25,148 questions
I have an 403 error trying to use microsoft azure OIDC with my kubeflow application
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(51.2, 40%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ENN%3C/text%3E%3C/svg%3E)
Nelson Nwajie
5
Reputation points
I am setting up kubeflow to have my authentication and authorization through azure active directory and completely avoid dex
I have edited the oidc-authservice-parameters config map as follows;
apiVersion: v1
kind: ConfigMap
metadata:
name: oidc-authservice-parameters
namespace: istio-system
data:
AUTHSERVICE_URL_PREFIX: https://<my domain>/authservice/
OIDC_REDIRECT_URI: https://<my domain>/authservice/oidc/callback
OIDC_AUTH_URL: https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/authorize
OIDC_PROVIDER: https://login.microsoftonline.com/<tenant-id>/v2.0
OIDC_SCOPES: profile email
STORE_PATH: /var/lib/authservice/data.db
SKIP_AUTH_URLS: ""
CLIENT_ID: <client_id>
APPLICATION_SECRET: <client secret>
USERID_CLAIM: email
USERID_HEADER: kubeflow-userid
USERID_PREFIX: ""
this is my dex config map, though i dont actaully need it as i am completely going through AAD for OIDC
apiVersion: v1
kind: ConfigMap
metadata:
name: dex
namespace: auth
data:
config.yaml: |
issuer: https://login.microsoftonline.com/<tenant_id>/v2.0
storage:
type: kubernetes
config:
inCluster: true
web:
http: 0.0.0.0:5556
logger:
level: "debug"
format: text
oauth2:
skipApprovalScreen: true
staticClients:
- idEnv: OIDC_CLIENT_ID
redirectURIs: ["/login/oidc"]
name: 'Dex Login Application'
secretEnv: OIDC_CLIENT_SECRET
connectors:
- type: microsoft
id: microsoft
name: Microsoft
config:
clientID: <client id>
clientSecret: <client secret>
redirectURI: https://<my domain>/authservice/oidc/callback
scopes:
- profile
- email
On azure, i have registered an app and set the redirect_uri to https:///authservice/oidc/callback and given a api permission of openid, email and profile, user.read(default).
when i go to .com it takes me to microsoft login page, i log in successfully but after the login session i get a 403 error page
How can i resolve this....It is not directing me to my kubeflow application.
Microsoft Security | Microsoft Entra | Microsoft Entra ID
{count} votes
-
James Hamil 27,221 Reputation points Microsoft Employee Moderator2023-07-12T20:45:53.8666667+00:00 Hi @Nelson Nwajie , it seems like you have configured the OIDC settings correctly. This error might be related to the RBAC settings in your Kubeflow deployment.
Please check the following for me and let me know the results:
- Check the RoleBinding and ClusterRoleBinding resources in your Kubeflow deployment to ensure that the authenticated user has the necessary permissions.
- If the authenticated user is missing the required permissions, you can create a new RoleBinding or ClusterRoleBinding to grant the user access to the Kubeflow dashboard.
Let me know if this fixes it or if you have any more questions.
Best,
James
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(281.6, 17%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EGM%3C/text%3E%3C/svg%3E)
Givary-MSFT 35,626 Reputation points Microsoft Employee Moderator2023-07-31T08:05:48.7533333+00:00 @Nelson Nwajie Just checking in to see if above information was helpful. If you have any further updates on this issue, please feel free to post back.
Sign in to comment
Sign in to answer