Description
Checklist
- I have looked into the README and have not found a suitable solution or answer.
- I have looked into the documentation and have not found a suitable solution or answer.
- I have searched the issues and have not found a suitable solution or answer.
- I have upgraded to the latest version of OpenFGA and the issue still persists.
- I have searched the Slack community and have not found a suitable solution or answer.
- I agree to the terms within the OpenFGA Code of Conduct.
Description
This issue might be Entra-specific. But Entra is an important IdP, so we should take it into consideration.
Imagine we have an App registration in Entra whose client ID is 6b932e2c-b430-42cb-89a6-8e5a61f8132c, and when using the OpenFGA CLI we set api-audience to that client ID:
```yaml
api-url: https://localhost:8080
client-id: "6b932e2c-b430-42cb-89a6-8e5a61f8132c"
client-secret: "...."
api-audience: "6b932e2c-b430-42cb-89a6-8e5a61f8132c"
api-token-issuer: "https://sts.windows.net/<Your Azure Tenant ID>/oauth2/token"
```
Using the OpenFGA CLI, we get a token from the client credentials flow; the aud claim in the token is 00000002-0000-0000-c000-000000000000, which is the Windows Azure Active Directory application.
Expectation
We expect to receive a token with aud set to the app itself.
Reproduction
- Configure an App Registration in Entra
- Get the client_id and client_secret for your application
- Configure the OpenFGA CLI such that it is able to get a token from Entra.
  3.1 We need a debug version of OpenFGA that shows us the token it gets from Entra before sending the request to the OpenFGA server.
- Decode the token and check the aud claim.
OpenFGA SDK version
latest
OpenFGA version
latest
SDK Configuration
via OpenFGA CLI
Logs
No response
References
This might be related to the Entra IdP specifically.
Here is how we can repro the issue via curl:
Test 1
```shell
curl -X POST "https://sts.windows.net/<your azure tenant id>/oauth2/token" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "grant_type=client_credentials&client_id=6b932e2c-b430-42cb-89a6-8e5a61f8132c&client_secret=....."
```
We get a token; decoding it, we see the aud claim is not 6b932e2c-b430-42cb-89a6-8e5a61f8132c.
Test 2
```shell
curl -X POST "https://sts.windows.net/<your azure tenant id>/oauth2/token" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "grant_type=client_credentials&client_id=6b932e2c-b430-42cb-89a6-8e5a61f8132c&client_secret=.....&resource=6b932e2c-b430-42cb-89a6-8e5a61f8132c"
```
We get another token; decoding it, we see the aud claim is 6b932e2c-b430-42cb-89a6-8e5a61f8132c, as expected.
The SDK implementation right before making a token request, https://github.com/openfga/go-sdk/blob/main/credentials/credentials.go#L119-L126, does not specify resource, as in Test 1 of the curl commands; hence we get the issue.
That means that if the OpenFGA server is configured for OIDC authn with Entra, people cannot use the OpenFGA CLI to get the right token that the server expects. The OpenFGA server should not expect an audience tied to Windows Azure Active Directory in your Azure tenant.
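Added example (not part of the original issue, and not code from the OpenFGA SDK or CLI): a small Go program that shows the difference between the two request bodies in Test 1 and Test 2 and implements the check from step 3.1, decoding a JWT payload and comparing its aud claim against the expected client ID. The tokens it inspects are constructed inline to stand in for what Entra returns; the issuer value, the placeholder signature and the helper names are assumptions for illustration. It decodes without verifying the signature, which is fine for debugging a CLI but must never be used as the server's authentication check. It also handles aud being a JSON array, which RFC 7519 allows even though the tokens in this issue carry a single string.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// azureADGraphAppID is the audience the issue reports when no resource is sent.
const azureADGraphAppID = "00000002-0000-0000-c000-000000000000"

// clientCredentialsForm builds the x-www-form-urlencoded body for the v1
// /oauth2/token endpoint. A non-empty resource is added to the form, which
// is the only difference between Test 1 and Test 2 in the issue.
func clientCredentialsForm(clientID, clientSecret, resource string) string {
	form := url.Values{}
	form.Set("grant_type", "client_credentials")
	form.Set("client_id", clientID)
	form.Set("client_secret", clientSecret)
	if resource != "" {
		form.Set("resource", resource)
	}
	return form.Encode()
}

// tokenAudiences decodes the JWT payload WITHOUT verifying the signature
// (an inspection helper for debugging, not an authn check) and returns the
// aud claim, which RFC 7519 allows to be either a string or an array.
func tokenAudiences(token string) ([]string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("not a compact JWS: expected 3 dot-separated parts")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, fmt.Errorf("decode payload: %w", err)
	}
	var claims struct {
		Aud json.RawMessage `json:"aud"`
	}
	if err := json.Unmarshal(payload, &claims); err != nil {
		return nil, fmt.Errorf("parse claims: %w", err)
	}
	if len(claims.Aud) == 0 {
		return nil, errors.New("token has no aud claim")
	}
	var single string
	if err := json.Unmarshal(claims.Aud, &single); err == nil {
		return []string{single}, nil
	}
	var many []string
	if err := json.Unmarshal(claims.Aud, &many); err != nil {
		return nil, fmt.Errorf("aud is neither a string nor an array: %w", err)
	}
	return many, nil
}

// audienceMatches reports whether expected is among the token's audiences.
func audienceMatches(token, expected string) (bool, error) {
	auds, err := tokenAudiences(token)
	if err != nil {
		return false, err
	}
	for _, a := range auds {
		if a == expected {
			return true, nil
		}
	}
	return false, nil
}

// unsignedTestToken builds a constructed JWT with the given aud for offline
// demonstration. Real Entra tokens carry an RS256 signature; "sig" here is a
// placeholder that is never verified, and the iss value is illustrative.
func unsignedTestToken(aud any) string {
	enc := func(v any) string {
		b, _ := json.Marshal(v)
		return base64.RawURLEncoding.EncodeToString(b)
	}
	header := map[string]string{"alg": "RS256", "typ": "JWT"}
	payload := map[string]any{"aud": aud, "iss": "https://sts.windows.net/<tenant>/"}
	return enc(header) + "." + enc(payload) + ".sig"
}

func main() {
	clientID := "6b932e2c-b430-42cb-89a6-8e5a61f8132c"
	fmt.Println("Test 1 body:", clientCredentialsForm(clientID, "<secret>", ""))
	fmt.Println("Test 2 body:", clientCredentialsForm(clientID, "<secret>", clientID))

	// Constructed tokens standing in for what Test 1 and Test 2 return.
	test1 := unsignedTestToken(azureADGraphAppID)
	test2 := unsignedTestToken(clientID)
	ok1, _ := audienceMatches(test1, clientID)
	ok2, _ := audienceMatches(test2, clientID)
	fmt.Println("Test 1 aud matches client ID:", ok1) // false
	fmt.Println("Test 2 aud matches client ID:", ok2) // true
}
```

To use this against a real token, paste the access_token from the curl response into audienceMatches with your App registration's client ID; a false result with no error is the symptom this issue describes.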