Azure Provider will now query for groups#1514
Azure Provider will now query for groups#1514tschechniker wants to merge 4 commits intooauth2-proxy:masterfrom
Conversation
JoelSpeed
left a comment
JoelSpeed
left a comment
There was a problem hiding this comment.
Would be keen to see if anyone who knows Azure a bit better has any input on this, eg @pierluigilenoci perhaps
| // Default Groipe URL for Azure. | ||
| // Pre-parsed URL of https://graph.microsoft.com/v1.0/me. | ||
| azureDefaultGroupURL = &url.URL{ | ||
| Scheme: "https", | ||
| Host: "graph.microsoft.com", | ||
| Path: "/v1.0/me/transitiveMemberOf/microsoft.graph.group", | ||
| } |
There was a problem hiding this comment.
Is any configuration of the Azure application required to enable this to work or should it work with default configurations (is this likely to be a breaking change for anyone)
There was a problem hiding this comment.
This Path is also odd. You should probably just be calling /me here.
I'm pretty sure you'll need at least one of the permissions here: https://docs.microsoft.com/en-us/graph/permissions-reference#application-permissions-19
| ProfileURL *url.URL | ||
| ProtectedResource *url.URL | ||
| ValidateURL *url.URL | ||
| GroupURL *url.URL |
There was a problem hiding this comment.
This isn't a common pattern for other providers, most of the time the groups should be included within the profile or ID tokens returned, do we really want to add this for all providers?
|
@JoelSpeed unfortunately Azure Provider has a lot of problems but I am on the side of those who suffer from it. |
|
I use Azure frequently. I can provide some thoughts on this. |
| var groups []string | ||
| for url != "" { | ||
| logger.Printf("Calling Group API: %s", url) | ||
| json, err := requests.New(url). |
There was a problem hiding this comment.
What scopes did you test this with? Calling the graph API requires a graph scoped access token unless I'm wrong.
This would mean you used the scope https://graph.microsoft.com/.default which would generate a token with the graph audience which isn't necessarily correct for upstream applications.
| for _, doc := range json.Get("value").MustArray() { | ||
| for k, v := range doc.(map[string]interface{}) { | ||
| if k == "displayName" { | ||
| groups = append(groups, v.(string)) |
There was a problem hiding this comment.
This will panic if v is nil with
http: panic serving [::1]:58156: interface conversion: interface {} is nil, not string
| azureDefaultGroupURL = &url.URL{ | ||
| Scheme: "https", | ||
| Host: "graph.microsoft.com", | ||
| Path: "/v1.0/me/transitiveMemberOf/microsoft.graph.group", |
There was a problem hiding this comment.
This path requires high privileges like Directory.Read.All otherwise it won't work(e.g. will retrieve nil as value for displayName key).
One approach that might not need extended permissions could be to use /v1.0/me/getMemberGroups instead, but in this case there are no trivial ways to find if a group is part of another group. Authentication might fail in this case when it shouldn't(e.g. a user will be denied even if he is part of a group that is part of the group configured in the oauth2-proxy allowed-group list).
There was a problem hiding this comment.
Even /v1.0/me/getMemberGroups requires Directory.Read.All permissions based on my testing 😞
There was a problem hiding this comment.
Why not using id instead of displayName(in getGroupsFromJSON method) when checking if a user is part of group or not? In this way we don't need elevated permissions anymore.
Or put the groups field selection(id or displayName) behind a config flag and let users choose which one fits best for their needs.
|
This pull request has been inactive for 60 days. If the pull request is still relevant please comment to re-activate the pull request. If no action is taken within 7 days, the pull request will be marked closed. |
|
This is still an issue |
|
This pull request has been inactive for 60 days. If the pull request is still relevant please comment to re-activate the pull request. If no action is taken within 7 days, the pull request will be marked closed. |
|
This is still an issue |
|
@tschechniker could you take a look? |
|
This pull request has been inactive for 60 days. If the pull request is still relevant please comment to re-activate the pull request. If no action is taken within 7 days, the pull request will be marked closed. |
|
@tschechniker could you please fix the PR? |
|
This pull request has been inactive for 60 days. If the pull request is still relevant please comment to re-activate the pull request. If no action is taken within 7 days, the pull request will be marked closed. |
|
This is still an issue. |
|
@adriananeci your PR solve also this? |
|
@JoelSpeed could you please reopen this? |
|
@tschechniker could you try if the latest version of the proxy works for your problem? |
|
This should be resolved in the latest update, please advise otherwise in the related issue if that's not the case |
|
Hello, The Anyway if we use Azure OAuth v1.0 with OAuth2 Proxy in a version greater or equal to the 7.2.1, the groups are not retrieved at all. So we are still using OAuth2 Proxy 7.2.0 at the moment. |
7 participants
Description
The Azure Provider did not query for groups. I added the azure graph api call to resolve the groups of the logged in user
Motivation and Context
How Has This Been Tested?
Tested with Azure environment.
Checklist: