
Problem with custom signing keys (kid) when using claims mapping in Azure AD #1204

Open
dertodestod opened this issue Dec 8, 2023 · 1 comment

@dertodestod

About You:
Name: Thomas

Your question:
Hi everyone,

we were able to successfully connect Tableau with our Amazon Athena environment using the recently released Amazon Athena connector which supports OAuth authentication (https://help.tableau.com/current/pro/desktop/en-us//amazon_athena_idp.htm).

To make it work we 'combined' the configs found at https://github.com/tableau/connector-plugin-sdk/blob/master/samples/components/oauth/athena.okta.xml and https://github.com/tableau/connector-plugin-sdk/blob/master/samples/components/oauth/redshift.azure.xml and we are using Azure AD/Entra ID as our IdP.

That works relatively well, however we are missing the ability to use multiple IAM roles with 1 application via SAML Assertions (e.g. 'https://aws.amazon.com/SAML/Attributes/Role') which we are getting with a similar SAML setup for other tools using for example JDBC. Now we want to use something like AWS IAM Session tags (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_adding-assume-role-idp) or Source Identity (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html#id_credentials_temp_control-access_monitor-assume-role-web-id) but for that we need custom claims in our Azure application so the fields are available in the jwt token.

Now, the problem is when we add custom claims Azure is using a different signing key as Microsoft themselves state in their documentation:

"If the application has custom signing keys as a result of using the claims-mapping feature, append an appid query parameter that contains the application ID. For validation, use jwks_uri that points to the signing key information of the application. For example: https://login.microsoftonline.com/{tenant}/.well-known/openid-configuration?appid=535fb089-9ff3-47b6-9bfb-4f1264799865 contains a jwks_uri of https://login.microsoftonline.com/{tenant}/discovery/keys?appid=535fb089-9ff3-47b6-9bfb-4f1264799865."

"Apps that have claims mapping enabled must validate their token signing keys by appending appid={client_id} to their OpenID Connect metadata requests."

See https://learn.microsoft.com/en-us/entra/identity-platform/access-tokens#validate-the-signature or https://learn.microsoft.com/en-us/entra/identity-platform/jwt-claims-customization#validate-token-signing-key.

That means as soon as we attach custom claims to the application the key (kid) in the jwt token is changed on Azure side but the Tableau connector still uses the default keys from https://login.microsoftonline.com/{tenant}/discovery/keys which leads to mismatching keys and errors.

Unfortunately, I don't see a way of telling Tableau to use the custom OpenID Connect metadata links or just a custom jwks_uri (which appends the appid) because in the pluginOAuthConfig .xml file I can only define the authUri and tokenUri.

Can you let me know if there is a way to change that behavior of the Tableau connector via some configuration? If not, do you think it's possible to add a configuration for this to support these custom claims when using Azure?
Thanks a lot.

Best regards
Thomas
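Resolving the token signing key for a claims-mapping app, as an added example that is not part of the issue or of the Tableau connector SDK. It is stand-alone Python with no network access: the tenant, client id, the two JWKS documents and the token header are constructed placeholders, and `fetch_jwks` stands in for the HTTP GET. It shows why a validator that always reads the tenant-wide `discovery/keys` endpoint fails to find the `kid` of a token issued to an app with claims mapping, and that appending `appid=<client_id>` to the `jwks_uri` resolves it.

```python
"""Look up a JWT's signing key (kid) for an Entra ID app that uses claims mapping.
Added example; discovery data, key sets and token header below are constructed."""
import base64
import json
from typing import Optional
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

TENANT = "contoso.onmicrosoft.com"                 # placeholder tenant
APP_ID = "00000000-0000-0000-0000-000000000000"    # placeholder client id
DEFAULT_KEYS_URI = f"https://login.microsoftonline.com/{TENANT}/discovery/keys"


def jwks_uri_for_app(jwks_uri: str, app_id: Optional[str]) -> str:
    """Append appid=<client_id> to a jwks_uri, as Entra requires for apps with
    custom claims. Without an app id the tenant-wide URI is returned unchanged."""
    if not app_id:
        return jwks_uri
    parts = urlsplit(jwks_uri)
    query = dict(parse_qsl(parts.query))
    query["appid"] = app_id
    return urlunsplit(parts._replace(query=urlencode(query)))


def token_kid(token: str) -> str:
    """Read the kid from the JWT header (no signature check; key selection only)."""
    header_b64 = token.split(".")[0]
    header_b64 += "=" * (-len(header_b64) % 4)      # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(header_b64))["kid"]


# Constructed key sets: the tenant-wide set and the app-specific set differ in kid.
TENANT_KEYS = {"keys": [{"kty": "RSA", "use": "sig", "kid": "tenant-key-1",
                         "n": "placeholder-modulus", "e": "AQAB"}]}
APP_KEYS = {"keys": [{"kty": "RSA", "use": "sig", "kid": "app-key-1",
                      "n": "placeholder-modulus", "e": "AQAB"}]}
KEY_SETS = {DEFAULT_KEYS_URI: TENANT_KEYS,
            jwks_uri_for_app(DEFAULT_KEYS_URI, APP_ID): APP_KEYS}


def fetch_jwks(uri: str) -> dict:
    """Offline stand-in for GET <jwks_uri>; a real validator fetches and caches it."""
    return KEY_SETS[uri]


def resolve_key(token: str, app_id: Optional[str] = None) -> Optional[dict]:
    """Pick the JWKS endpoint (with or without appid) and look up the token's kid.
    Returns the matching JWK, or None when the kid is absent (the connector's error)."""
    jwks = fetch_jwks(jwks_uri_for_app(DEFAULT_KEYS_URI, app_id))
    kid = token_kid(token)
    return next((k for k in jwks["keys"] if k.get("kid") == kid), None)


def make_token(kid: str) -> str:
    """Build a constructed JWT with the given kid (payload and signature are dummies)."""
    header = json.dumps({"typ": "JWT", "alg": "RS256", "kid": kid}).encode()
    return base64.urlsafe_b64encode(header).rstrip(b"=").decode() + ".e30.sig"
```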

@lukewrites
Member

Internal tracking: W-14661582
