Security Integration with MS Azure not working #65684

@qb1989

Description

Steps to reproduce the behavior (Required)

Step 0: Create an Azure App Registration

Follow the official Microsoft documentation to create a new Azure App Registration:
https://learn.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app
After registration, note the Application (client) ID, Directory (tenant) ID, and generate a client secret for later use.

Step 1: Configure StarRocks for OAuth2 Authentication with Azure

-- Tenant ID, client ID, client secret and audience are redacted in this report;
-- the empty segments in the URLs below are where the tenant ID belongs.
CREATE SECURITY INTEGRATION azure_oauth2
PROPERTIES (
"type" = "authentication_oauth2",
"auth_server_url" = "https://login.microsoftonline.com//oauth2/v2.0/authorize",
"token_server_url" = "https://login.microsoftonline.com//oauth2/v2.0/token",
"client_id" = "",
"client_secret" = "",
"redirect_url" = "https://my-starrocks-url.com:8030/api/oauth2",
"jwks_url" = "https://login.microsoftonline.com//discovery/v2.0/keys",
"principal_field" = "sub",
"required_issuer" = "https://login.microsoftonline.com//v2.0",
"required_audience" = "",
"comment" = "Azure Entra ID OAuth2 integration"
);

ADMIN SET FRONTEND CONFIG (
"authentication_chain" = "azure_oauth2,native"
);

ADMIN SHOW FRONTEND CONFIG LIKE 'authentication_chain';

Expected behavior (Required)

  • When a user attempts to log in via the StarRocks web UI or API, the system should redirect the user to the Azure OAuth2 login page.
  • After successful authentication with Azure, the user should be redirected back and granted access to StarRocks according to the configured roles and permissions.
  • The authentication process should prioritize the azure_oauth2 security integration as specified in the authentication_chain configuration.
  • Users not present in the native user table but valid in Azure should be able to log in using their Azure credentials.

Real behavior (Required)

  • When attempting to log in, the system does not redirect to the Azure OAuth2 login page.
  • The authentication process only checks native users and does not appear to invoke the azure_oauth2 integration at all.
  • Users with valid Azure credentials are unable to log in unless they also exist as native users.
  • The expected OAuth2 authentication flow is never triggered, and only native authentication is attempted, regardless of the authentication_chain configuration.

StarRocks version (Required)

4.0.0

Labels: type/bug (Something isn't working)