Tags: azure, oauth-2.0, azure-active-directory, hpc, azure-authentication

Figuring out an (Azure) OAuth2 authorization flow for HPC command line utilities


I'm pretty new to Azure/OAuth2 so apologies if this is a simple problem. My head's spinning though and I'd appreciate some pointers.

I'm developing a command line utility for use in a high performance compute cluster. This utility needs to access a REST API which is secured using Azure's OAuth2 implementation.

I'm struggling to get my head around how my client utility should be getting auth codes. My intended flow looks like this...

  1. User gets a terminal on a random HPC node and invokes client on the command line
  2. Client finds it needs a new access code
  3. Client generates a URL for the user to visit and prints it to terminal
  4. Client starts a server to listen for the code at the redirect URL
  5. User opens a browser on their local machine (NOT the machine the client is running on) and gives credentials
  6. Client receives code via redirect
  7. Client tears down server and proceeds with the rest of the OAuth2 flow before accessing the API.

I'm falling over between steps 5 and 6. I'm seeing "No reply address is registered for the application" in the browser after providing credentials. I think Azure wants me to specify a reply address in the app registration so it can validate the reply address in the client-generated URL. The problem is, I can't feasibly give one! Here's why...

  1. Terminal-only client: means no GUI browsers on the client machine, i.e. can't use 'localhost' as a reply address.
  2. Thousands of potential client hosts: my client could be invoked on any of the thousands of nodes in our compute cluster. This makes listing all potential redirect URIs in the app's Azure registration unfeasible, i.e. I can't have users consent using a browser on a different machine because then I'd have to insert and maintain a reply address for every host in our cluster!

Is what I'm trying to achieve even possible using Azure? I feel like my flow is either wrong or my use-case unsupported. I've read a bit about a 'device flow' in the OAuth2 spec which looks like it may be useful. However, I haven't seen any indication that Azure supports this.

My next step would be to route all code replies via a proxy with a known, static, URI. This feels like more work than I ought to be doing to get this working though, so wanted to run this past the experts first ;)

Thoughts appreciated!

Thanks,

Mark.


Solution

  • It kinda sounds like a case for OAuth Device flow: https://joonasw.net/view/device-code-flow

    The flow - a helicopter view

    • App makes HTTP POST to the device code endpoint
    • Gets response with:
      • User code
      • Device code
      • Verification URL
      • Expiry time
      • Polling interval
      • Friendly message
    • Shows message to user so they can open a browser and go to the verification URL
    • App starts polling the token endpoint at the defined polling interval, waits for a 200 OK
    • User opens browser, goes to verification URL, enters the user code
    • User signs in with their account
    • App receives 200 OK with:
      • Access token
      • Refresh token
      • Id token

    My blog article has detailed HTTP requests you need to make, but the main point of it is to allow authentication on browserless devices.
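As an added illustration of the flow the answer outlines (and of why it fits the questioner's browserless, many-host setup), here is a device code client in Python. It is example code written for this page, not code from the answerer's blog or from any Azure library. It uses the Azure AD v2.0 endpoint layout and the RFC 8628 grant type; the tenant and client id are placeholders, and the HTTP transport is injected so the exchange can be run offline against a constructed fake authorization server that plays both the `authorization_pending` and `slow_down` responses before issuing tokens.

```python
"""Device code flow client for a terminal-only CLI (RFC 8628 / Azure AD v2.0).

Example code for this page; not from the original post or the linked blog.
`post(url, form)` is injected so the flow can run offline against FakeAuthServer.
"""
import time

TENANT = "common"                                       # placeholder (assumed)
CLIENT_ID = "00000000-0000-0000-0000-000000000000"      # placeholder app id (assumed)
DEVICE_CODE_URL = f"https://login.microsoftonline.com/{TENANT}/oauth2/v2.0/devicecode"
TOKEN_URL = f"https://login.microsoftonline.com/{TENANT}/oauth2/v2.0/token"
DEVICE_CODE_GRANT = "urn:ietf:params:oauth:grant-type:device_code"


class DeviceFlowError(Exception):
    """Raised when the flow ends without tokens (expired, declined, bad code)."""


def run_device_flow(post, scope, show=print, sleep=time.sleep, now=time.monotonic):
    """POST to the device code endpoint, show the message, poll the token endpoint.

    `post(url, form_dict)` returns (http_status, json_dict). No redirect URI is
    involved, so nothing has to be registered per cluster node.
    """
    status, dc = post(DEVICE_CODE_URL, {"client_id": CLIENT_ID, "scope": scope})
    if status != 200:
        raise DeviceFlowError(f"device code request failed: {dc}")

    show(dc["message"])  # user reads this on the HPC node and acts on any browser

    interval = int(dc.get("interval", 5))
    deadline = now() + int(dc["expires_in"])
    form = {"client_id": CLIENT_ID, "grant_type": DEVICE_CODE_GRANT,
            "device_code": dc["device_code"]}

    while True:
        if now() >= deadline:
            raise DeviceFlowError("user code expired before sign-in completed")
        sleep(interval)
        status, tok = post(TOKEN_URL, form)
        if status == 200:
            return tok                      # access, refresh and id tokens
        err = tok.get("error")
        if err == "authorization_pending":
            continue                        # user has not finished signing in yet
        if err == "slow_down":
            interval += 5                   # RFC 8628: add 5 s to the polling interval
            continue
        raise DeviceFlowError(f"{err}: {tok.get('error_description', '')}")


class FakeAuthServer:
    """Constructed stand-in for the authorization server (offline demo only)."""

    def __init__(self, approve_after_polls=3):
        self.polls = 0
        self.approve_after_polls = approve_after_polls
        self.device_code = "constructed-device-code"

    def post(self, url, form):
        if url == DEVICE_CODE_URL:
            return 200, {
                "device_code": self.device_code, "user_code": "ABCD-EFGH",
                "verification_uri": "https://microsoft.com/devicelogin",
                "expires_in": 900, "interval": 5,
                "message": "To sign in, use a web browser to open "
                           "https://microsoft.com/devicelogin and enter the code ABCD-EFGH.",
            }
        if url == TOKEN_URL:
            if (form.get("grant_type") != DEVICE_CODE_GRANT
                    or form.get("device_code") != self.device_code):
                return 400, {"error": "bad_verification_code"}
            self.polls += 1
            if self.polls == 1:
                return 400, {"error": "slow_down"}           # first poll: back off
            if self.polls < self.approve_after_polls:
                return 400, {"error": "authorization_pending"}
            return 200, {"token_type": "Bearer", "expires_in": 3599,
                         "access_token": "constructed-access-token",
                         "refresh_token": "constructed-refresh-token",
                         "id_token": "constructed-id-token"}
        return 404, {"error": "not_found"}


def demo(approve_after_polls=3, scope="https://graph.microsoft.com/.default"):
    """Run the flow against the fake server with a fake clock; returns a summary."""
    server = FakeAuthServer(approve_after_polls)
    clock = {"t": 0.0}
    sleeps, shown = [], []

    def fake_sleep(seconds):
        sleeps.append(seconds)
        clock["t"] += seconds

    try:
        token = run_device_flow(server.post, scope, show=shown.append,
                                sleep=fake_sleep, now=lambda: clock["t"])
        return {"ok": True, "token": token, "sleeps": sleeps, "shown": shown}
    except DeviceFlowError as exc:
        return {"ok": False, "error": str(exc), "sleeps": sleeps, "shown": shown}


if __name__ == "__main__":
    print(demo())
```

For production use, replace `server.post` with a real POST of the form body (for example via `urllib.request`) and keep the `slow_down` and expiry handling: a cluster with thousands of nodes polling at once is exactly where the token endpoint will ask clients to back off.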