Dex auth issues conflict between local and external when adding Microsoft Auth

[csanadpoda]

Validation Checklist

• I confirm that this is a Kubeflow-related issue.
• I am reporting this in the appropriate repository.
• I have followed the Kubeflow installation guidelines.
• The issue report is detailed and includes version numbers where applicable.
• I have considered adding my company to the adopters page to support Kubeflow and help the community, since I expect help from the community for my issue (see 1. and 2.).
• This issue pertains to Kubeflow development.
• I am available to work on this issue.
• You can join the CNCF Slack and access our meetings at the Kubeflow Community website. Our channel on the CNCF Slack is here #kubeflow-platform.

Version

master

Detailed Description

Following an installation from manifests to a bare metal cluster (managed by RKE2 if that matters - this is NOT AKS!), I'm trying to add Microsoft Auth to Dex in addition to the default Dex email login. I'm following the guide from the docs, however I get an error about issuer mismatch:

time=2025-11-07T14:13:34.813Z level=ERROR msg="connector returned error when creating callback" connector_id=azure err="expected callback URL "http://dex.auth.svc.cluster.local:5556/dex/callback" did not match the URL in the config "https://kubeflow..sslip.io/dex/callback"" request_id=8340c6af-c1d0-4524-baf1-d8818718f3bf

Obviously I cannot add a local URI as a Redirect URI to the Azure App Registration, so I added https://kubeflow.<my-ip>.sslip.io/dex/callback, but all internals are signed as http://dex.auth.svc.cluster.local:5556/dex. Editing the Dex configmap to contain issuer: https://kubeflow.<my-ip>.sslip.io/dex also doesn't work since that then breaks the regular email login.

How do I set Dex up when deploying Kubeflow from the manifests to enable both regular email login (e.g. user@example.com) but also Azure AD/Microsoft login via Dex?

Steps to Reproduce

1. Install Kubeflow via manifests
2. Create an Azure App registration
3. Add Azure OIDC login as described in the README
4. Try to log in via Azure

Screenshots or Videos (Optional)

No response

[juliusvonkohout]

To me it is not clear what you are exactly doing, but when I wrote the documentation and tested it, i just used the example that i provide in the documentation and filled in the variables.

[csanadpoda]

To me it is not clear what you are exactly doing, but when I wrote the documentation and tested it, i just used the example that i provide in the documentation and filled in the variables.

That is exactly what I did, what would you need to identify the issue?

[juliusvonkohout]

To me it is not clear what you are exactly doing, but when I wrote the documentation and tested it, i just used the example that i provide in the documentation and filled in the variables.

That is exactly what I did, what would you need to identify the issue?

Time, I usually offer such debugging as paid commercial consulting, except for people who contribute a lot. So please expect significant delays.

[csanadpoda]

To me it is not clear what you are exactly doing, but when I wrote the documentation and tested it, i just used the example that i provide in the documentation and filled in the variables.

That is exactly what I did, what would you need to identify the issue?

Time, I usually offer such debugging as paid commercial consulting, except for people who contribute a lot. So please expect significant delays.

That's okay, thank you. Something that doesn't make sense to me is how this could even work in the first place, since in common/dex/overlays/oauth2-proxy/config-map.yaml the value is issuer: http://dex.auth.svc.cluster.local:5556/dex which is a local http issuer and Azure requires a public http**s** issuer, but if you replace that with - in my case - https://kubeflow.<my-ip>.sslip.io/dex then the regular Dex auth won't work since all other components rely on the issuer to be http://dex.auth.svc.cluster.local:5556/dex and then that breaks. So either I do:

apiVersion: v1
data:
  config.yaml: |
    issuer: http://dex.auth.svc.cluster.local:5556/dex
   ...
    - type: oidc
      id: azure
      name: azure
      config:
        issuer: https://login.microsoftonline.com/$TENANT_ID/v2.0
        redirectURI: https://kubeflow.51.124.97.222.sslip.io/dex/callback
        clientID: $AZURE_CLIENT_ID
        clientSecret: $AZURE_CLIENT_SECRET
        insecureSkipEmailVerified: true
        scopes:
        - openid
        - profile
        - email

And then default Dex email login works but Azure login doesn't (expected callback URL "[http://dex.auth.svc.cluster.local:5556/dex/callback"](http://dex.auth.svc.cluster.local:5556/dex/callback/%22) did not match the URL in the config "[https://kubeflow..sslip.io/dex/callback"](https://kubeflow.%3Cmy-ip%3E.sslip.io/dex/callback/%22%22)) or

apiVersion: v1
data:
  config.yaml: |
    issuer: https://kubeflow.51.124.97.222.sslip.io/dex
   ...
    - type: oidc
      id: azure
      name: azure
      config:
        issuer: https://login.microsoftonline.com/$TENANT_ID/v2.0
        redirectURI: https://kubeflow.51.124.97.222.sslip.io/dex/callback
        clientID: $AZURE_CLIENT_ID
        clientSecret: $AZURE_CLIENT_SECRET
        insecureSkipEmailVerified: true
        scopes:
        - openid
        - profile
        - email

and then Azure login works and default Dex email login doesn't (500 Internal Server Error on the UI).

[juliusvonkohout]

Then please check on ths slack channel whether someone can help you and fix this in a PR. I am currently busy with the 1.11 release.

[github-actions]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.