From b2754fd822ecc17854bba3f3150691532ef5f857 Mon Sep 17 00:00:00 2001 From: Travis Groth Date: Fri, 5 Jul 2019 18:10:10 -0400 Subject: [PATCH] internal/identity: fix bug in azure preventing group retrieval --- CHANGELOG.md | 1 + authenticate/handlers.go | 1 - docs/docs/identity-providers.md | 2 +- internal/identity/microsoft.go | 12 ++++++------ 4 files changed, 8 insertions(+), 8 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index e4e1bc03d..47ffe7adb 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -15,6 +15,7 @@ ### FIXED - Fixed HEADERS environment variable parsing [GH-188] +- Fixed Azure group lookups [GH-190] ## v0.0.5 diff --git a/authenticate/handlers.go b/authenticate/handlers.go index 0e9cb7ade..f4caced55 100644 --- a/authenticate/handlers.go +++ b/authenticate/handlers.go @@ -304,7 +304,6 @@ func (a *Authenticate) ExchangeToken(w http.ResponseWriter, r *http.Request) { httputil.ErrorResponse(w, r, &httputil.Error{Code: http.StatusInternalServerError, Message: "could not exchange identity for session"}) return } - log.Info().Interface("session", session).Msg("Session") if err := a.restStore.SaveSession(w, r, session); err != nil { log.Error().Err(err).Msg("authenticate: failed returning new session") httputil.ErrorResponse(w, r, &httputil.Error{Code: http.StatusInternalServerError, Message: "authenticate: failed returning new session"}) diff --git a/docs/docs/identity-providers.md b/docs/docs/identity-providers.md index 662dfeb6f..d2cb4d7e3 100644 --- a/docs/docs/identity-providers.md +++ b/docs/docs/identity-providers.md 
@@ -75,7 +75,7 @@ Next you need to ensure that the Pomerium's Redirect URL is listed in allowed re Next, in order to retrieve group information from Active Directory, we need to enable the necessary permissions for the [Microsoft Graph API](https://docs.microsoft.com/en-us/graph/auth-v2-service#azure-ad-endpoint-considerations). -On the **App registrations** page, click **API permissions**. Click the **Add a permission** button and select **Microsoft Graph API**, select **Delegated permissions**. Under the **Directory** row, select the checkbox for **Directory.Read.All**. +On the **App registrations** page, click **API permissions**. Click the **Add a permission** button and select **Microsoft Graph API**, select **Delegated permissions**. Under the **Directory** row, select the checkbox for **Group.Read.All**. ![Azure add group membership claims](./microsoft/azure-api-settings.png) diff --git a/internal/identity/microsoft.go b/internal/identity/microsoft.go index 615e25981..5e57812e4 100644 --- a/internal/identity/microsoft.go +++ b/internal/identity/microsoft.go @@ -43,7 +43,7 @@ func NewAzureProvider(p *Provider) (*AzureProvider, error) { return nil, err } if len(p.Scopes) == 0 { - p.Scopes = []string{oidc.ScopeOpenID, "profile", "email", "offline_access"} + p.Scopes = []string{oidc.ScopeOpenID, "profile", "email", "offline_access", "Group.Read.All"} } p.verifier = p.provider.Verifier(&oidc.Config{ClientID: p.ClientID}) p.oauth = &oauth2.Config{ @@ -91,8 +91,13 @@ func (p *AzureProvider) Authenticate(ctx context.Context, code string) (*session if err != nil { return nil, fmt.Errorf("identity/microsoft: could not verify id_token %v", err) } + session.AccessToken = oauth2Token.AccessToken session.RefreshToken = oauth2Token.RefreshToken + session.Groups, err = p.UserGroups(ctx, session.AccessToken) + if err != nil { + return nil, fmt.Errorf("identity/microsoft: could not retrieve groups %v", err) + } return session, nil } 
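Review bot: The new `"Group.Read.All"` entry in the default scope list only takes effect when `p.Scopes` is empty, so a deployment that configures its own scopes and omits it will now fail at sign-in, because the later hunk in this file makes Authenticate return an error when the group lookup fails, whereas before this change the user was logged in without groups. A short comment on the default would make that coupling visible: `// Group.Read.All is required by the Graph group lookup in Authenticate; a custom scope list must include it or sign-in fails.` NewAzureProvider's body continues outside the hunk.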
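Review bot: `session.AccessToken` is now kept on the session and reused as the credential for `p.UserGroups`, so the persisted session state carries a bearer token scoped to Microsoft Graph in addition to the id and refresh tokens, and anything that serializes or logs the session must handle it as a secret; the removal of the `session` log line in authenticate/handlers.go in this same patch is consistent with that. Whether `UserGroups` sends the token as a bearer credential, and what it did with the email it received before, is not visible in this patch. A comment at the assignment would record the intent: `// The access token is retained so group membership can be fetched from Graph; treat it as a credential wherever the session is stored.` Authenticate's signature and the start of its body lie outside the hunk.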
@@ -112,17 +117,12 @@ func (p *AzureProvider) IDTokenToSession(ctx context.Context, rawIDToken string) if err := idToken.Claims(&claims); err != nil { return nil, fmt.Errorf("identity/microsoft: failed to parse id_token claims %v", err) } - groups, err := p.UserGroups(ctx, claims.Email) - if err != nil { - return nil, fmt.Errorf("identity/microsoft: could not retrieve groups %v", err) - } return &sessions.SessionState{ IDToken: rawIDToken, RefreshDeadline: idToken.Expiry.Truncate(time.Second), Email: claims.Email, User: idToken.Subject, - Groups: groups, }, nil }
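Review bot: With the group lookup removed from IDTokenToSession, `Groups` is populated only in Authenticate, so any other caller of IDTokenToSession (a refresh path, if one exists, is not visible here) now receives a session with an empty group list, and group-based policy would either lose access after a refresh or keep the list from initial sign-in until the user re-authenticates, depending on how the caller merges the result. The method's doc comment should state this so callers either carry the groups forward or re-query: `// IDTokenToSession does not populate Groups; callers that need group membership must call UserGroups with the session's access token.` IDTokenToSession's signature is only shown in the hunk header and the preceding part of its body lies outside the hunk.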