OAuth2 authentication (azure, microsoft, ...)

michalslovik · September 16, 2020, 9:10pm

Hi All,

I would like ask if this is relevant Oauth2 authentication or only google auth is supported ?

Or is possible to authenticate with Microsoft (OAuth2), like
https://docs.rstudio.com/connect/1.8.4/admin/authentication/oauth2/

If yes:
How to map

YAML:

openid:
    client-id:  OK
    client-secret: OK
    auth-url    ???
    token-url  ??? 
    jwks-url   ???

Into

[Authentication]
Provider = oauth2
Lifetime = 24h

[OAuth2]
ClientId = XXXXXXX
ClientSecret = XXXXXXXX
Logging = true
RequireUsernameClaim = https://login.microsoftonline.com/XXXXXXXX/oauth2/authorize

Thanks

Hong · September 17, 2020, 1:21am

The AzureAuth package provides OAuth2 authentication to AAD. If you run into problems, you can ask here or open an issue at the Github repo.

michalslovik · September 17, 2020, 6:01am

Hi @Hong. Thank you for your answer. But this package is possible to run inside of running application on RStudio Connect, but I would like to login into RStudio Connect using this Azure OAuth2 if is possible.

rstub · September 17, 2020, 5:28pm

I am not sure where the YAML code comes from. The necessary ClientId is generated when you register the application. It is called "Application (client) ID" in the overview page. You can create a new ClientSecret in the "Certificates & secrets" page.

michalslovik · September 17, 2020, 5:38pm

Hi @rstub. The YAML is from shinyproxy application, which was used as template. Because clientId and secretId are there also. But I did not found any URL specification, so rstudio-connect always try to use google auth, but I would like to change it to microsoft.

rstub · September 21, 2020, 11:58am

In the Azure portal on the overview page of your app you can click on "Endpoints". This will give you a list of relevant URLs including the "OpenID Connect metadata document" of the form https://login.microsoftonline.com/<your Directory (tenant) ID>/v2.0/.well-known/openid-configuration. From the docs we have

To use a provider other than Google, an OpenID Connect issuer must be defined on OAuth2.OpenIDConnectIssuer . The issuer must be an HTTPS URL and the location of the /.well-known/openid-configuration discovery metadata for OpenID Connect.

So OpenIDConnectIssuer should be set to https://login.microsoftonline.com/<your Directory (tenant) ID>/v2.0/.

michalslovik · September 21, 2020, 11:58am

Thanks @rstub. In the meantime we switch to SAML and that works fine. I think your answer is fine, but I will try it another time.