing a
http[s]_proxyenv variable into the container, but is not ideal as it affects the whole dex installation. It would be preferable if this is also part of the connector config.Alternatives Considered
No response
Additional Information
No response
The text was updated successfully, but these errors were encountered: