How to setup OPA for Azure AD?

[mukundv18]

I am new to OPA as well as Azure AD. I have written the following sample config for OPA,

services:
  wmtopa:
    credentials:
      oauth2:
        token_url: https://login.microsoftonline.com/<TENANT_ID>/oauth2/v2.0/token
        client_id: "<CLIENT_ID>"
        client_secret: "<CLIENT_SECRET>"

Registered a new application on Azure AD and configured it with Client Secret.

When the authentication is triggered, I get the following logs from OPA,

{"client_addr":"127.0.0.1:54232","level":"info","msg":"Received request.","req_id":2,"req_method":"PRI","req_path":"*","time":"2022-05-17T04:55:27Z"}
{"client_addr":"127.0.0.1:54232","level":"info","msg":"Sent response.","req_id":2,"req_method":"PRI","req_path":"*","resp_bytes":0,"resp_duration":0.119711,"resp_status":301,"time":"2022-05-17T04:55:27Z"}

What am I missing? Should something be configured in the Application Registration on Azure AD or should is there something missing in the config file for OPA?

[anderseknert]

Hey there! 😃 I’m on my phone right now, but did you check out https://www.openpolicyagent.org/docs/latest/management-bundles/#azure-blob-storage

while you might not use blob storage, the credentials part should be the same, I imagine.

[srenatus]

Should something be configured in the Application Registration on Azure AD or should is there something missing in the config file for OPA?

Have you done anything beyond what you've shared in the message? Without a system policy checking a token, or something; OPA will not magically do authentication. What you've configured are the secrets to use when talking to the Azure AD service -- nothing more. No authentication logic will be enforced from configuring that alone. See https://www.openpolicyagent.org/docs/latest/security/#authentication-and-authorization for details.

[anderseknert]

Good points! Either way, this looks intriguing:

"req_method":"PRI","req_path":"*"

🕵️

[srenatus]

HTTP2?

[anderseknert]

Huh, did not know they extended the set of request headers. Gotta read up on that I suppose :)

[mukundv18]

Yes. It is HTTP2

[mukundv18]

My understanding about checking the tokens was that it is used only for authenticating data based on the bearer tokens. However, I wanted to perform authentication for all users of a group in Azure AD.
Since the document mentioned this configuration to talk to AzureAD, I assumed, providing this data should automatically authenticate only the users part of the group in Azure AD

[srenatus]

💡 Now we're getting somewhere. So you'd need to make an HTTP request to Azure AD from your Rego policy. I'm afraid you'll need to deal with client credentials on your own here: you'd need to provide the proper headers to http.send making an API call to Azure AD to lookup groups based on...whatever you get in your incoming request that you'd like to look up. What do you want to use for that? I.e. what's going to be in the query to Azure AD?

[mukundv18]

Query to Azure AD should only authenticate the user trying to talk to Redis.

[srenatus]

What's in the request that you're using to identify the user? Some token?

[mukundv18]

Yeah, we can send token and username and password for the same.

[srenatus]

So what's the Azure AD HTTP API you want to send a request to? Have you located the relevant documentation?

[mukundv18]

@srenatus ,
After some good reading, I believe I have a better understanding of how it should work. So, what we want to achieve is that the Envoy should send the token via grpc to OPA and OPA should validate the token on Azure AD.
So how should the System policy be for OPA? Does Envoy talk to OPA via grpc or http? If http, how to pass the token from Envoy to OPA for validation?
Is there a way to see the Request coming from Envoy to OPA?

[mukundv18]

Hi @srenatus ,
I was also going through the examples available at https://play.openpolicyagent.org/p/YhkhFJDVr9
All the example are for http calls. So my questions is, do calls from Envoy to OPA come always as HTTP calls?
Also, where do I see the input received by OPA. That will help me debug the issues better and test my policy opa oxplorer (https://play.openpolicyagent.org/p/YhkhFJDVr9)

[ashutosh-narkar]

The input OPA receives from Envoy can be found here. The communication between OPA and Envoy is over grpc.

[mukundv18]

Hi @ashutosh-narkar ,
Thanks! I did go through the document. However, what I wanted to know was if I can see the input in any logs? May be by enabling a flag for the OPA logs?