AshAuthentication trusted audiences

Hello, I'm in the process of deploying a multi-tenant application internally in my company. I'm authenticating users against Microsoft Entra ID using the OAuth2 strategy. We have two tenants that I need to allow users to authenticate from and wish to use the trusted_audiences to ensure that a user signs in from one of the tenants, but reject all others. I have set it up as described in the docs, but when I test it locally by only allowing a "fake" audience in the list of trusted audiences, I'm still authorized to login. Do I have to do anything else to make this work, or have I misunderstood something?
authentication do
  strategies do
    oauth2 :azure do
      base_url MyApp.Domain.Account.Secrets
      user_url MyApp.Domain.Account.Secrets
      token_url MyApp.Domain.Account.Secrets
      authorize_url MyApp.Domain.Account.Secrets
      redirect_uri MyApp.Domain.Account.Secrets
      client_id MyApp.Domain.Account.Secrets
      client_secret MyApp.Domain.Account.Secrets
      trusted_audiences MyApp.Domain.Account.Secrets # <- Getting a list of trusted audiences
      authorization_params scope: "email profile openid"
      registration_enabled? true

      identity_relationship_name :user_identity
      identity_resource MyApp.Domain.Account.UserIdentity
    end
  end

  tokens do
    enabled? true
    token_lifetime {24, :hours}
    store_all_tokens? true
    require_token_presence_for_authentication? true
    session_identifier :jti
    token_resource MyApp.Domain.Account.UserToken
    signing_secret MyApp.Domain.Account.Secrets
  end
end
7 Replies
ZachDaniel•4mo ago
Hm...I'm not really sure how trusted audiences work. @jart?
triptoeOP•4mo ago
It could be that I don't either 😅 I just assumed that it would only allow those specified.
jart•4mo ago
Honestly no idea. We just pass the options through to assent to use.
triptoeOP•4mo ago
Aha, I see. After a short search in the assent Github repo, it seems like it's only actually being used for the OIDC strategy. https://github.com/search?q=repo%3Apow-auth%2Fassent%20trusted_audiences&type=code
triptoeOP•4mo ago
So if I wish to do some kind of custom validation (after the strategy has completed), where's the best way to put it? As a change function in my :register_with_azure create action, or would you just put it in the auth_controller callback?
Solution
triptoe•4mo ago
So it seems like my options are:
1. Change to using the OIDC strategy. Supports trusted_audiences but struggles with using the /common/.well-known/openid-configuration endpoint because it contains a placeholder {tenantid} in its issuer which is not supported natively by assent. This causes the issuer validation to fail, because the issuer in my token contains my real tenant-id. Could work, but requires a custom strategy?
2. Continue with using the OAuth2 strategy. Works out of the box with multi-tenant applications, but needs to implement a custom trusted_audience handler either as a change function or in the auth controller success callback (and then deny access unless the audience matches an allow-list).
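The second option above, written out as an added example (not code from the thread, AshAuthentication or Assent): an Ash change for the OAuth2 strategy's register action that reads the id_token Entra ID returns alongside the access token and rejects the sign-in unless its tenant is on an allow-list. It checks the `tid` claim rather than `aud`, because in a multi-tenant Entra app `aud` is the same client id for every tenant and so cannot distinguish them. The module name, the `:trusted_tenants` config key and the placeholder tenant id are assumptions.

```elixir
defmodule MyApp.Domain.Account.Changes.RequireTrustedTenant do
  @moduledoc """
  Added example: deny registration/sign-in through the `:azure` OAuth2 strategy
  unless the id_token's `tid` (tenant id) claim is in the allow-list.
  Attach it to the register action, e.g. `change MyApp.Domain.Account.Changes.RequireTrustedTenant`.
  """
  use Ash.Resource.Change

  # Assumed config key; the value is a constructed placeholder tenant id.
  @allowed_tenants Application.compile_env(:my_app, :trusted_tenants, [
                     "00000000-0000-0000-0000-000000000000"
                   ])

  @impl true
  def change(changeset, _opts, _context) do
    # The OAuth2 strategy passes the token response as the :oauth_tokens argument.
    tokens = Ash.Changeset.get_argument(changeset, :oauth_tokens) || %{}

    with {:ok, id_token} <- Map.fetch(tokens, "id_token"),
         {:ok, claims} <- peek_claims(id_token),
         %{"tid" => tid} when is_binary(tid) <- claims,
         true <- tid in @allowed_tenants do
      changeset
    else
      # Missing id_token, unparsable token, missing tid or unknown tenant all deny.
      _ ->
        Ash.Changeset.add_error(changeset, "sign-in tenant is not in the trusted list")
    end
  end

  # The id_token was fetched by this server straight from the token endpoint over
  # TLS with the client secret, so the claims are read without a second signature
  # check here (the OAuth2 strategy itself performs none either). Anything that
  # does not parse as a JWT is treated as a failure.
  defp peek_claims(jwt) do
    %JOSE.JWT{fields: claims} = JOSE.JWT.peek_payload(jwt)
    {:ok, claims}
  rescue
    _ -> :error
  end
end
```

The same check can instead go in the auth controller's success callback; the change-function placement has the advantage that a rejected tenant never gets a user or identity record created.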
ZachDaniel
ZachDaniel•4mo ago
Yeah that sounds correct to me