This will not be changed for the current Azure AD implementation as it is going to be deprecated. This issue has been addressed in #2390 and will soon be merged and released.
OAuth2-Proxy Version
7.6.0
Provider
azure
Expected Behaviour
The documentation should recommend the DELEGATED permission GroupMember.Read.All which will allow the application to read the group membership of only the user currently signing in. This grants access to much less data: "Allows the app to list groups, read basic group properties and read membership of all groups the signed-in user has access to." We tested this internally and confirmed that the permission allows oauth2-proxy to verify group memberships.
Current Behaviour
The documentation recommends the application permission Group.Read.All which grants access to a lot more data than necessary: "Allows the app to read group properties and memberships, and read conversations for all groups, without a signed-in user." My understanding is it also grants access to all files and calendars in those groups as well (see: https://learn.microsoft.com/en-us/graph/permissions-reference#groupreadall).
Steps To Reproduce
The documentation is Step 3 on https://oauth2-proxy.github.io/oauth2-proxy/configuration/providers/azure
Possible Solutions
No response
Configuration details or additional information
No response
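A practical way to check which of the two permissions an oauth2-proxy deployment actually ended up with is to inspect the access token Azure AD issues: delegated scopes arrive space-separated in the `scp` claim, while application permissions arrive as a list in the `roles` claim. The Go program below is an added example written for this issue, not code from the oauth2-proxy project; it decodes a token's payload without verifying the signature (suitable only for reviewing a configuration, never for authenticating a request) and reports whether the token carries the delegated `GroupMember.Read.All` scope the issue asks for or the broad application permission `Group.Read.All`. The two tokens it inspects are constructed inline with an empty signature so the example runs offline; the claim names are the Microsoft identity platform's, the function names are this example's own.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// graphClaims is the subset of an Azure AD access token payload that matters
// here: "scp" holds delegated scopes (space-separated), "roles" holds
// application permissions granted to the app registration itself.
type graphClaims struct {
	Scp   string   `json:"scp"`
	Roles []string `json:"roles"`
}

// PermissionReport summarises which group-reading permissions a token carries.
type PermissionReport struct {
	DelegatedGroupMember bool // GroupMember.Read.All present in scp (least privilege)
	AppGroupReadAll      bool // Group.Read.All present in roles (broad, app-only)
	Overprivileged       bool // true when the app-only Group.Read.All is granted
}

// decodePayload extracts the JWT payload WITHOUT verifying the signature.
// It exists purely to inspect what a token grants during a configuration
// review; it must never be used to accept a token as authentic.
func decodePayload(token string) (graphClaims, error) {
	var c graphClaims
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return c, fmt.Errorf("not a compact JWS: expected 3 segments, got %d", len(parts))
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return c, fmt.Errorf("payload is not base64url: %w", err)
	}
	if err := json.Unmarshal(raw, &c); err != nil {
		return c, fmt.Errorf("payload is not JSON: %w", err)
	}
	return c, nil
}

// CheckGroupPermissions classifies the group permissions carried by a token.
func CheckGroupPermissions(token string) (PermissionReport, error) {
	c, err := decodePayload(token)
	if err != nil {
		return PermissionReport{}, err
	}
	var r PermissionReport
	for _, s := range strings.Fields(c.Scp) {
		if s == "GroupMember.Read.All" {
			r.DelegatedGroupMember = true
		}
	}
	for _, role := range c.Roles {
		if role == "Group.Read.All" {
			r.AppGroupReadAll = true
		}
	}
	r.Overprivileged = r.AppGroupReadAll
	return r, nil
}

// MakeUnsignedToken builds a token with the given payload and an empty
// signature segment. This is constructed sample data so the example runs
// offline; no real verifier would accept such a token.
func MakeUnsignedToken(payload map[string]interface{}) string {
	header := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"none","typ":"JWT"}`))
	body, _ := json.Marshal(payload)
	return header + "." + base64.RawURLEncoding.EncodeToString(body) + "."
}

func main() {
	// Constructed token for the delegated permission the issue recommends.
	delegated := MakeUnsignedToken(map[string]interface{}{
		"scp": "openid profile GroupMember.Read.All",
	})
	// Constructed token for the application permission the docs currently recommend.
	appOnly := MakeUnsignedToken(map[string]interface{}{
		"roles": []string{"Group.Read.All"},
	})
	for name, tok := range map[string]string{"delegated": delegated, "app-only": appOnly} {
		r, err := CheckGroupPermissions(tok)
		if err != nil {
			fmt.Println(name, "error:", err)
			continue
		}
		fmt.Printf("%-9s delegated GroupMember.Read.All=%v app Group.Read.All=%v overprivileged=%v\n",
			name, r.DelegatedGroupMember, r.AppGroupReadAll, r.Overprivileged)
	}
}
```

To use this against a real deployment, paste the access token oauth2-proxy obtained (for example from a debug log) into `CheckGroupPermissions`; a report with `Overprivileged` set means the app registration still holds the application-level `Group.Read.All` and should be trimmed to the delegated `GroupMember.Read.All` described in the issue.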