Adding yet another URL to the list of URLs that needs to be set requires strong justification IMO. Does Azure not provide a specific profile URL in the V2 version which allows you to fetch the groups and other information? Can you link to documentation that shows you must use a separate call to access group information

@JoelSpeed the GroupURL has a default value pointing to Microsoft Graph, so it is not mandatory to be explicitly set.

To ensure that the token size doesn't exceed HTTP header size limits, Azure AD limits the number of object IDs that it includes in the groups claim.

If a user is member of more groups than the overage limit (200 for JWT tokens), then Azure AD does not emit the groups claim in the token. Instead, it includes an overage claim in the token that indicates to the application to query the Microsoft Graph API to retrieve the user's group membership. See https://docs.microsoft.com/en-us/azure/active-directory/develop/id-tokens#groups-overage-claim for more details

If a user is member of more groups than the overage limit (200 for JWT tokens), then Azure AD does not emit the groups claim in the token. Instead, it includes an overage claim in the token that indicates to the application to query the Microsoft Graph API to retrieve the user's group membership. See https://docs.microsoft.com/en-us/azure/active-directory/develop/id-tokens#groups-overage-claim for more details

Yikes! If a user is a member of more that 200 groups, do we really want to be storing that much data in our session anyway? Seems like we will have incredible session bloat

Yikes! If a user is a member of more that 200 groups, do we really want to be storing that much data in our session anyway? Seems like we will have incredible session bloat

Unfortunately many users using our apps fronted by an auth proxy were hitting this limitation 😞 . The workaround was to suggest them unsubscribing to some groups until they get to a reasonable number.

@JoelSpeed @braunsonm I think this PR is ready for a last round of reviews. I've tested it with both V1(https://sts.windows.net/{tenant-id}/) and V2(https://login.microsoftonline.com/{tenant-id}/v2.0) Azure Auth endpoints.

The only still non working thing is the --resource flag. It is currently broken in the latest version(v7.2.1) based on #1505 and I think it should be addressed in a followup PR since changes on this PR has nothing to do with this problem.

Looking forward for your feedback.

@adriananeci wouldn't #1505 be solved by using the graph token that you're generating here? Not sure if you looked into the issue anymore but seems like it should be fixed or nearly fixed by this change.

@adriananeci wouldn't #1505 be solved by using the graph token that you're generating here? Not sure if you looked into the issue anymore but seems like it should be fixed or nearly fixed by this change.

I've already tried it, but it was failing while fetching the email address from oidc userinfo endpoint. :(

Error redeeming code during OAuth2 callback: unable to get claims from token: could not get claim "email": failed to fetch claims from profile URL: error making request to profile URL: unexpected status "400": {"error":{"code":"UnknownError","message":"Token must contain sub claim."

@adriananeci wouldn't #1505 be solved by using the graph token that you're generating here? Not sure if you looked into the issue anymore but seems like it should be fixed or nearly fixed by this change.

I've already tried it, but it was failing while fetching the email address from oidc userinfo endpoint. :(

Error redeeming code during OAuth2 callback: unable to get claims from token: could not get claim "email": failed to fetch claims from profile URL: error making request to profile URL: unexpected status "400": {"error":{"code":"UnknownError","message":"Token must contain sub claim."

Aha! I'm pretty sure this is similar to what I mentioned in our other discussion about the email. I've seen that. Did you add the profile and openid scopes and the optional email claim in the token settings? Just curious if you were able to get the email to appear in the userinfo endpoint because that does sound like a problem with this kind of client credentials flow?

@braunsonm yup, all scopes were added during token acquisition:

result, err = app.AcquireTokenByCredential(ctx, []string{"openid", "email", "profile", azureGraphURL.String()})

Just curious if you were able to get the email to appear in the userinfo endpoint

I wasn't able to access the userinfo endpoint due to

Error redeeming code during OAuth2 callback: unable to get claims from token: could not get claim "email": failed to fetch claims from profile URL: error making request to profile URL: unexpected status "400": {"error":{"code":"UnknownError","message":"Token must contain sub claim."

I've checked the token claims and the sub claim was present, so something strange might be happening.

Can this be due to https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-on-behalf-of-flow#client-limitations ?

Can this be due to https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-on-behalf-of-flow#client-limitations ?

No, oauth2-proxy doesn't use the implicit flow

Thank you @adriananeci for your effort! 🚀

@adriananeci any update?

@adriananeci any update?

I don't have any updates, I'm looking forward for any feedback from the maintainers or other interested parties. Not sure what or how to proceed further.

CI is failing most probably because slices.Contains statement is part of go 1.18 and CI runs using go 1.17. It is failing with:

GO111MODULE=on golangci-lint run
Error: level=warning msg="[runner] Can't run linter goanalysis_metalinter: bodyclose: failed prerequisites: [[email protected]/oauth2-proxy/oauth2-proxy/v7 [github.com/oauth2-proxy/oauth2-proxy/v7.test]: analysis skipped: errors in package: [/home/runner/work/oauth2-proxy/oauth2-proxy/oauthproxy.go:35:2: could not import github.com/oauth2-proxy/oauth2-proxy/v7/pkg/middleware (/home/runner/work/oauth2-proxy/oauth2-proxy/pkg/middleware/stored_session.go:14:2: could not import github.com/oauth2-proxy/oauth2-proxy/v7/providers (/home/runner/work/oauth2-proxy/oauth2-proxy/providers/azure.go:12:2: could not import golang.org/x/exp/slices (/home/runner/go/pkg/mod/golang.org/x/[email protected][8](https://github.com/oauth2-proxy/oauth2-proxy/runs/6883863248?check_suite_focus=true#step:6:9)1184e0d/slices/slices.go:22:11: expected '(', found '['))) /home/runner/work/oauth2-proxy/oauth2-proxy/oauthproxy.go:39:2: could not import github.com/oauth2-proxy/oauth2-proxy/v7/providers (/home/runner/work/oauth2-proxy/oauth2-proxy/providers/azure.go:12:2: could not import golang.org/x/exp/slices (/home/runner/go/pkg/mod/golang.org/x/[email protected]/slices/slices.go:22:11: expected '(', found '[')) /home/runner/work/oauth2-proxy/oauth2-proxy/oauthproxy_test.go:787:15: testProvider.AllowedGroups undefined (type *TestProvider has no field or method AllowedGroups) /home/runner/work/oauth2-proxy/oauth2-proxy/oauthproxy_test.go:789:16: testProvider.AllowedGroups undefined (type *TestProvider has no field or method AllowedGroups)]]"

and

 > [linux/amd64->arm64 builder 6/6] RUN case linux/arm64 in          "linux/amd64")  GOARCH=amd64  ;;          "linux/arm64" | "linux/arm64/v8")  GOARCH=arm64  ;;          "linux/ppc64le")  GOARCH=ppc64le  ;;          "linux/arm/v6") GOARCH=arm GOARM=6  ;;     esac &&     printf "Building OAuth2 Proxy for arch ${GOARCH}\n" &&     GOARCH=${GOARCH} VERSION=ebed74a make build && touch jwt_signing_key.pem:
#0 0.197 CGO_ENABLED=0 go build -a -installsuffix cgo -ldflags="-X main.VERSION=ebed74a" -o oauth2-proxy github.com/oauth2-proxy/oauth2-proxy/v7
#0 3.951 # golang.org/x/exp/constraints
#0 3.951 /go/pkg/mod/golang.org/x/[email protected]/constraints/constraints.go:13:2: syntax error: unexpected ~, expecting method or interface name
#0 3.951 /go/pkg/mod/golang.org/x/[email protected]/constraints/constraints.go:20:2: syntax error: unexpected ~, expecting method or interface name
#0 3.951 /go/pkg/mod/golang.org/x/[email protected]/constraints/constraints.go:27:9: syntax error: unexpected |, expecting semicolon or newline or }
#0 3.951 /go/pkg/mod/golang.org/x/[email protected]/constraints/constraints.go:34:2: syntax error: unexpected ~, expecting method or interface name
#0 3.951 /go/pkg/mod/golang.org/x/[email protected]/constraints/constraints.go:41:2: syntax error: unexpected ~, expecting method or interface name
#0 3.951 /go/pkg/mod/golang.org/x/[email protected]/constraints/constraints.go:49:10: syntax error: unexpected |, expecting semicolon or newline or }
#0 3.951 note: module requires Go 1.18
#26 130.2 make: *** [Makefile:40: oauth2-proxy] Error 2

@JoelSpeed mind taking a look at github ci workflow please? I suspect it needs to be updated to go 1.18 to be in sync with go.mod

I've updated CI workflow and builder base image from Dockerfile to go 1.18 too

@JoelSpeed @braunsonm kindly reminder

@JoelSpeed @aiciobanu @Niksko could you please take a look?

@JoelSpeed @braunsonm and @weinong can you review this PR?

@adriananeci could you please fix the conflicts?

could we get it into upstream? This is a very important feature for those using OAuth with AAD

@JoelSpeed please help this PR move forward! 🙏🏻 ❤️ 🥺 💝

@JoelSpeed please help this PR move forward! 🙏🏻 ❤️ 🥺 💝

Can we get an update on this? We are waiting to roll out a project that will require this. We need to know if this is coming or if we need to look for another project to replace this one. Any update on an estimated timeline of when this will be merged is more than enough.

Thanks for the time you put into this project!

Thank you @adriananeci for your effort!
@JoelSpeed could you please take a look?

@JoelSpeed thank you a lot for your review! ❤️
@adriananeci could you please follow up on that? 🚀 🙏🏻
I have a feeling that we are close! 😄

Thanks @adriananeci and @JoelSpeed, I am happy to see this effort come to an end! 🚀

Please add a changelog entry and I'll get this merged. We should probably include an important note about the changes here and what it means for azure users

Updated the changelog with changes and important notes.

How do I build a new package with tis included to use now until the next release is created?

I'm having a really hard time using Azure v2. Does anyone have some examples on how to use groups with azure v2 and how to use a query string in NGINX to set allowed_groups with auth_request?

I was getting the following warning: WARNING: 'groups' scope is not an accepted scope when using Azure OAuth V2 endpoint. Removing it from the scope list From what I can tell, there is nothing implemented to restrict access with groups on the main oauth2/auth login page. This isn't really an issue for us and in fact helps out a bit. Our plan is to set the enterprise app to a very large set of users (probably all users) and then use the allowed_groups querystring in NGINX to protect the individual webapps. Here is my config:

oauth environment variables (running a container with podman) https://oauth2-proxy.github.io/oauth2-proxy/docs/configuration/overview#environment-variables

OAUTH2_PROXY_EMAIL_DOMAINS=example.com
OAUTH2_PROXY_PROVIDER=azure
OAUTH2_PROXY_CLIENT_ID=xxx
OAUTH2_PROXY_CLIENT_SECRET=xxx
OAUTH2_PROXY_AZURE_TRNANT=xxx
OAUTH2_PROXY_OIDC_ISSUER_URL=https://login.microsoftonline.com/xxx/v2.0
OAUTH2_PROXY_COOKIE_SECRET=xxx
OAUTH2_PROXY_COOKIE_SECURE=true
OAUTH2_PROXY_REVERSE_PROXY=true
OAUTH2_PROXY_UPSTREAM=https://xxx
OAUTH2_PROXY_HTTP_ADDRESS=0.0.0.0:4180
OAUTH2_PROXY_WHITELIST_DOMAINS=xxx
OAUTH2_PROXY_REDIS_CONNECTION_URL=redis://redis:6379
OAUTH2_PROXY_REDIS_PASSWORD=xxx
OAUTH2_PROXY_SESSION_STORE_TYPE=redis

Save the above to oauth2_proxy.cfg and when you start the container use --env-file /path/to/oauth2_proxy.cfg
If you want user/group info in the headers you can add OAUTH2_PROXY_SET_XAUTHREQUEST=true but you may run in to issues with large headers unless you comment the lines in the NGINX config to set the group headers.

NGINX config
Config for the querystring goes in /oauth2/auth location block. https://oauth2-proxy.github.io/oauth2-proxy/docs/configuration/overview#configuring-for-use-with-the-nginx-auth_request-directive

    location = /oauth2/auth {
        proxy_pass       http://xxx:4180/oauth2/auth?allowed_groups=xxx;
        proxy_set_header Host             $host;
        proxy_set_header X-Real-IP        $remote_addr;
        proxy_set_header X-Scheme         $scheme;
        proxy_set_header Content-Length   "";
        proxy_pass_request_body           off;
    }

To use the oauth2 signout endpoint I added the following location. If you don't you will get a browser error too many redirects. This can either be to the webapp's built in sign out URL or just the home page of the webapp. https://oauth2-proxy.github.io/oauth2-proxy/docs/features/endpoints#sign-out

    location = /oauth2/sign_out {
        proxy_pass       http://xxx:4180/oauth2/sign_out?rd=https%3A%2F%2Fxxx;
        proxy_set_header Host             $host;
        proxy_set_header X-Real-IP        $remote_addr;
        proxy_set_header X-Scheme         $scheme;
        proxy_set_header Content-Length   "";
        proxy_pass_request_body           off;
    }

To add the email or username to the headers in the browser you can add add_header X-User $user; and add_header X-Email $email; in the / location block.
If you don't want group headers comment the following lines in the / location block.

        auth_request_set $groups   $upstream_http_x_auth_request_groups;
        add_header X-debug-message $groups;

With the config above we are able to protect more than one site with a single instance of oauth2-proxy.