Motivation
Currently only the client_secret can be used, which is an App password. They are inherently harder to rotate, and cannot be automated (e.g. in Azure through AKV, which supports auto-rotation of certificates).
Instead of only allowing for the client secret, it would be great if the certificate-based flow was supported.
Even better if the certificate could be automatically reloaded if it changes on the file system (this feature would work very well with Kubernetes Secrets Store CSI Driver, allowing an E2E automatic rotation of the App's credentials in AAD).
Possible solution
Implement the certificate-based flow to request access tokens (e.g. in oauth2-proxy/providers/azure.go, line 325 in 66bfd8e).
Provider
azure
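The certificate-based flow requested above, as an added example that is not part of the original issue or of oauth2-proxy's code: the client signs a short-lived JWT with the certificate's private key and sends it as `client_assertion` in place of `client_secret` (JWT bearer client authentication, as the Microsoft identity platform documents it for certificate credentials). The function names, the throwaway key, the placeholder certificate bytes and the example URLs are assumptions made for illustration.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"net/url"
	"time"
)

var b64 = base64.RawURLEncoding
// Constructed throwaway key for this demo; a deployment would load key and cert from the mounted file.
var demoKey, _ = rsa.GenerateKey(rand.Reader, 2048)

// clientAssertion builds the RS256 JWT sent instead of client_secret. x5t carries the
// SHA-1 thumbprint of the registered certificate (DER) so the verifier can select the key.
func clientAssertion(key *rsa.PrivateKey, certDER []byte, clientID, tokenURL, jti string, now time.Time) (string, error) {
	thumb := sha1.Sum(certDER)
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "x5t": b64.EncodeToString(thumb[:])})
	claims, _ := json.Marshal(map[string]interface{}{
		"aud": tokenURL, "iss": clientID, "sub": clientID, "jti": jti, // jti must be unique per request
		"nbf": now.Unix(), "exp": now.Add(5 * time.Minute).Unix(), // short-lived
	})
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(claims)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64.EncodeToString(sig), nil
}

// withAssertion removes client_secret from a token request body and adds the assertion.
func withAssertion(form url.Values, assertion string) url.Values {
	form.Del("client_secret")
	form.Set("client_assertion_type", "urn:ietf:params:oauth:client-assertion-type:jwt-bearer")
	form.Set("client_assertion", assertion)
	return form
}

func main() {
	jwt, _ := clientAssertion(demoKey, []byte("constructed-cert-der"), "app-id", "https://login.example/token", "jti-1", time.Now())
	fmt.Println(withAssertion(url.Values{"grant_type": {"authorization_code"}, "client_secret": {"old"}}, jwt).Encode())
}
```

Because the assertion is rebuilt for every token request, re-reading the key and certificate from the mounted path at that point is enough to pick up a rotated certificate.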