Description
OAuth2-Proxy Version
7.8.2
Provider
entra-id
Expected Behaviour
Transparent refreshing AccessToken when needed
Current Behaviour
When running with Entra ID and Workload Identity, refreshing/redeeming the refresh token doesn't work and fails:
[2025/04/11 13:36:16] [stored_session.go:193] Unable to refresh session:
error refreshing tokens: unable to redeem refresh token: failed to get token: oauth2: "invalid_client""AADSTS7000218:
The request body must contain the following parameter: 'client_assertion' or 'client_secret'.
Trace ID: 60110e49-47d5-46a6-bf85-a4249f3a0000
Correlation ID: fb527aa9-8f1d-48e5-a1e8-3daeb1e63835
Timestamp: 2025-04-11 11:36:03Z"
"https://login.microsoftonline.com/error?code=7000218"
Steps To Reproduce
Run oauth2-proxy with --cookie-refresh=120s
and
AZURE_AUTHORITY_HOST=https://login.microsoftonline.com/
AZURE_CLIENT_ID=<AZURE-CLIENT-ID>
AZURE_FEDERATED_TOKEN_FILE=<SOME TOKEN FILENAME>
AZURE_TENANT_ID=<AZURE-TENANT-ID>
OAUTH2_PROXY_PROVIDER=entra-id
OAUTH2_PROXY_CLIENT_ID=<AZURE-CLIENT-ID>
OAUTH2_PROXY_OIDC_ISSUER_URL=https://login.microsoftonline.com/3aa4a235-b6e2-48d5-9195-7fcf05b459b0/v2.0
OAUTH2_PROXY_ENTRA_ID_FEDERATED_TOKEN_AUTH=true
OAUTH2_PROXY_COOKIE_EXPIRE=168h0m0s
OAUTH2_PROXY_COOKIE_HTTPONLY=true
OAUTH2_PROXY_COOKIE_NAME=_oauth2_proxy
OAUTH2_PROXY_COOKIE_REFRESH=60m0s
OAUTH2_PROXY_COOKIE_SAMESITE=lax
OAUTH2_PROXY_COOKIE_SECRET=abcd1234abcd1234
OAUTH2_PROXY_COOKIE_SECURE=true
OAUTH2_PROXY_EMAIL_DOMAINS='*'
OAUTH2_PROXY_HTTP_ADDRESS=http://:4180
OAUTH2_PROXY_INSECURE_OIDC_SKIP_NONCE=false
OAUTH2_PROXY_PASS_ACCESS_TOKEN=true
OAUTH2_PROXY_PASS_BASIC_AUTH=false
OAUTH2_PROXY_PROXY_PREFIX=/oauth2
OAUTH2_PROXY_REDIS_CONNECTION_URL=redis://127.0.0.1:6379
OAUTH2_PROXY_REDIS_PASSWORD=
OAUTH2_PROXY_SCOPE=openid profile offline_access 6dae42f8-4368-4678-94ff-3960e28e3630/user.read email
OAUTH2_PROXY_SESSION_STORE_TYPE=redis
OAUTH2_PROXY_SET_AUTHORIZATION_HEADER=true
OAUTH2_PROXY_SET_XAUTHREQUEST=true
OAUTH2_PROXY_SKIP_CLAIMS_FROM_PROFILE_URL=true
OAUTH2_PROXY_SKIP_OIDC_DISCOVERY=false
OAUTH2_PROXY_SKIP_PROVIDER_BUTTON=true
Possible Solutions
Either upgrade OIDC to possibly get the client assertion from ms-entra, or upgrade OIDC with support for any client assertion tool, such as private_key_jwt
or Federated Credentials with client assertion (ref. #2909).
Replace OIDCProvider.GetClientSecret() string
with an OIDCProvider.AuthenticateClient(oauth2.Config) oauth2.Config
method.
I would like to propose and make an initial bugfix to make workload identity work (I don't want to recreate our client secrets and maintenance scripts that I deleted :D), and look at the RFC above for a better long-term solution.
Configuration details or additional information
See #1979 for the initial implementation.