diff --git a/CHANGELOG.md b/CHANGELOG.md
index e4e1bc03d..47ffe7adb 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -15,6 +15,7 @@
 ### FIXED
 - Fixed HEADERS environment variable parsing [GH-188]
+- Fixed Azure group lookups [GH-190]
 ## v0.0.5
diff --git a/authenticate/handlers.go b/authenticate/handlers.go
index 0e9cb7ade..f4caced55 100644
--- a/authenticate/handlers.go
+++ b/authenticate/handlers.go
@@ -304,7 +304,6 @@ func (a *Authenticate) ExchangeToken(w http.ResponseWriter, r *http.Request) {
 httputil.ErrorResponse(w, r, &httputil.Error{Code: http.StatusInternalServerError, Message: "could not exchange identity for session"})
 return
 }
- log.Info().Interface("session", session).Msg("Session")
 if err := a.restStore.SaveSession(w, r, session); err != nil {
 log.Error().Err(err).Msg("authenticate: failed returning new session")
 httputil.ErrorResponse(w, r, &httputil.Error{Code: http.StatusInternalServerError, Message: "authenticate: failed returning new session"})
diff --git a/docs/docs/identity-providers.md b/docs/docs/identity-providers.md
index 662dfeb6f..d2cb4d7e3 100644
--- a/docs/docs/identity-providers.md
+++ b/docs/docs/identity-providers.md
@@ -75,7 +75,7 @@ Next you need to ensure that the Pomerium's Redirect URL is listed in allowed re
 Next, in order to retrieve group information from Active Directory, we need to enable the necessary permissions for the [Microsoft Graph API](https://docs.microsoft.com/en-us/graph/auth-v2-service#azure-ad-endpoint-considerations).
-On the **App registrations** page, click **API permissions**. Click the **Add a permission** button and select **Microsoft Graph API**, select **Delegated permissions**. Under the **Directory** row, select the checkbox for **Directory.Read.All**.
+On the **App registrations** page, click **API permissions**. Click the **Add a permission** button and select **Microsoft Graph API**, select **Delegated permissions**. Under the **Directory** row, select the checkbox for **Group.Read.All**.
 ![Azure add group membership claims](./microsoft/azure-api-settings.png)
diff --git a/internal/identity/microsoft.go b/internal/identity/microsoft.go
index 615e25981..5e57812e4 100644
--- a/internal/identity/microsoft.go
+++ b/internal/identity/microsoft.go
@@ -43,7 +43,7 @@ func NewAzureProvider(p *Provider) (*AzureProvider, error) {
 return nil, err
 }
 if len(p.Scopes) == 0 {
- p.Scopes = []string{oidc.ScopeOpenID, "profile", "email", "offline_access"}
+ p.Scopes = []string{oidc.ScopeOpenID, "profile", "email", "offline_access", "Group.Read.All"}
 }
 p.verifier = p.provider.Verifier(&oidc.Config{ClientID: p.ClientID})
 p.oauth = &oauth2.Config{
@@ -91,8 +91,13 @@ func (p *AzureProvider) Authenticate(ctx context.Context, code string) (*session
 if err != nil {
 return nil, fmt.Errorf("identity/microsoft: could not verify id_token %v", err)
 }
+ session.AccessToken = oauth2Token.AccessToken
 session.RefreshToken = oauth2Token.RefreshToken
+ session.Groups, err = p.UserGroups(ctx, session.AccessToken)
+ if err != nil {
+ return nil, fmt.Errorf("identity/microsoft: could not retrieve groups %v", err)
+ }
 return session, nil
 }
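Review bot: The `Group.Read.All` scope is only injected when `p.Scopes` is empty, so a deployment that configures its own scope list (including one copied from the previous default) never requests it, and the new `p.UserGroups(ctx, session.AccessToken)` call in Authenticate will then presumably be rejected by Graph and fail the whole login with "could not retrieve groups". The hard dependency between the default scopes and the groups lookup is not visible at the assignment; I would at least document it there: `// Group.Read.All is required by UserGroups (see Authenticate); a user-supplied scope list must include it or login fails.`, and ideally log a warning from NewAzureProvider when a supplied scope list lacks it. NewAzureProvider's body continues outside the hunk on both sides.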
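Review bot: Groups are now resolved once, at the authorization-code exchange, and stored on the session, while the corresponding lookup is removed from IDTokenToSession in the hunk at `@@ -112,17`; any caller that rebuilds a session from an ID token (a refresh path, if one exists outside this diff) will therefore yield an empty `Groups` unless it carries the previous value forward, and group membership changes or revocations after login would not be observed until re-authentication. That trade-off deserves a comment at the `session.Groups, err = ...` line: `// groups are fetched only at login; sessions rebuilt from an id_token must re-run UserGroups or they lose authorization data.` Separately, `session.AccessToken` now persists a Graph bearer token in the session state — the log-dump removal in handlers.go covers the log side, but it is worth confirming that the session store encrypts or otherwise protects that field. Authenticate's body starts outside the hunk.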
@@ -112,17 +117,12 @@ func (p *AzureProvider) IDTokenToSession(ctx context.Context, rawIDToken string)
 if err := idToken.Claims(&claims); err != nil {
 return nil, fmt.Errorf("identity/microsoft: failed to parse id_token claims %v", err)
 }
- groups, err := p.UserGroups(ctx, claims.Email)
- if err != nil {
- return nil, fmt.Errorf("identity/microsoft: could not retrieve groups %v", err)
- }
 return &sessions.SessionState{
 IDToken: rawIDToken,
 RefreshDeadline: idToken.Expiry.Truncate(time.Second),
 Email: claims.Email,
 User: idToken.Subject,
- Groups: groups,
 }, nil
 }