Kubernetes and AAD authentication

7/10/2018

On a configured AKS cluster there is a Docker container with an application that is using AAD authentication.

Based on this article, an ingress is also configured. The API is working well.

When I add a reply URL with an https prefix to the Azure Active Directory application registration, I receive the error "The reply url specified in the request does not match the reply urls configured for the application". And I see that in the browser address line the redirect_uri starts with http.

When I add a reply URL that starts with http, I receive "Exception: Correlation failed".

What I have tried: adding the setting ingress.kubernetes.io/force-ssl-redirect: "true" to ingress.yaml

Maybe there is some way to force the ingress to run https instead of http, or there might be some AAD redirect configuration? Any ideas?

UPDATE 2: Probably the http redirect is because of ADAL.

PS: I was able to find a similar topic without an answer.

UPDATE 3: I have decided not to use nginx as the ingress. Instead I am now using a Load balancer. Soon it will be possible to use the Azure Application Gateway Ingress Controller.

-- Alexej Sommer
azure-active-directory
azure-kubernetes
kubernetes-ingress

2 Answers

7/12/2018

Have you tried this?

By default the controller redirects HTTP clients to the HTTPS port 443 using a 308 Permanent Redirect response if TLS is enabled for that Ingress.

This can be disabled globally using ssl-redirect: "false" in the NGINX config map, or per-Ingress with the nginx.ingress.kubernetes.io/ssl-redirect: "false" annotation in the particular resource.

More information on this is on the Ingress documentation link.

-- Mihail Stancescu
Source: StackOverflow

7/29/2018

You have to make a decision whether to use HTTPS or not. If this is just the start of a development cycle, start without it and get auth to work - but implement HTTPS as soon as possible.

AAD supports both http and https, but of course, the reply urls must be added to the application registration respectively.

As @mihail-stancescu says, ssl-redirect must be set to false, if you choose not to use HTTPS. In addition to this, you also have to ensure that your app does not make the redirect from HTTP to HTTPS.

Using curl with -L -k and -v options will give you a lot of information on what is actually happening with your requests.

When the http/https thing is solved, you have to remove any rewrite annotations you have in your ingress. (e.g. ingress.kubernetes.io/rewrite-target: / should be removed).

Now, if your ingress path to the service in question is e.g. /myservice, then the reply URL should also have that part of the path added ([host]/myservice/signin-oidc) - both in the AAD application registration and in the configuration of your app. (The path in the config should not contain the host.)

If you are using https, then you must also have a proper certificate. You can use the free LetsEncrypt (https://letsencrypt.org/) in conjunction with KubeLego (https://github.com/jetstack/kube-lego), where you can find some nice examples on how to implement it.

-- TechnoCowboy
Source: StackOverflow
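As an added example (not part of either answer), the Python below checks the point both answers make: the redirect_uri the app sends to AAD must exactly match a registered reply URL in scheme (the http-vs-https problem in the question) and path (the /myservice prefix). The Location header and hostnames are constructed sample values; in practice the header comes from running curl -v against the ingress.

```python
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlsplit


def extract_redirect_uri(location: str) -> Optional[str]:
    """Return the redirect_uri parameter from the Location header the app
    sends when it bounces an unauthenticated browser to the AAD authorize URL."""
    values = parse_qs(urlsplit(location).query).get("redirect_uri")
    return values[0] if values else None


def diagnose_reply_url(location: str, registered: List[str]) -> Dict[str, object]:
    """Compare the redirect_uri actually sent with the reply URLs registered
    in AAD. AAD requires an exact match of scheme, host and path, so the
    report names which part differs and the usual ingress/app cause."""
    sent = extract_redirect_uri(location)
    if sent is None:
        return {"redirect_uri": None, "match": False,
                "problems": ["no redirect_uri in Location header"]}
    if sent in registered:
        return {"redirect_uri": sent, "match": True, "problems": []}
    s = urlsplit(sent)
    problems: List[str] = []
    same_host = [urlsplit(r) for r in registered if urlsplit(r).netloc == s.netloc]
    for r in same_host:
        if s.scheme != r.scheme:
            problems.append(f"scheme mismatch: app sent {s.scheme} but {r.scheme} is "
                            "registered (TLS ends at the ingress, app still sees http)")
        if s.path != r.path:
            problems.append(f"path mismatch: app sent {s.path} but {r.path} is "
                            "registered (ingress prefix/rewrite-target dropped)")
    if not same_host:
        problems.append(f"no registered reply URL uses host {s.netloc}")
    return {"redirect_uri": sent, "match": False, "problems": problems}


# Constructed sample: what a 302 from an app behind a TLS-terminating ingress
# might carry when the app itself only sees plain http (hostname is hypothetical).
SAMPLE_LOCATION = ("https://login.microsoftonline.com/common/oauth2/authorize"
                   "?client_id=00000000-0000-0000-0000-000000000000"
                   "&redirect_uri=http%3A%2F%2Fapp.example.com%2Fsignin-oidc"
                   "&response_type=id_token&scope=openid")
REGISTERED = ["https://app.example.com/myservice/signin-oidc"]

if __name__ == "__main__":
    for line in diagnose_reply_url(SAMPLE_LOCATION, REGISTERED)["problems"]:
        print(line)
```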