Scenario 5: Azure AD CLI Authentication

Objective: Authenticate to the guest cluster KAS using an Azure AD OIDC token obtained via the device code flow, proving end-to-end external OIDC authentication works.

KAS endpoint: https://api-brcox-sm-dev-hc.brcox.hcp-sm-azure.azure.devcluster.openshift.com:443

Overall Scenario 5: PASS — All 4 checks verified.
Step  Check                                                          Result  Evidence
1     Azure AD app configured for public client (device code flow)   PASS    isFallbackPublicClient=true
2     Device code flow obtains ID token from Azure AD                PASS    ID token returned after browser sign-in with device code
3     ID token authenticates to guest cluster KAS                    PASS    kubectl --token auth whoami returned user identity (not Unauthorized)
4     User identity recognized correctly                             PASS    Username: br...@redhat.com

Commands & Outputs

Step 1: Enable public client flow for device code authentication

$ az ad app update --id d638131c-...dbc1 \
    --is-fallback-public-client true

# (silent success)
Why public client? The device code flow is designed for CLI/device scenarios where the client cannot securely store a secret. Setting isFallbackPublicClient=true allows the app to act as a public client when no secret is provided (CLI flow), while still acting as a confidential client when the secret IS provided (console authorization code flow).

Step 2: Obtain ID token via device code flow

# Request device code
$ curl -s -X POST \
    "https://login.microsoftonline.com/520cf09d-...73b09/oauth2/v2.0/devicecode" \
    -d "client_id=d638131c-...dbc1&scope=openid+profile+email"

{
  "user_code": "FFFQPDPUY",
  "verification_uri": "https://login.microsoft.com/device",
  "expires_in": 900,
  "message": "To sign in, use a web browser to open the page https://login.microsoft.com/device and enter the code FFFQPDPUY"
}

# User completes browser sign-in, then exchange device code for tokens
$ curl -s -X POST \
    "https://login.microsoftonline.com/520cf09d-...73b09/oauth2/v2.0/token" \
    -d "grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Adevice_code\
&client_id=d638131c-...dbc1&device_code=<DEVICE_CODE>"

# ID token obtained successfully
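The two curl calls above, plus the polling rules the token endpoint expects between them, as an added Python example (this is not part of the report and not tooling from the cluster or from Azure): it builds the same two form bodies, polls the token endpoint while handling authorization_pending and slow_down the way RFC 8628 describes, and does an unverified decode of the returned ID token to check iss, aud and exp before the token is handed to kubectl in step 3. The tenant id, client id, device code, the sample claims and the scripted fake transport are constructed placeholders; a real run would pass a `post` function backed by urllib or requests instead of the fake one.

```python
"""Device code flow driver with a pluggable HTTP transport (added example)."""
import base64
import json
import time
from urllib.parse import urlencode

# Placeholders: the page redacts the real tenant and application ids.
TENANT_ID = "tenant-id-placeholder"
CLIENT_ID = "client-id-placeholder"
AUTHORITY = f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0"
DEVICE_CODE_GRANT = "urn:ietf:params:oauth:grant-type:device_code"


def device_code_request():
    """URL and form body matching the first curl in step 2."""
    body = urlencode({"client_id": CLIENT_ID, "scope": "openid profile email"})
    return f"{AUTHORITY}/devicecode", body


def token_request(device_code):
    """URL and form body matching the second curl; urlencode percent-encodes the grant URN."""
    body = urlencode({"grant_type": DEVICE_CODE_GRANT, "client_id": CLIENT_ID,
                      "device_code": device_code})
    return f"{AUTHORITY}/token", body


def poll_for_tokens(post, device_code, interval, expires_in,
                    sleep=time.sleep, clock=time.monotonic):
    """Poll the token endpoint as RFC 8628 section 3.5 prescribes.

    `post(url, body)` must return (http_status, parsed_json_body).
    authorization_pending: the user has not finished in the browser, poll again;
    slow_down: back off by 5 seconds; any other error (expired_token,
    access_denied, ...) is terminal.
    """
    url, body = token_request(device_code)
    deadline = clock() + expires_in
    while clock() < deadline:
        sleep(interval)
        status, resp = post(url, body)
        if status == 200:
            return resp
        error = resp.get("error")
        if error == "authorization_pending":
            continue
        if error == "slow_down":
            interval += 5
            continue
        raise RuntimeError(f"device code flow failed: {error}")
    raise TimeoutError("device code expired before sign-in completed")


def unverified_claims(jwt):
    """Decode a JWT payload WITHOUT checking the signature.

    Only a local sanity check before the token goes to kubectl; the KAS
    verifies the signature against the issuer's JWKS on its own.
    """
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def preflight(claims, now):
    """Reasons the KAS would reject this token; empty list means it looks usable."""
    problems = []
    if claims.get("iss") != f"https://login.microsoftonline.com/{TENANT_ID}/v2.0":
        problems.append("issuer does not match the configured tenant")
    if claims.get("aud") != CLIENT_ID:
        problems.append("audience is not this application")
    if claims.get("exp", 0) <= now:
        problems.append("token is expired")
    return problems


def _b64url(obj):
    """base64url without padding, as used for JWT segments."""
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


def fake_transport(id_token):
    """Constructed stand-in for login.microsoftonline.com: pending, slow_down, then success."""
    script = [
        (400, {"error": "authorization_pending"}),
        (400, {"error": "slow_down"}),
        (200, {"token_type": "Bearer", "id_token": id_token}),
    ]

    def post(url, body):
        assert url.endswith("/token") and "grant-type%3Adevice_code" in body
        return script.pop(0)
    return post


def demo(now=1_700_000_000):
    """Run the flow against the fake transport; returns (claims, problems, sleep intervals)."""
    claims = {"iss": f"https://login.microsoftonline.com/{TENANT_ID}/v2.0",
              "aud": CLIENT_ID, "exp": now + 3600,
              "preferred_username": "user@example.com"}  # constructed sample claims
    token = f"{_b64url({'alg': 'RS256'})}.{_b64url(claims)}.sig"  # unsigned, illustration only
    sleeps = []
    resp = poll_for_tokens(fake_transport(token), "device-code-placeholder", interval=5,
                           expires_in=900, sleep=sleeps.append, clock=lambda: now)
    decoded = unverified_claims(resp["id_token"])
    return decoded, preflight(decoded, now), sleeps


if __name__ == "__main__":
    print(demo())
```

The recorded sleep intervals show the back-off: two polls at the initial 5 seconds, then 10 seconds after the slow_down response. Against the real endpoint, `interval` and `expires_in` come from the devicecode response, and the decoded claims should be treated as untrusted until the KAS has validated the signature.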

Steps 3 & 4: Authenticate to guest cluster with OIDC token

$ kubectl --server="https://api-brcox-sm-dev-hc.brcox.hcp-sm-azure.azure.devcluster.openshift.com:443" \
    --token="${ID_TOKEN}" --insecure-skip-tls-verify auth whoami

ATTRIBUTE   VALUE
Username    br...@redhat.com
UID         aaa1f0e0-...f06f
Groups      [aad:da60a6c8-...945b
             aad:378cec49-...be46
             aad:fde71898-...99b
             aad:9339b2f3-...8597
             aad:0ebcb799-...0217
             aad:bd761c62-...905f
             aad:10f926ca-...506c
             system:authenticated]