Add new azure flag to obtain groups from the oidc ticket #2531
base: master
c4c13ff to ce52091
It is possible in Azure to configure an optional claim such as groups. In this case there is no need to make a request to the Microsoft Graph API to obtain groups. Instead Azure will send the configured groups as a part of the OIDC ticket directly. This is useful when it is not possible to obtain GroupMember.Read.All permissions for the application. Here we provide a new flag `azure-groups-in-ticket`, which does exactly this. When the flag is set the request to the Graph API is not done and instead the groups are taken from the session directly.
ce52091 to 5eddf25
Hello, any comment here?
Hello, any comment here?
This pull request has been inactive for 60 days. If the pull request is still relevant please comment to re-activate the pull request. If no action is taken within 7 days, the pull request will be marked closed.
This pull request has been inactive for 60 days. If the pull request is still relevant please comment to re-activate the pull request. If no action is taken within 7 days, the pull request will be marked closed.
Hello, is there any news here?
Description
It is possible in Azure to configure an optional claim such as groups. In this case there is no need to make a request to the Microsoft Graph API to obtain groups. Instead Azure will send the configured groups as a part of the OIDC ticket directly. This is useful when it is not possible to obtain GroupMember.Read.All permissions for the application, for example for a large org where additional permissions are not desirable.
Here we provide a new flag `--azure-groups-in-ticket`, which does exactly this. When the flag is set the request to the Graph API is not done and instead the groups are taken from the session directly.
Motivation and Context
In a large org it is not always possible to obtain admin consent for the GroupMember.Read.All Entra ID API permission.
However, there is already a possibility to get the groups in the Azure OIDC ticket without any additional API permissions.
How Has This Been Tested?
It is tested locally with a test Entra tenant. Unit tests are provided.
In addition, in the current master the test `TestAzureProviderEnrichSession` is broken, as the branch which tests that the groups are fetched from the Graph API is never executed. (This can be easily verified by inserting a panic into `testAzureBackendWithError` in the first `if` branch.) This is also fixed in this PR. Now the test also correctly tests the fetch from the Graph API.
To run the test just execute `go test -v -run TestAzureProviderEnrichSession`.
All the tests in the `providers` package run without failures.
Checklist:
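The claim-based path the description above introduces, as an added Go example that is not oauth2-proxy's own code: it reads the `groups` claim from a decoded ID-token payload and treats an absent claim, including Azure's `_claim_names` group-overage marker, as an error rather than as empty membership. The type and function names (`idTokenClaims`, `groupsFromIDToken`) and the sample payloads are hypothetical and constructed.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// idTokenClaims models only the Azure ID-token claims this example reads:
// `groups` (the optional claim) and `_claim_names`, Azure's group-overage
// marker, which is sent instead of `groups` when there are too many to embed.
type idTokenClaims struct {
	Groups     []string          `json:"groups"`
	ClaimNames map[string]string `json:"_claim_names"`
}

var (
	errGroupOverage  = errors.New("groups omitted from id token (overage); Graph lookup still required")
	errNoGroupsClaim = errors.New("id token has no groups claim; check the optional claim configuration")
)

// groupsFromIDToken extracts groups from a decoded ID-token payload, the path
// taken when the Graph API call is skipped. A missing claim is an error, not
// an empty membership, so misconfiguration or overage cannot silently yield
// "user is in no groups".
func groupsFromIDToken(payload []byte) ([]string, error) {
	var claims idTokenClaims
	if err := json.Unmarshal(payload, &claims); err != nil {
		return nil, fmt.Errorf("decoding id token claims: %w", err)
	}
	if _, overage := claims.ClaimNames["groups"]; overage {
		return nil, errGroupOverage
	}
	if claims.Groups == nil { // absent; an empty JSON array decodes to a non-nil slice
		return nil, errNoGroupsClaim
	}
	return claims.Groups, nil
}

func main() {
	// Constructed sample payloads: the already-decoded JSON body of an ID token.
	for _, p := range []string{
		`{"sub":"u1","groups":["group-id-1","group-id-2"]}`,
		`{"sub":"u2","_claim_names":{"groups":"src1"}}`,
		`{"sub":"u3"}`,
	} {
		g, err := groupsFromIDToken([]byte(p))
		fmt.Printf("groups=%v err=%v\n", g, err)
	}
}
```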