OIDC setup on Filestash using Azure

This document describe how to setup the OpenID connector of Azure in Filestash. It is split onto 2 parts, the setup and configuration of:

1) the IDP

2) the application

STEP1: IDP Configuration

Configuring the IDP has a couple steps:

1) register an application

2) create a policy

3) create a secret

Register an application

Assuming you have already setup Azure AD B2C on your account:

The first step is to register an application:

The redirection URI must be on the form of http://your_domain/api/session/auth/.

Policy

Next step is to have a policy setup:

If that’s not the case, create one:

and follow the wizard:

In our scenario the policy name is “B2C_1_test”. Take note of it, we will need it later on when setting up our application.

Get your clientID and client secret

Let’s head to the overview tab of the app registration:

the clientID you will need to configure in Filestash is what’s visible in Azure as “Application (client) ID” which in my case is “c504f6fa-39ca-44e5-ba27-f272d906c7a6”. Take note of it, we will need it later in the setup of the application.

We then need to generate a client secret by blicking on the “Add a certificate or secret” button”, follow the wizard:

until we can extract the actual secret:

in my case it is: “gY58Q~7Rwqy4~nqUFGruVL1j84e7p7o5z3T81a5O”. Write it down somewhere, we will need it later on.

STEP2: Application configuration

To establish the connection between the app and the Azure IDP, we will need to fill the OIDC authentication middleware in Filestash. A working setup might look like this:

Field1: OpenID Config URL

You can get the value for this field by navigating on the application registration:

The URL contains a variable for the policy name which should match the relevant User Flows Policy previously made here, in our case “B2C_1_test” making in our case the following openid-configuration link

Field2: Client ID

That’s one of the fields I’ve asked you to write down in STEP1 => Get your clientID and client secret

Field3: Client Secret

That’s one of the fields I’ve asked you to write down in STEP1 => Get your clientID and client secret

Field4: Scope

In its default setup, Azure doesn’t comply with the OIDC spec and doesn’t give an access token in its token response unless you specify in the scope the appID of your application. To get the appID for your application, you need access the app registration manifest:

and enter that value back in your scope configuration:

Failing to do so will give you a “Oops! Not Allowed” error message with the following messages in your logs:

2024/11/04 16:13:14 SYST DEBUG session::authMiddleware 'backend connection failed map[timestamp:2024-11-04T16:13:14+11:00] - Not Allowed'
2024/11/04 16:13:14 HTTP 307 GET 1365.3ms /api/session/auth/?code=eyJraWQiOiJjcGltY29yZV8wOTI1MjAxNSIsInZlciI6IjEuMCIsInppcCI6IkRlZmxhdGUiLCJzZXIiOiIxLjAifQ..yoe25AWqup3VONud.HCIy4ACebTUfRyoNwNzCQVWAHn45vzIpNDTZmRr8sOVy8LYryhmEMlrqiz_yVlWfTcVSibImWhbkd1StkwT1xHF_ssYiy8KRWNoaasIzNcZdtbhalXX0JEgA8_RU1vJiflQKEiuDf6H54vlFC4fNpPHqtLiHFcDhnMXjNh2xlzIbSpF3szyGx02D_Eb4R95K_Xqyc6WGeheTfOWjxsQQVX_oiXGp6I1SODj1edCWP3UfTHRh1b1X75Fr_SoVRBztrsdz-5_FeErC5koF8l7hSfU2brKqB0-wCR6Ynb4cMJw3iKwtKOKBvHavp4eAD01x7dRkGhMj8dABdYo6fYKiThlDrLj3ArgCd8RpkB9RqKtBpQy3cwSyIp4MZGibqeWx_sS-il1WieGd5eXCJIH1jFuPaxXJpw0MmBfOKRiK8otK0MX9TunYgwmRPBDGV0dLtQrF3L-tKWqdaORYB6pIhjCN0VwDyFSYEuyZtmbb75d8__4qQgO234D4eRDhYzr6SDgY6mkLZ5Q0V9uZNar47fufLX0cdvxitjA3rljOn4G2rOk.JcBCb9GRQ7nXHnOjkd-Ogw
2024/11/04 16:13:14 HTTP 200 GET    1.3ms /?error=Not%20Allowed&trace=backend%20error%20-%20Not%20Allowed

Another limitation is Azure OIDC don’t provide a user info endpoint to extract user profile information given an access token. The great care of Microsoft torward OIDC is at full display in this report, please talk to your Microsoft representative so they can fix their implementation to follow the specs.