mirror of
https://github.com/pomerium/pomerium.git
synced 2025-05-06 22:06:03 +02:00
91 lines
3 KiB
Go
91 lines
3 KiB
Go
// Package azure implements OpenID Connect for Microsoft Azure
|
|
//
|
|
// https://www.pomerium.io/docs/identity-providers/azure.html
|
|
package azure
|
|
|
|
import (
|
|
"context"
|
|
"encoding/json"
|
|
"fmt"
|
|
"net/http"
|
|
"time"
|
|
|
|
"golang.org/x/oauth2"
|
|
|
|
"github.com/pomerium/pomerium/internal/httputil"
|
|
"github.com/pomerium/pomerium/internal/identity/oauth"
|
|
pom_oidc "github.com/pomerium/pomerium/internal/identity/oidc"
|
|
"github.com/pomerium/pomerium/internal/log"
|
|
"github.com/pomerium/pomerium/internal/version"
|
|
)
|
|
|
|
// Name identifies the Azure identity provider
|
|
const Name = "azure"
|
|
|
|
// defaultProviderURL Users with both a personal Microsoft
|
|
// account and a work or school account from Azure Active Directory (Azure AD)
|
|
// an sign in to the application.
|
|
const defaultProviderURL = "https://login.microsoftonline.com/common"
|
|
const defaultGroupURL = "https://graph.microsoft.com/v1.0/me/memberOf"
|
|
|
|
// Provider is an Azure implementation of the Authenticator interface.
|
|
type Provider struct {
|
|
*pom_oidc.Provider
|
|
}
|
|
|
|
// New instantiates an OpenID Connect (OIDC) provider for Azure.
|
|
func New(ctx context.Context, o *oauth.Options) (*Provider, error) {
|
|
var p Provider
|
|
var err error
|
|
if o.ProviderURL == "" {
|
|
o.ProviderURL = defaultProviderURL
|
|
}
|
|
genericOidc, err := pom_oidc.New(ctx, o)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("%s: failed creating oidc provider: %w", Name, err)
|
|
}
|
|
p.Provider = genericOidc
|
|
p.UserGroupFn = p.UserGroups
|
|
return &p, nil
|
|
}
|
|
|
|
// GetSignInURL returns the sign in url with typical oauth parameters
|
|
// https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-implicit-grant-flow
|
|
func (p *Provider) GetSignInURL(state string) string {
|
|
return p.Oauth.AuthCodeURL(state, oauth2.AccessTypeOffline, oauth2.SetAuthURLParam("prompt", "select_account"))
|
|
}
|
|
|
|
// UserGroups returns a slice of group names a given user is in.
|
|
// `Directory.Read.All` is required.
|
|
// https://docs.microsoft.com/en-us/graph/api/resources/directoryobject?view=graph-rest-1.0
|
|
// https://docs.microsoft.com/en-us/graph/api/user-list-memberof?view=graph-rest-1.0
|
|
func (p *Provider) UserGroups(ctx context.Context, t *oauth2.Token, v interface{}) error {
|
|
var response struct {
|
|
Groups []struct {
|
|
ID string `json:"id"`
|
|
Description string `json:"description,omitempty"`
|
|
DisplayName string `json:"displayName"`
|
|
CreatedDateTime time.Time `json:"createdDateTime,omitempty"`
|
|
GroupTypes []string `json:"groupTypes,omitempty"`
|
|
} `json:"value"`
|
|
}
|
|
headers := map[string]string{"Authorization": fmt.Sprintf("Bearer %s", t.AccessToken)}
|
|
err := httputil.Client(ctx, http.MethodGet, defaultGroupURL, version.UserAgent(), headers, nil, &response)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
log.Debug().Interface("response", response).Msg("microsoft: groups")
|
|
var out struct {
|
|
Groups []string `json:"groups"`
|
|
}
|
|
for _, group := range response.Groups {
|
|
out.Groups = append(out.Groups, group.ID)
|
|
}
|
|
b, err := json.Marshal(out)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
return json.Unmarshal(b, v)
|
|
}
|