Send the resource parameter in the authentication URL for the Azure OAuth2 integration
Problem to solve
GitLab's current authentication integration with Azure OAuth2, which uses the omniauth-azure-oauth2 gem, does not support sending a resource parameter in the /authorize URL to Azure AD. This is necessary for some customers to apply conditional access policies for users authenticating through Azure AD.
From the customer in ticket https://gitlab.zendesk.com/agent/tickets/147570 (internal use only)
The conditional access rule in AzureAD requires MFA outside of your company network, and within our company network the MFA must not be fulfilled. And due to the fact that the resource id is not sent as a URL parameter, AzureAD does not prompt for MFA and we got the error message that
Could not authenticate you from AzureOauth2 because "Interaction required: aadsts50076: due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access
Intended users
Further details
This issue proposes supporting the resource parameter when authenticating through the Azure OAuth2 provider. It is unclear whether this is not supported because of the processing of Azure OAuth parameters in GitLab, or because the gem we use doesn't support sending the resource parameter.
The gem does mention passing the resource parameter as a setting. This would be passed outside of the TenantInfo, which is defined in the args block of the Azure config in the gitlab.rb file. Anything passed outside the args block isn't currently passed on to the OmniAuth strategy gem for the provider. This could be the cause, but it could also be that the gem we use doesn't support passing the resource parameter in the URL.
Microsoft Docs for OAuth 2.0 code grant flow
Proposal
- Support passing the resource parameter to the Devise config for the Azure OmniAuth provider (outside of the args block) and see if that change results in passing this parameter in the URL to Azure.
- If the above strategy doesn't solve the issue, it may be the case that the gem used in this integration does not support passing the resource parameter directly in the URL to Azure.
Permissions and Security
Configuration would be set in the GitLab configuration file by an administrator. This integration is available on all tiers.
Documentation
Change docs for Azure OAuth2: https://docs.gitlab.com/ee/integration/azure.html
Availability & Testing
OmniAuth Initializer Spec: https://gitlab.com/gitlab-org/gitlab/-/blob/v12.9.2-ee/spec/lib/gitlab/omniauth_initializer_spec.rb
OmniAuth Specs: https://gitlab.com/gitlab-org/gitlab/-/tree/v12.9.2-ee/spec/lib/gitlab/auth
What does success look like, and how can we measure that?
The resource parameter is passed to Azure successfully in the /authorize URL as part of the authentication process. This should support MFA.
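As an added example (not GitLab's or the omniauth-azure-oauth2 gem's code), the Ruby below builds the Azure AD /authorize URL with and without the resource parameter and checks an observed redirect for it, which is the success criterion above. The endpoint shape is the Azure AD v1 authorization code grant; the tenant, client id and redirect URI are constructed placeholders.

```ruby
require 'uri'
require 'cgi'

# Hypothetical helper, not GitLab or omniauth-azure-oauth2 code. Builds the
# Azure AD (v1 endpoint) authorization URL for the authorization code grant,
# optionally including the resource parameter discussed in this issue.
AZURE_LOGIN_BASE = 'https://login.microsoftonline.com'.freeze

def azure_authorize_url(tenant_id:, client_id:, redirect_uri:, state:, resource: nil)
  params = {
    'client_id'     => client_id,
    'response_type' => 'code',
    'redirect_uri'  => redirect_uri,
    'state'         => state
  }
  # Without this line the request matches what the customer reports:
  # no resource is sent to Azure AD in the /authorize URL.
  params['resource'] = resource unless resource.nil?
  "#{AZURE_LOGIN_BASE}/#{tenant_id}/oauth2/authorize?#{URI.encode_www_form(params)}"
end

# Returns the value of the resource parameter in an observed authorization
# redirect (for example, copied from the browser address bar or a reverse
# proxy access log after a fix is deployed), or nil when it is absent.
def resource_param(url)
  query = URI.parse(url).query.to_s
  CGI.parse(query).fetch('resource', []).first
end

# Constructed sample values, not taken from the issue or the ticket.
if $PROGRAM_NAME == __FILE__
  url = azure_authorize_url(
    tenant_id: 'contoso.onmicrosoft.com',                # placeholder tenant
    client_id: '00000000-0000-0000-0000-000000000000',   # placeholder client id
    redirect_uri: 'https://gitlab.example.com/users/auth/azure_oauth2/callback',
    state: 'opaque-state',
    resource: 'https://graph.microsoft.com'
  )
  puts url
  puts "resource present: #{!resource_param(url).nil?}"
end
```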
What is the type of buyer?
The Azure OAuth2 integration is supported on all tiers.
Is this a cross-stage feature?
I don't think so, just authentication