@gitrgoliveira
Created May 26, 2021 15:09
Setting up OIDC in boundary with AzureAD
#!/bin/bash
#
# `az login` must be run first
#
set -euo pipefail

BOUNDARY_ADDR=https://boundary.ric-lnd.ric.aws.hashidemos.io:9200

# Remove the auth method created by a previous run, if any.
if [ -f "boundary_auth_created.json" ]; then
  echo "removing previous OIDC"
  boundary auth-methods delete -id "$(jq -r .item.id boundary_auth_created.json)" || true
fi

AUTH_SP_NAME=ric-consul-oidc
# Test value only: for anything beyond a demo, read the client secret from the
# environment or a secret store instead of keeping it in the script.
AUTH_CLIENT_SECRET=MyBoundaryTestPasswordChangeMe
AUTH_TENANT=$(az account show | jq -r '.tenantId')
# Boundary's OIDC callback, once for a local listener and once for the public address.
AUTH_REDIRECT_URL1=http://localhost:9200/v1/auth-methods/oidc:authenticate:callback
AUTH_REDIRECT_URL2=${BOUNDARY_ADDR}/v1/auth-methods/oidc:authenticate:callback

# Register the application in Azure AD with both reply URLs.
az ad app create --display-name "${AUTH_SP_NAME}" \
  --password "${AUTH_CLIENT_SECRET}" \
  --reply-urls "${AUTH_REDIRECT_URL1}" "${AUTH_REDIRECT_URL2}" \
  --output none
AUTH_CLIENT_ID=$(az ad app list --display-name "${AUTH_SP_NAME}" | jq -r '.[0].appId')

# Create the OIDC auth method in the global scope; the allowed audience is the
# app's client id, and the issuer is the tenant's v2.0 endpoint.
boundary auth-methods create oidc \
  -format=json \
  -name azure \
  -description "Azure OIDC auth-method for ProdOps" \
  -scope-id=global \
  -allowed-audience="${AUTH_CLIENT_ID}" \
  -api-url-prefix="${BOUNDARY_ADDR}" \
  -client-id="${AUTH_CLIENT_ID}" \
  -client-secret="${AUTH_CLIENT_SECRET}" \
  -signing-algorithm=RS256 \
  -issuer="https://login.microsoftonline.com/${AUTH_TENANT}/v2.0" > boundary_auth_created.json
jq . boundary_auth_created.json

AUTH_METHOD_ID=$(jq -r .item.id boundary_auth_created.json)
# Activate the auth method, make it the primary method of the global scope, and test a login.
boundary auth-methods change-state oidc -id "${AUTH_METHOD_ID}" -state active-public
boundary scopes update -primary-auth-method-id "${AUTH_METHOD_ID}" -id global
boundary authenticate oidc -auth-method-id "${AUTH_METHOD_ID}"
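Before the auth method is switched to `active-public` and made primary, it is worth checking that the flag values the script passes to `boundary auth-methods create oidc` are consistent with what Azure AD will actually do. The following is an added pre-flight check, not part of the gist: it compares the configured issuer and signing algorithm against the provider's OpenID Connect discovery document (served at the standard `/.well-known/openid-configuration` path), confirms the allowed audience equals the client id, and confirms that the callback Boundary derives from `-api-url-prefix` is one of the reply URLs registered on the Azure app. The tenant id, client id, `BOUNDARY_ADDR` and the discovery document are constructed placeholders; `fetch_discovery` shows how the live document would be retrieved but the offline run uses the sample.

```python
# Added example: pre-flight checks for the Boundary <-> Azure AD OIDC settings (not from the gist).
import json
import urllib.request
from dataclasses import dataclass
from typing import Dict, List

# Boundary's OIDC callback path, relative to -api-url-prefix (as used in the gist).
CALLBACK_PATH = "/v1/auth-methods/oidc:authenticate:callback"

# Placeholders for the tenant id and app id the gist reads from `az`.
TENANT_ID = "00000000-0000-0000-0000-000000000000"
CLIENT_ID = "11111111-1111-1111-1111-111111111111"
BOUNDARY_ADDR = "https://boundary.example.test:9200"  # placeholder for the gist's BOUNDARY_ADDR


@dataclass
class OidcAuthMethodConfig:
    """The flag values the gist hands to `boundary auth-methods create oidc`."""
    api_url_prefix: str
    client_id: str
    allowed_audience: str
    issuer: str
    signing_algorithm: str = "RS256"


def discovery_url(issuer: str) -> str:
    """Standard OpenID Connect discovery document location for an issuer."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"


def fetch_discovery(issuer: str, timeout: float = 10.0) -> Dict:
    """Fetch the live discovery document (network call; the run below uses SAMPLE_DISCOVERY)."""
    with urllib.request.urlopen(discovery_url(issuer), timeout=timeout) as resp:
        return json.load(resp)


def expected_callback_url(api_url_prefix: str) -> str:
    """Callback URL Boundary sends to Azure AD, derived from -api-url-prefix."""
    return api_url_prefix.rstrip("/") + CALLBACK_PATH


def check_config(cfg: OidcAuthMethodConfig, discovery: Dict, reply_urls: List[str]) -> List[str]:
    """Return the list of inconsistencies found; an empty list means the settings agree."""
    problems: List[str] = []
    # The id_token `iss` claim is validated against -issuer, so the two must match exactly.
    if discovery.get("issuer") != cfg.issuer:
        problems.append(f"issuer mismatch: config={cfg.issuer!r} discovery={discovery.get('issuer')!r}")
    # The provider must offer the algorithm Boundary is told to accept.
    algs = discovery.get("id_token_signing_alg_values_supported", [])
    if cfg.signing_algorithm not in algs:
        problems.append(f"signing algorithm {cfg.signing_algorithm} not offered; provider supports {algs}")
    # Azure AD sets `aud` to the application (client) id, which is what -allowed-audience must hold.
    if cfg.allowed_audience != cfg.client_id:
        problems.append(f"allowed audience {cfg.allowed_audience!r} differs from client id {cfg.client_id!r}")
    # The derived callback must be registered on the app or the authorization request is rejected.
    callback = expected_callback_url(cfg.api_url_prefix)
    if callback not in reply_urls:
        problems.append(f"callback {callback} is not among the registered reply URLs")
    # Plain-HTTP reply URLs expose the authorization code in transit; localhost is the dev exception.
    for url in reply_urls:
        if url.startswith("http://") and not url.startswith("http://localhost"):
            problems.append(f"non-localhost reply URL without TLS: {url}")
    return problems


# Constructed sample discovery document holding the fields the checks read (placeholders,
# not a capture from Azure AD).
SAMPLE_DISCOVERY = {
    "issuer": f"https://login.microsoftonline.com/{TENANT_ID}/v2.0",
    "authorization_endpoint": f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/authorize",
    "token_endpoint": f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/token",
    "jwks_uri": f"https://login.microsoftonline.com/{TENANT_ID}/discovery/v2.0/keys",
    "id_token_signing_alg_values_supported": ["RS256"],
}

# The two reply URLs the gist registers with `az ad app create --reply-urls`.
SAMPLE_REPLY_URLS = ["http://localhost:9200" + CALLBACK_PATH, BOUNDARY_ADDR + CALLBACK_PATH]


def good_config() -> OidcAuthMethodConfig:
    """Settings equivalent to the gist's flags."""
    return OidcAuthMethodConfig(api_url_prefix=BOUNDARY_ADDR, client_id=CLIENT_ID,
                                allowed_audience=CLIENT_ID,
                                issuer=f"https://login.microsoftonline.com/{TENANT_ID}/v2.0")


def bad_config() -> OidcAuthMethodConfig:
    """Two common slips: issuer without /v2.0, and a prefix whose callback was never registered."""
    return OidcAuthMethodConfig(api_url_prefix="https://boundary.example.test",  # port dropped
                                client_id=CLIENT_ID, allowed_audience=CLIENT_ID,
                                issuer=f"https://login.microsoftonline.com/{TENANT_ID}")


if __name__ == "__main__":
    for label, cfg in (("gist settings", good_config()), ("misconfigured", bad_config())):
        found = check_config(cfg, SAMPLE_DISCOVERY, SAMPLE_REPLY_URLS)
        print(f"{label}: {'OK' if not found else str(len(found)) + ' problem(s)'}")
        for p in found:
            print("  -", p)
```

Against the sample data the gist's settings pass cleanly, while the misconfigured variant reports the issuer mismatch and the unregistered callback. To run it against a real tenant, replace `SAMPLE_DISCOVERY` with `fetch_discovery(cfg.issuer)` and feed in the reply URLs from `az ad app list`.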