Ash Framework
7mo ago
9 replies
triptoe

AshAuthentication trusted audiences

Hello, I'm in the process of deploying a multi-tenant application internally in my company. I'm authenticating users against Microsoft Entra ID using the OAuth2 strategy. We have two tenants that I need to allow users to authenticate from and wish to use the trusted_audiences to ensure that a user signs in from one of the tenants, but reject all others.

I have set it up as described in the docs, but when I test it locally by only allowing a "fake" audience in the list of trusted audiences, I'm still authorized to login. Do I have to do anything else to make this work, or have I misunderstood something?

  authentication do
    strategies do
      oauth2 :azure do
        base_url MyApp.Domain.Account.Secrets
        user_url MyApp.Domain.Account.Secrets
        token_url MyApp.Domain.Account.Secrets
        authorize_url MyApp.Domain.Account.Secrets
        redirect_uri MyApp.Domain.Account.Secrets
        client_id MyApp.Domain.Account.Secrets
        client_secret MyApp.Domain.Account.Secrets
        trusted_audiences MyApp.Domain.Account.Secrets  # <- Getting a list of trusted audiences
        authorization_params scope: "email profile openid"
        registration_enabled? true

        identity_relationship_name :user_identity
        identity_resource MyApp.Domain.Account.UserIdentity
      end
    end

    tokens do
      enabled? true
      token_lifetime {24, :hours}
      store_all_tokens? true
      require_token_presence_for_authentication? true
      session_identifier :jti
      token_resource MyApp.Domain.Account.UserToken
      signing_secret MyApp.Domain.Account.Secrets
    end
  end
Solution
So it seems like my options are:
1. Change to using the OIDC strategy. It supports trusted_audiences but struggles with using the /common/.well-known/openid-configuration endpoint because it contains a placeholder {tenantid} in its issuer, which is not supported natively by assent. This causes the issuer validation to fail, because the issuer in my token contains my real tenant-id.
Could work, but requires a custom strategy?

2. Continue with using the OAuth2 strategy. Works out of the box with multi-tenant applications, but requires implementing a custom trusted_audience handler either as a change function or in the auth controller success callback (and then denying access unless the audience matches an allow-list).
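One way to implement option 2 as a change function, added here as an example and not code from the thread or from AshAuthentication: for an Entra ID multi-tenant app the `aud` claim of the ID token is the app's own client_id in every tenant, so the tenant allow-list is checked against the `tid` claim instead. It assumes the action carries AshAuthentication's `oauth_tokens` argument, that the `openid` scope was requested so an `id_token` is present, and that `:trusted_tenant_ids` in app config is a list of tenant GUIDs (module name, config key and error wording are assumptions).

```elixir
defmodule MyApp.Domain.Account.Changes.RequireTrustedTenant do
  # Added example, not code from the thread or from AshAuthentication.
  # Assumes the action carries AshAuthentication's `oauth_tokens` argument,
  # that the `openid` scope was requested (so an `id_token` is present), and
  # that `:trusted_tenant_ids` in app config is a list of Entra tenant GUIDs.
  use Ash.Resource.Change

  @impl true
  def change(changeset, _opts, _context) do
    tokens = Ash.Changeset.get_argument(changeset, :oauth_tokens) || %{}
    allowed = Application.get_env(:my_app, :trusted_tenant_ids, [])

    case tenant_id(tokens["id_token"]) do
      {:ok, tid} ->
        if tid in allowed,
          do: changeset,
          else: reject(changeset, "sign-in from tenant #{tid} is not allowed")

      :error ->
        reject(changeset, "no usable id_token in the token response")
    end
  end

  # Reads the `tid` (tenant) claim from the ID token payload. The token was
  # obtained by the server directly from Entra's token endpoint during the
  # code exchange, which is why its claims are read here without re-verifying
  # the signature; if a token could ever arrive from the browser instead,
  # verify it against the tenant's JWKS before trusting any claim.
  defp tenant_id(id_token) when is_binary(id_token) do
    with [_header, payload, _signature] <- String.split(id_token, "."),
         {:ok, json} <- Base.url_decode64(payload, padding: false),
         {:ok, %{"tid" => tid}} when is_binary(tid) <- Jason.decode(json) do
      {:ok, tid}
    else
      _ -> :error
    end
  end

  defp tenant_id(_), do: :error

  # Attaching the error makes the register/sign-in action fail, so no user
  # record is upserted and no session token is issued for that tenant.
  defp reject(changeset, message) do
    Ash.Changeset.add_error(changeset, field: :oauth_tokens, message: message)
  end
end
```

Wire it in with `change MyApp.Domain.Account.Changes.RequireTrustedTenant` in the `register_with_azure` action, ahead of `AshAuthentication.GenerateTokenChange`, so the tenant check runs before any token is generated.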