rename provider to entra-id

oauth2-proxy · Jun 11, 2024 · 21e69b5 · 21e69b5
1 parent 1d23418
commit 21e69b5
Show file tree

Hide file tree

Showing 5 changed files with 20 additions and 20 deletions.
diff --git a/docs/docs/configuration/providers/ms_entra_id.md b/docs/docs/configuration/providers/ms_entra_id.md
@@ -149,8 +149,8 @@ Admin consent is required after creation by Terraform
 
 ## Configure provider
 The provider is OIDC-compliant, so all the OIDC parameters are honored. Additional provider-specific configuration parameters are:
-* `ms-entra-id-skip-groups-from-graph` - never read groups from Graph API, even when the ID token indicates that there's a group overage. Set if you expect group overage in some cases, but still don't want to assign wide `GroupMember.Read.All`. Defaults to `false`. If you don't need groups, consider skipping the `groups` claim in the app registration.
-* `ms-entra-id-multi-tenant-allowed-tenant` - specify a list of allowed tenants to be authenticated through multi-tenant app. When not set, all tenants are allowed. Defaults to `[]` (all tenants).
+* `entra-id-skip-groups-from-graph` - never read groups from Graph API, even when the ID token indicates that there's a group overage. Set if you expect group overage in some cases, but still don't want to assign wide `GroupMember.Read.All`. Defaults to `false`. If you don't need groups, consider skipping the `groups` claim in the app registration.
+* `entra-id-allowed-tenant` - specify a list of allowed tenants to be authenticated through multi-tenant app. When not set, all tenants are allowed. Defaults to `[]` (all tenants). Doesn't have effect when using single-tenant app.
 
 ### Scope
 For Azure-only apps (multi-tenant and single-tenant), the only required OAuth scope is `openid`:
@@ -166,7 +166,7 @@ It's recommended to configure the scopes explicitly, otherwise, you may experien
 ### Single-tenant
 Simple single-tenant configuration:
 ```shell
-- --provider=ms-entra-id
+- --provider=entra-id
 - --oidc-issuer-url=https://login.microsoftonline.com/{tenantId}/v2.0
 - --client-id=<valid-client-id>
 - --client-secret=<valid-client-secret>
@@ -176,7 +176,7 @@ Simple single-tenant configuration:
 ### Multi-tenant
 Multi-tenant apps require you to disable OIDC issuer verification, as `issuer` field in the [discovery document](https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration) is a template, not an exact value:
 ```shell
-- --provider=ms-entra-id
+- --provider=entra-id
 - --oidc-issuer-url=https://login.microsoftonline.com/common/v2.0
 - --client-id=<valid-client-id>
 - --client-secret=<valid-client-secret>
@@ -186,12 +186,12 @@ Multi-tenant apps require you to disable OIDC issuer verification, as `issuer` f
 
 The configuration above insecurely allows all tenants. To allow specific tenants, use the configuration below as an example:
 ```shell
-- --provider=ms-entra-id
+- --provider=entra-id
 - --oidc-issuer-url=https://login.microsoftonline.com/common/v2.0
 - --client-id=<valid-client-id>
 - --client-secret=<valid-client-secret>
-- --ms-entra-id-multi-tenant-allowed-tenant=66209a4a-80f3-4602-8126-2193115722f8
-- --ms-entra-id-multi-tenant-allowed-tenant=a47d1522-8e8c-4546-a2c8-d6590ea9d6f3
+- --entra-id-allowed-tenant=66209a4a-80f3-4602-8126-2193115722f8
+- --entra-id-allowed-tenant=a47d1522-8e8c-4546-a2c8-d6590ea9d6f3
 - --insecure-oidc-skip-issuer-verification
 - --scope=openid profile email
 ```
diff --git a/pkg/apis/options/legacy_options.go b/pkg/apis/options/legacy_options.go
@@ -488,8 +488,8 @@ type LegacyProvider struct {
 	KeycloakGroups                         []string `flag:"keycloak-group" cfg:"keycloak_groups"`
 	AzureTenant                            string   `flag:"azure-tenant" cfg:"azure_tenant"`
 	AzureGraphGroupField                   string   `flag:"azure-graph-group-field" cfg:"azure_graph_group_field"`
-	MSEntraIDSkipGroupsFromGraph           bool     `flag:"ms-entra-id-skip-groups-from-graph" cfg:"ms_entra_id_skip_groups_from_graph"`
-	MSEntraIDMultiTenantAllowedTenants     []string `flag:"ms-entra-id-multi-tenant-allowed-tenant" cfg:"ms_entra_id_multi_tenant_allowed_tenants"`
+	EntraIDSkipGroupsFromGraph             bool     `flag:"entra-id-skip-groups-from-graph" cfg:"entra_id_skip_groups_from_graph"`
+	EntraIDAllowedTenants                  []string `flag:"entra-id-allowed-tenant" cfg:"entra_id_allowed_tenants"`
 	BitbucketTeam                          string   `flag:"bitbucket-team" cfg:"bitbucket_team"`
 	BitbucketRepository                    string   `flag:"bitbucket-repository" cfg:"bitbucket_repository"`
 	GitHubOrg                              string   `flag:"github-org" cfg:"github_org"`
@@ -552,8 +552,8 @@ func legacyProviderFlagSet() *pflag.FlagSet {
 	flagSet.StringSlice("keycloak-group", []string{}, "restrict logins to members of these groups (may be given multiple times)")
 	flagSet.String("azure-tenant", "common", "go to a tenant-specific or common (tenant-independent) endpoint.")
 	flagSet.String("azure-graph-group-field", "", "configures the group field to be used when building the groups list(`id` or `displayName`. Default is `id`) from Microsoft Graph(available only for v2.0 oidc url). Based on this value, the `allowed-group` config values should be adjusted accordingly. If using `id` as group field, `allowed-group` should contains groups IDs, if using `displayName` as group field, `allowed-group` should contains groups name")
-	flagSet.Bool("ms-entra-id-skip-groups-from-graph", false, "when set, MS Entra ID provider doesn' try to read groups from microsoft graph even in case of group overage")
-	flagSet.StringSlice("ms-entra-id-multi-tenant-allowed-tenant", []string{}, "list of tenants allowed for MS Entra ID multi-tenant application")
+	flagSet.Bool("entra-id-skip-groups-from-graph", false, "when set, MS Entra ID provider doesn' try to read groups from microsoft graph even in case of group overage")
+	flagSet.StringSlice("entra-id-allowed-tenant", []string{}, "list of tenants allowed for MS Entra ID multi-tenant application")
 	flagSet.String("bitbucket-team", "", "restrict logins to members of this team")
 	flagSet.String("bitbucket-repository", "", "restrict logins to user with access to this repository")
 	flagSet.String("github-org", "", "restrict logins to members of this organisation")
@@ -712,8 +712,8 @@ func (l *LegacyProvider) convert() (Providers, error) {
 	}
 
 	provider.MicrosoftEntraIDConfig = MicrosoftEntraIDOptions{
-		DisableGroupsFromGraph:    l.MSEntraIDSkipGroupsFromGraph,
-		MultiTenantAllowedTenants: l.MSEntraIDMultiTenantAllowedTenants,
+		DisableGroupsFromGraph: l.EntraIDSkipGroupsFromGraph,
+		AllowedMultiTenants:    l.EntraIDAllowedTenants,
 	}
 
 	switch provider.Type {

diff --git a/pkg/apis/options/providers.go b/pkg/apis/options/providers.go
@@ -30,7 +30,7 @@ type Provider struct {
 	KeycloakConfig KeycloakOptions `json:"keycloakConfig,omitempty"`
 	// AzureConfig holds all configurations for Azure provider.
 	AzureConfig AzureOptions `json:"azureConfig,omitempty"`
-	// AzureConfig holds all configurations for Azure provider.
+	// MicrosoftEntraIDConfig holds all configurations for Entra ID provider.
 	MicrosoftEntraIDConfig MicrosoftEntraIDOptions `json:"microsoftEntraIDConfig,omitempty"`
 	// ADFSConfig holds all configurations for ADFS provider.
 	ADFSConfig ADFSOptions `json:"ADFSConfig,omitempty"`
@@ -103,8 +103,8 @@ const (
 	// AzureProvider is the provider type for Azure
 	AzureProvider ProviderType = "azure"
 
-	// AzureProvider is the provider type for Azure Entra OIDC
-	MicrosoftEntraIDProvider ProviderType = "ms-entra-id"
+	// MicrosoftEntraIDProvider is the provider type for Entra OIDC
+	MicrosoftEntraIDProvider ProviderType = "entra-id"
 
 	// BitbucketProvider is the provider type for Bitbucket
 	BitbucketProvider ProviderType = "bitbucket"
@@ -161,8 +161,8 @@ type AzureOptions struct {
 }
 
 type MicrosoftEntraIDOptions struct {
-	DisableGroupsFromGraph    bool     `json:"disableGroupsFromGraph,omitempty"`
-	MultiTenantAllowedTenants []string `json:"multiTenantAllowedTenants,omitempty"`
+	DisableGroupsFromGraph bool     `json:"disableGroupsFromGraph,omitempty"`
+	AllowedMultiTenants    []string `json:"allowedMultiTenants,omitempty"`
 }
 
 type ADFSOptions struct {

diff --git a/providers/ms_entra_id.go b/providers/ms_entra_id.go
@@ -46,7 +46,7 @@ func NewMicrosoftEntraIDProvider(p *ProviderData, opts options.Provider) *Micros
 		OIDCProvider: NewOIDCProvider(p, opts.OIDCConfig),
 
 		skipGraphGroups:           opts.MicrosoftEntraIDConfig.DisableGroupsFromGraph,
-		multiTenantAllowedTenants: opts.MicrosoftEntraIDConfig.MultiTenantAllowedTenants,
+		multiTenantAllowedTenants: opts.MicrosoftEntraIDConfig.AllowedMultiTenants,
 		isMultiTenant:             strings.Contains(opts.OIDCConfig.IssuerURL, "common"),
 		microsoftGraphURL:         microsoftGraphURL,
 	}

diff --git a/providers/ms_entra_id_test.go b/providers/ms_entra_id_test.go
@@ -137,7 +137,7 @@ func TestAzureEntraOIDCProviderValidateSessionAllowedTenants(t *testing.T) {
 				InsecureSkipNonce:              true,
 			},
 			MicrosoftEntraIDConfig: options.MicrosoftEntraIDOptions{
-				MultiTenantAllowedTenants: []string{"85d7d600-7804-4d92-8d43-9c33c21c130c"},
+				AllowedMultiTenants: []string{"85d7d600-7804-4d92-8d43-9c33c21c130c"},
 			},
 		},
 	)