Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Microsoft Entra ID authentication with multi-tenancy #14803

Merged
merged 6 commits into from
Apr 6, 2024

Conversation

gvkries
Copy link
Contributor

@gvkries gvkries commented Dec 1, 2023

Fixes Microsoft Entra ID authentication for multi-tenant app registrations by adding missing token validation.

Fixes #14802

@sebastienros
Copy link
Member

@MichaelPetrinolis what do you think?

@MichaelPetrinolis
Copy link
Contributor

@sebastienros when someone registers an AAD application for accounts in any organizational directory, he allows anyone with an AAD account to authenticate through this app.

@gvkries I think that we should also define the audiences (tenants) we wish to give access to the OC site and validate for those audiences, otherwise anyone with an enterprise Microsoft account could authenticate and then the script could potentially assign app roles to him.

If needed, an option to allow any tenant should be explicitly selected by the admin when configuring Microsoft Entra ID, but we should clearly state the consequences and provide an example with a secure script to assign roles (check the issuer of the claims etc.)

//cc: @kevinchalet what are your thoughts on this?

@gvkries
Copy link
Contributor Author

gvkries commented Dec 18, 2023

This PR just fixes the missing validation when multiple Azure AD tenants should be allowed. It must be explicitly configured in the Orchard configuration by setting the tenant ID to "common", so it has no security implications by default.

Configuring the allowed tenants would be a nice addition, but in many cases this is not the intention. We want to allow any user to register with their organization account the same way as with personal Microsoft (or other) accounts. It is also already possible to use the registration script to configure allowed tenants, by inspecting the tenant ID claim.

@MichaelPetrinolis
Copy link
Contributor

@gvkries it is nice that to enable it apart from configuring the App Registration in Entra ID you must also explicitly configure OC (we should update the docs about setting the value 'common' to TenantId). My concern is that we should also make it clear to anyone who enables the feature to correctly configure any role assignments through script or code with additional checks to avoid any security side effects. Unfortunately, it is not possible for the moment to deny login with the IExternalLoginEventHandler interface.
Indeed, configuring a valid audience (list of allowed tenants) could be another PR unless Entra ID already supports it.

@gvkries
Copy link
Contributor Author

gvkries commented Dec 18, 2023

@MichaelPetrinolis that is true, one cannot deny login with the script. I'm not that concerned about the login script, because it also must be explicitly written by an admin. There are no defaults that assign any roles at all, even the app registration must be configured manually before. Anyone configuring the authentication/registration settings are already exposed to a lot of possibly dangerous settings and hopefully know what they are doing. But documentation is always a good thing 😊

Copy link
Member

@Piedone Piedone left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

A couple of questions, but otherwise I like this. When addressing review feedback, please adhere to the following:

  • Apply code suggestions directly so the reviewer doesn't have to eyeball the changes. These resolve themselves after applying them, that's fine.
  • Don't resolve other conversations so it's easier to track for the reviewer. Then, the reviewer will resolve them.
  • Feel free to mark conversations that you addressed to keep track of them with an emoji or otherwise, just don't resolve them.
  • Please keep conversations happening in line comment in those convos, otherwise communication will be a mess. If you have trouble finding them, see this video.
  • Please click "Re-request review" in the top-right corner for each reviewer when you're ready for another round of review, so they know that you're done.

@gvkries gvkries force-pushed the gvkries/ms-auth-14802 branch from 270a439 to eed022d Compare April 3, 2024 07:30
@gvkries gvkries requested a review from Piedone April 3, 2024 07:59
gvkries and others added 3 commits April 3, 2024 15:59
Co-authored-by: Zoltán Lehóczky <zoltan.lehoczky@lombiq.com>
Co-authored-by: Zoltán Lehóczky <zoltan.lehoczky@lombiq.com>
@Piedone
Copy link
Member

Piedone commented Apr 6, 2024

Please don't forget to re-request review from the top-right corner, otherwise reviewers won't know that you're done.

@Piedone Piedone merged commit b6acaef into OrchardCMS:main Apr 6, 2024
4 checks passed
@Piedone
Copy link
Member

Piedone commented Apr 6, 2024

Great, thank you!

@gvkries gvkries deleted the gvkries/ms-auth-14802 branch April 6, 2024 11:57
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Multi-tenant Microsoft Entra ID authentication not working
4 participants