go/oauth2-proxy
1
0
Fork 0
mirror of https://github.com/oauth2-proxy/oauth2-proxy.git synced 2025-06-17 00:17:40 +02:00
Code Issues Releases Activity

Microsoft Entra ID provider (#2390)

Browse Source 
* Microsoft Entra ID Provider

* fix typo in function name

* documentation tweaks

* documentation and comment tweak

* docs tweaks

* final tweaks

* refactor: drop flag for skipping graph groups

* update legacy / deprecated provider page and sort provider overview

* reformat

* move entra-id provider into switch (treat like every other provider

* fix test case and reformat

* fix sidebar configuration

* apply review suggestions

* add pagination for graph api

* fix: do not error when groups unable to retrieve

* doc: number of groups fix

* restore master packages

* docs: tiny docs tweak

* address review comments

* fix codegen

---------

Co-authored-by: tuunit <jan@larwig.com>
This commit is contained in:
JJ Łakis
2024-12-31 12:46:13 +01:00
committed by GitHub
parent c64ec1251b
commit 5f188e5b6b
14 changed files with 617 additions and 51 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
docs/docs/configuration/alpha_config.md
View File

@ -385,6 +385,16 @@ character.
| `default` | _[]string_ | _(Optional)_ Default specifies a default value or values that will be<br/>passed to the IdP if not overridden. |
| `allow` | _[[]URLParameterRule](#urlparameterrule)_ | _(Optional)_ Allow specifies rules about how the default (if any) may be<br/>overridden via the query string to `/oauth2/start`. Only<br/>values that match one or more of the allow rules will be<br/>forwarded to the IdP. |
### MicrosoftEntraIDOptions
(**Appears on:** [Provider](#provider))
| Field | Type | Description |
| ----- | ---- | ----------- |
| `allowedTenants` | _[]string_ | AllowedTenants is a list of allowed tenants. In case of multi-tenant apps, incoming tokens are<br/>issued by different issuers and OIDC issuer verification needs to be disabled.<br/>When not specified, all tenants are allowed. Redundant for single-tenant apps<br/>(regular ID token validation matches the issuer). |
### OIDCOptions
(**Appears on:** [Provider](#provider))
@ -418,6 +428,7 @@ Provider holds all configuration for a single provider
| `clientSecretFile` | _string_ | ClientSecretFile is the name of the file<br/>containing the OAuth Client Secret, it will be used if ClientSecret is not set. |
| `keycloakConfig` | _[KeycloakOptions](#keycloakoptions)_ | KeycloakConfig holds all configurations for Keycloak provider. |
| `azureConfig` | _[AzureOptions](#azureoptions)_ | AzureConfig holds all configurations for Azure provider. |
| `microsoftEntraIDConfig` | _[MicrosoftEntraIDOptions](#microsoftentraidoptions)_ | MicrosoftEntraIDConfig holds all configurations for Entra ID provider. |
| `ADFSConfig` | _[ADFSOptions](#adfsoptions)_ | ADFSConfig holds all configurations for ADFS provider. |
| `bitbucketConfig` | _[BitbucketOptions](#bitbucketoptions)_ | BitbucketConfig holds all configurations for Bitbucket provider. |
| `githubConfig` | _[GitHubOptions](#githuboptions)_ | GitHubConfig holds all configurations for GitHubC provider. |

18
docs/docs/configuration/providers/azure_ad.md
View File

@ -1,18 +0,0 @@
---
id: azure_ad
title: Microsoft Azure AD
---
## Config Options
| Flag | Toml Field | Type | Description | Default |
| ---------------- | -------------- | ------ | ---------------------------------------------------------------- | ---------- |
| `--azure-tenant` | `azure_tenant` | string | go to a tenant-specific or common (tenant-independent) endpoint. | `"common"` |
| `--resource` | `resource` | string | The resource that is protected (Azure AD only) | |
## Usage
For adding an application to the Microsoft Azure AD follow [these steps to add an application](https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app).
Take note of your `TenantId` if applicable for your situation. The `TenantId` can be used to override the default
`common` authorization server with a tenant specific server.

4
docs/docs/configuration/providers/gitea.md
View File

@ -3,6 +3,10 @@ id: gitea
title: Gitea
---
:::note
This is not actually its own provider. For more details and options please refer to the [GitHub Provider Options](github.md)
:::
1. Create a new application: `https://< your gitea host >/user/settings/applications`
2. Under `Redirect URI` enter the correct URL i.e. `https://<proxied host>/oauth2/callback`
3. Note the Client ID and Client Secret.

27
docs/docs/configuration/providers/index.md
View File

@ -8,21 +8,22 @@ with Redirect URI(s) for the domain you intend to run `oauth2-proxy` on.
Valid providers are :
- [Google](google.md) _default_
- [Azure](azure.md)
- [ADFS](adfs.md)
- [Facebook](facebook.md)
- [GitHub](github.md)
- [Gitea](gitea.md)
- [Keycloak](keycloak.md)/[Keycloak OIDC](keycloak_oidc.md)
- [GitLab](gitlab.md)
- [LinkedIn](linkedin.md)
- [Microsoft Azure AD](azure_ad.md)
- [OpenID Connect](openid_connect.md)
- [login.gov](login_gov.md)
- [Nextcloud](nextcloud.md)
- [DigitalOcean](digitalocean.md)
- [Bitbucket](bitbucket.md)
- [DigitalOcean](digitalocean.md)
- [Facebook](facebook.md)
- [Gitea](gitea.md)
- [GitHub](github.md)
- [GitLab](gitlab.md)
- [Google](google.md) _default_
- [Keycloak](keycloak.md) (Deprecated)
- [Keycloak OIDC](keycloak_oidc.md)
- [LinkedIn](linkedin.md)
- [login.gov](login_gov.md)
- [Microsoft Azure](ms_azure_ad.md) (Deprecated)
- [Microsoft Entra ID](ms_entra_id.md)
- [Nextcloud](nextcloud.md)
- [OpenID Connect](openid_connect.md)
The provider can be selected using the `provider` configuration value.

4
docs/docs/configuration/providers/keycloak.md
View File

@ -1,10 +1,10 @@
---
id: keycloak
title: Keycloak
title: Keycloak (Deprecated)
---
:::note
This is the legacy provider for Keycloak, use [Keycloak OIDC Auth Provider](keycloak_oidc.md) if possible.
This is the legacy and deprecated provider for Keycloak, use [Keycloak OIDC Auth Provider](keycloak_oidc.md) if possible.
:::
1. Create new client in your Keycloak realm with **Access Type** 'confidential' and **Valid Redirect URIs** 'https://internal.yourcompany.com/oauth2/callback'

6
docs/docs/configuration/providers/azure.md → docs/docs/configuration/providers/ms_azure_ad.md
View File

@ -1,8 +1,12 @@
---
id: azure
title: Azure
title: Azure (Deprecated)
---
:::note
This is the legacy and deprecated provider for Azure, use [Microsoft Entra ID](ms_entra_id.md) if possible.
:::
## Config Options
| Flag | Toml Field | Type | Description | Default |

158
docs/docs/configuration/providers/ms_entra_id.md Normal file
View File

@ -0,0 +1,158 @@
---
id: ms_entra_id
title: Microsoft Entra ID
---
Provider for Microsoft Entra ID. Fully compliant with OIDC, with support for group overage and multi-tenant apps.
## Config Options
The provider is OIDC-compliant, so all the OIDC parameters are honored. Additional provider-specific configuration parameters are:
| Flag | Toml Field | Type | Description | Default |
| --------------------------- | -------------------------- | -------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------- |
| `--entra-id-allowed-tenant` | `entra_id_allowed_tenants` | string \| list | List of allowed tenants. In case of multi-tenant apps, incoming tokens are issued by different issuers and OIDC issuer verification needs to be disabled. When not specified, all tenants are allowed. Redundant for single-tenant apps (regular ID token validation matches the issuer). | |
## Configure App registration
To begin, create an App registration, set a redirect URI, and generate a secret. All account types are supported, including single-tenant, multi-tenant, multi-tenant with Microsoft accounts, and Microsoft accounts only.
<details>
<summary>See Azure Portal example</summary>
<div class="videoBlock">
<iframe src="https://www.youtube.com/embed/IUNfxhOzr4E"></iframe>
</div>
</details>
<details>
<summary>See Terraform example</summary>
```
resource "azuread_application" "auth" {
display_name = "oauth2-proxy"
sign_in_audience = "AzureADMyOrg" # Others are also supported
web {
redirect_uris = [
"https://podinfo.lakis.tech/oauth2/callback",
]
}
// We don't specify any required API permissions - we allow user consent only
}
resource "azuread_service_principal" "sp" {
client_id = azuread_application.auth.client_id
app_role_assignment_required = false
}
resource "azuread_service_principal_password" "pass" {
service_principal_id = azuread_service_principal.sp.id
}
```
</details>
### Configure groups
If you want to make use of groups, you can configure *groups claim* to be present in ID Tokens issued by the App registration.
<details>
<summary>See Azure Portal example</summary>
<div class="videoBlock">
<div class="videoBlock">
<iframe src="https://www.youtube.com/embed/QZmP5MKEJis"></iframe>
</div>
</div>
</details>
<details>
<summary>See Terraform example</summary>
```
resource "azuread_application" "auth" {
display_name = "oauth2-proxy"
sign_in_audience = "AzureADMyOrg"
group_membership_claims = [
"SecurityGroup"
]
web {
redirect_uris = [
"https://podinfo.lakis.tech/oauth2/callback",
]
}
}
resource "azuread_service_principal" "sp" {
client_id = azuread_application.auth.client_id
app_role_assignment_required = false
}
resource "azuread_service_principal_password" "pass" {
service_principal_id = azuread_service_principal.sp.id
}
```
</details>
### Scopes and claims
For single-tenant and multi-tenant apps without groups, the only required scope is `openid` (See: [Scopes and permissions](https://learn.microsoft.com/en-us/entra/identity-platform/scopes-oidc#the-openid-scope)).
To make use of groups - for example use `allowed_groups` setting or authorize based on groups inside your service - you need to enable *groups claims* in the App Registration. When enabled, list of groups is present in the issued ID token. No additional scopes are required besides `openid`. This works up to 200 groups.
When user has more than 200 group memberships, OAuth2-Proxy attempts to retrieve the complete list from Microsoft Graph API's [`transitiveMemberOf`](https://learn.microsoft.com/en-us/graph/api/user-list-transitivememberof). Endpoint requires `User.Read` scope (delegated permission). This permission can be by default consented by user during first login. Set scope to `openid User.Read` to request user consent. Without proper scope, user with 200+ groups will authenticate with 0 groups. See: [group overages](https://learn.microsoft.com/en-us/security/zero-trust/develop/configure-tokens-group-claims-app-roles#group-overages).
Alternatively to user consent, both `openid` and `User.Read` permissions can be consented by admistrator. Then, user is not asked for consent on the first login, and group overage works with `openid` scope only. Admin consent can also be required for some tenants. It can be granted with [azuread_service_principal_delegated_permission_grant](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/service_principal_delegated_permission_grant) terraform resource.
For personal microsoft accounts, required scope is `openid profile email`.
See: [Overview of permissions and consent in the Microsoft identity platform](https://learn.microsoft.com/en-us/entra/identity-platform/permissions-consent-overview).
### Multi-tenant apps
To authenticate apps from multiple tenants (including personal Microsoft accounts), set the common OIDC issuer url and disable verification:
```toml
oidc_issuer_url=https://login.microsoftonline.com/common/v2.0
insecure_oidc_skip_issuer_verification=true
```
`insecure_oidc_skip_issuer_verification` setting is required to disable following checks:
* Startup check for matching issuer URL returned from [discovery document](https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration) with `oidc_issuer_url` setting. Required, as document's `issuer` field doesn't equal to `https://login.microsoftonline.com/common/v2.0`. See [OIDC Discovery 4.3](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationValidation).
* Matching ID token's `issuer` claim with `oidc_issuer_url` setting during ID token validation. Required to support tokens issued by diffrerent tenants. See [OIDC Core 3.1.3.7](https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation).
To provide additional security, Entra ID provider performs check on the ID token's `issuer` claim to match the `https://login.microsoftonline.com/{tenant-id}/v2.0` template.
### Example configurations
Single-tenant app without groups (*groups claim* not enabled). Consider using generic OIDC provider:
```toml
provider="entra-id"
oidc_issuer_url="https://login.microsoftonline.com/<tenant-id>/v2.0"
client_id="<client-id>"
client_secret="<client-secret>"
scope="openid"
```
Single-tenant app with up to 200 groups (*groups claim* enabled). Consider using generic OIDC provider:
```toml
provider="entra-id"
oidc_issuer_url="https://login.microsoftonline.com/<tenant-id>/v2.0"
client_id="<client-id>"
client_secret="<client-secret>"
scope="openid"
allowed_groups=["ac51800c-2679-4ecb-8130-636380a3b491"]
```
Single-tenant app with more than 200 groups:
```toml
provider="entra-id"
oidc_issuer_url="https://login.microsoftonline.com/<tenant-id>/v2.0"
client_id="<client-id>"
client_secret="<client-secret>"
scope="openid User.Read"
allowed_groups=["968b4844-d5e7-4e18-a834-59927959369f"]
```
Multi-tenant app with Microsoft personal accounts & one Entra tenant allowed, with group overage considered:
```toml
provider="entra-id"
oidc_issuer_url="https://login.microsoftonline.com/common/v2.0"
client_id="<client-id>"
client_secret="<client-secret>"
insecure_oidc_skip_issuer_verification=true
scope="openid profile email User.Read"
entra_id_allowed_tenant=["9188040d-6c67-4c5b-b112-36a304b66dad","<my-tenant-id>"] # Allow only <my-tenant-id> and Personal MS Accounts tenant
email_domains="*"
```

32
docs/sidebars.js
View File

@ -31,22 +31,22 @@ const sidebars = {
id: 'configuration/providers/index',
},
items: [
'configuration/providers/google',
'configuration/providers/azure',
'configuration/providers/adfs',
'configuration/providers/facebook',
'configuration/providers/github',
'configuration/providers/gitea',
'configuration/providers/keycloak',
'configuration/providers/keycloak_oidc',
'configuration/providers/gitlab',
'configuration/providers/linkedin',
'configuration/providers/azure_ad',
'configuration/providers/openid_connect',
'configuration/providers/login_gov',
'configuration/providers/nextcloud',
'configuration/providers/digitalocean',
'configuration/providers/bitbucket',
"configuration/providers/adfs",
"configuration/providers/azure",
"configuration/providers/bitbucket",
"configuration/providers/digitalocean",
"configuration/providers/facebook",
"configuration/providers/gitea",
"configuration/providers/github",
"configuration/providers/gitlab",
"configuration/providers/google",
"configuration/providers/keycloak",
"configuration/providers/keycloak_oidc",
"configuration/providers/linkedin",
"configuration/providers/login_gov",
"configuration/providers/ms_entra_id",
"configuration/providers/nextcloud",
"configuration/providers/openid_connect",
],
},
'configuration/session_storage',

14
docs/src/css/custom.css
View File

@ -23,3 +23,17 @@
margin: 0 calc(-1 * var(--ifm-pre-padding));
padding: 0 var(--ifm-pre-padding);
}
.videoBlock {
position: relative;
padding-bottom: 75%;
height: 0;
}
.videoBlock iframe {
position: absolute;
top: 0;
left: 0;
width: 100%;
height: 100%;
}

6
pkg/apis/options/legacy_options.go
View File

@ -488,6 +488,7 @@ type LegacyProvider struct {
KeycloakGroups []string `flag:"keycloak-group" cfg:"keycloak_groups"`
AzureTenant string `flag:"azure-tenant" cfg:"azure_tenant"`
AzureGraphGroupField string `flag:"azure-graph-group-field" cfg:"azure_graph_group_field"`
EntraIDAllowedTenants []string `flag:"entra-id-allowed-tenant" cfg:"entra_id_allowed_tenants"`
BitbucketTeam string `flag:"bitbucket-team" cfg:"bitbucket_team"`
BitbucketRepository string `flag:"bitbucket-repository" cfg:"bitbucket_repository"`
GitHubOrg string `flag:"github-org" cfg:"github_org"`
@ -550,6 +551,7 @@ func legacyProviderFlagSet() *pflag.FlagSet {
flagSet.StringSlice("keycloak-group", []string{}, "restrict logins to members of these groups (may be given multiple times)")
flagSet.String("azure-tenant", "common", "go to a tenant-specific or common (tenant-independent) endpoint.")
flagSet.String("azure-graph-group-field", "", "configures the group field to be used when building the groups list(`id` or `displayName`. Default is `id`) from Microsoft Graph(available only for v2.0 oidc url). Based on this value, the `allowed-group` config values should be adjusted accordingly. If using `id` as group field, `allowed-group` should contains groups IDs, if using `displayName` as group field, `allowed-group` should contains groups name")
flagSet.StringSlice("entra-id-allowed-tenant", []string{}, "list of tenants allowed for MS Entra ID multi-tenant application")
flagSet.String("bitbucket-team", "", "restrict logins to members of this team")
flagSet.String("bitbucket-repository", "", "restrict logins to user with access to this repository")
flagSet.String("github-org", "", "restrict logins to members of this organisation")
@ -756,6 +758,10 @@ func (l *LegacyProvider) convert() (Providers, error) {
UseApplicationDefaultCredentials: l.GoogleUseApplicationDefaultCredentials,
TargetPrincipal: l.GoogleTargetPrincipal,
}
case "entra-id":
provider.MicrosoftEntraIDConfig = MicrosoftEntraIDOptions{
AllowedTenants: l.EntraIDAllowedTenants,
}
}
if l.ProviderName != "" {

13
pkg/apis/options/providers.go
View File

@ -30,6 +30,8 @@ type Provider struct {
KeycloakConfig KeycloakOptions `json:"keycloakConfig,omitempty"`
// AzureConfig holds all configurations for Azure provider.
AzureConfig AzureOptions `json:"azureConfig,omitempty"`
// MicrosoftEntraIDConfig holds all configurations for Entra ID provider.
MicrosoftEntraIDConfig MicrosoftEntraIDOptions `json:"microsoftEntraIDConfig,omitempty"`
// ADFSConfig holds all configurations for ADFS provider.
ADFSConfig ADFSOptions `json:"ADFSConfig,omitempty"`
// BitbucketConfig holds all configurations for Bitbucket provider.
@ -101,6 +103,9 @@ const (
// AzureProvider is the provider type for Azure
AzureProvider ProviderType = "azure"
// MicrosoftEntraIDProvider is the provider type for Entra OIDC
MicrosoftEntraIDProvider ProviderType = "entra-id"
// BitbucketProvider is the provider type for Bitbucket
BitbucketProvider ProviderType = "bitbucket"
@ -155,6 +160,14 @@ type AzureOptions struct {
GraphGroupField string `json:"graphGroupField,omitempty"`
}
type MicrosoftEntraIDOptions struct {
// AllowedTenants is a list of allowed tenants. In case of multi-tenant apps, incoming tokens are
// issued by different issuers and OIDC issuer verification needs to be disabled.
// When not specified, all tenants are allowed. Redundant for single-tenant apps
// (regular ID token validation matches the issuer).
AllowedTenants []string `json:"allowedTenants,omitempty"`
}
type ADFSOptions struct {
// Skip adding the scope parameter in login request
// Default value is 'false'

186
providers/ms_entra_id.go Normal file
View File

@ -0,0 +1,186 @@
package providers
import (
"context"
"fmt"
"net/url"
"regexp"
"github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/options"
"github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/sessions"
"github.com/oauth2-proxy/oauth2-proxy/v7/pkg/logger"
"github.com/oauth2-proxy/oauth2-proxy/v7/pkg/requests"
"github.com/oauth2-proxy/oauth2-proxy/v7/pkg/util"
"github.com/spf13/cast"
)
// MicrosoftEntraIDProvider represents provider for Azure Entra Authentication V2 endpoint
type MicrosoftEntraIDProvider struct {
*OIDCProvider
multiTenantAllowedTenants []string
microsoftGraphURL *url.URL
}
const (
microsoftEntraIDProviderName = "Microsoft Entra ID"
)
var (
microsoftGraphURL = &url.URL{
Scheme: "https",
Host: "graph.microsoft.com",
Path: "/v1.0/me",
}
)
// NewMicrosoftEntraIDProvider initiates a new MicrosoftEntraIDProvider
func NewMicrosoftEntraIDProvider(p *ProviderData, opts options.Provider) *MicrosoftEntraIDProvider {
p.setProviderDefaults(providerDefaults{
name: microsoftEntraIDProviderName,
})
return &MicrosoftEntraIDProvider{
OIDCProvider: NewOIDCProvider(p, opts.OIDCConfig),
multiTenantAllowedTenants: opts.MicrosoftEntraIDConfig.AllowedTenants,
microsoftGraphURL: microsoftGraphURL,
}
}
// EnrichSession checks for group overage after calling generic EnrichSession
func (p *MicrosoftEntraIDProvider) EnrichSession(ctx context.Context, session *sessions.SessionState) error {
if err := p.OIDCProvider.EnrichSession(ctx, session); err != nil {
return fmt.Errorf("unable to enrich session: %v", err)
}
hasGroupOverage, err := p.checkGroupOverage(session)
if err != nil {
return fmt.Errorf("unable to check token: %v", err)
}
if hasGroupOverage {
logger.Printf("entra overage found, reading groups from Graph API")
if err = p.addGraphGroupsToSession(ctx, session); err != nil {
return fmt.Errorf("unable to enrich session: %v", err)
}
}
return nil
}
// ValidateSession checks for allowed tenants (e.g. for multi-tenant apps) and passes through to generic ValidateSession
func (p *MicrosoftEntraIDProvider) ValidateSession(ctx context.Context, session *sessions.SessionState) bool {
tenant, err := p.getTenantFromToken(session)
if err != nil {
logger.Errorf("unable to retrieve entra tenant from token: %v", err)
return false
}
if len(p.multiTenantAllowedTenants) > 0 {
tenantAllowed := p.checkTenantMatchesTenantList(tenant, p.multiTenantAllowedTenants)
if !tenantAllowed {
logger.Printf("entra: tenant %s is not specified in the list of allowed tenants", tenant)
return false
}
logger.Printf("entra: tenant %s is allowed", tenant)
}
return p.OIDCProvider.ValidateSession(ctx, session)
}
// checkGroupOverage checks ID token's group membership claims for the group overage
func (p *MicrosoftEntraIDProvider) checkGroupOverage(session *sessions.SessionState) (bool, error) {
extractor, err := p.getClaimExtractor(session.IDToken, session.AccessToken)
if err != nil {
return false, fmt.Errorf("unable to get claim extractor: %v", err)
}
claimNames, _, _ := extractor.GetClaim("_claim_names")
var claimNamesMap map[string]string
if claimNames != nil {
claimNamesMap = cast.ToStringMapString(claimNames)
}
if _, groupsKeyPresent := claimNamesMap["groups"]; groupsKeyPresent {
return true, nil
}
return false, nil
}
func (p *MicrosoftEntraIDProvider) addGraphGroupsToSession(ctx context.Context, s *sessions.SessionState) error {
groupsHeaders := makeAuthorizationHeader(tokenTypeBearer, s.AccessToken, nil)
groupsHeaders.Add("ConsistencyLevel", "eventual")
var allGroups []string
var nextLink string
for {
if nextLink == "" {
nextLink = fmt.Sprintf("%s/transitiveMemberOf?$select=id&$top=100", p.microsoftGraphURL)
}
response, err := requests.New(nextLink).
WithContext(ctx).
WithHeaders(groupsHeaders).
Do().
UnmarshalSimpleJSON()
if err != nil {
logger.Errorf("invalid response from microsoft graph, no groups added to session: %v", err)
return nil
}
reqGroups := response.Get("value").MustArray()
for i := range reqGroups {
value := response.Get("value").GetIndex(i).Get("id").MustString()
allGroups = append(allGroups, value)
}
// https://learn.microsoft.com/en-us/graph/paging?view=graph-rest-1.0&tabs=http#how-paging-works
nextLink = response.Get("@odata.nextLink").MustString()
if nextLink == "" {
break
}
}
s.Groups = util.RemoveDuplicateStr(append(s.Groups, allGroups...))
return nil
}
func (p *MicrosoftEntraIDProvider) getTenantFromToken(session *sessions.SessionState) (string, error) {
extractor, err := p.getClaimExtractor(session.IDToken, session.AccessToken)
if err != nil {
return "", fmt.Errorf("unable to get claim extractor: %v", err)
}
value, exists, err := extractor.GetClaim("iss")
if !exists || err != nil {
return "", fmt.Errorf("iss claim does not exist in the token")
}
pattern := `^https://login\.microsoftonline\.com/([a-zA-Z0-9-]+)/v2\.0$`
re := regexp.MustCompile(pattern)
matches := re.FindStringSubmatch(value.(string))
if len(matches) > 1 {
return matches[1], nil
}
return "", fmt.Errorf("invalid issuer in the ID token")
}
func (p *MicrosoftEntraIDProvider) checkTenantMatchesTenantList(tenant string, allowedTenantList []string) bool {
for _, allowedTenant := range allowedTenantList {
if tenant == allowedTenant {
return true
}
}
return false
}

185
providers/ms_entra_id_test.go Normal file
View File

@ -0,0 +1,185 @@
package providers
import (
"context"
"crypto/rand"
"crypto/rsa"
"fmt"
"net/http"
"net/http/httptest"
"net/url"
"testing"
"github.com/coreos/go-oidc/v3/oidc"
"github.com/golang-jwt/jwt/v5"
"github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/options"
"github.com/stretchr/testify/assert"
. "github.com/onsi/gomega"
)
func TestAzureEntraOIDCProviderNewMultiTenant(t *testing.T) {
g := NewWithT(t)
provider := NewMicrosoftEntraIDProvider(&ProviderData{},
options.Provider{OIDCConfig: options.OIDCOptions{
IssuerURL: "https://login.microsoftonline.com/common/v2.0",
InsecureSkipIssuerVerification: true,
}},
)
g.Expect(provider.Data().ProviderName).To(Equal("Microsoft Entra ID"))
}
func TestAzureEntraOIDCProviderNewSingleTenant(t *testing.T) {
g := NewWithT(t)
provider := NewMicrosoftEntraIDProvider(&ProviderData{},
options.Provider{OIDCConfig: options.OIDCOptions{
IssuerURL: "https://login.microsoftonline.com/18014347-dd57-41a1-8191-7a1f734ea457/v2.0",
}},
)
g.Expect(provider.Data().ProviderName).To(Equal("Microsoft Entra ID"))
}
func TestAzureEntraOIDCProviderEnrichSessionGroupOverage(t *testing.T) {
// Create ID Token that indicates group overage with _claim_names
key, _ := rsa.GenerateKey(rand.Reader, 2048)
claimsWithGroupOverage := &claimsWithGroupOverage{
jwt.RegisteredClaims{
Issuer: "https://login.microsoftonline.com/18014347-dd57-41a1-8191-7a1f734ea457/v2.0",
},
map[string]string{"groups": "src1"},
}
jwtWithClaims := jwt.NewWithClaims(jwt.SigningMethodRS256, claimsWithGroupOverage)
signedJWT, err := jwtWithClaims.SignedString(key)
assert.NoError(t, err)
session := CreateAuthorizedSession()
session.IDToken = signedJWT
session.Email = "mock@example.com"
// Create provider
provider := NewMicrosoftEntraIDProvider(&ProviderData{},
options.Provider{OIDCConfig: options.OIDCOptions{
IssuerURL: "https://login.microsoftonline.com/18014347-dd57-41a1-8191-7a1f734ea457/v2.0",
}},
)
// Create mocked Azure Graph server and override Graph URL
mockedGraph := mockGraphAPI(false)
mockedGraphURL, _ := url.Parse(mockedGraph.URL)
updateURL(provider.microsoftGraphURL, mockedGraphURL.Host)
// Test EnrichSession
err = provider.EnrichSession(context.Background(), session)
assert.NoError(t, err)
assert.Contains(t, session.Groups, "85d7d600-7804-4d92-8d43-9c33c21c130c")
assert.Contains(t, session.Groups, "916f0604-8a3b-4a69-bda9-06db11a8f0cd")
assert.Contains(t, session.Groups, "b1aef995-6b55-4ac6-bbfe-e829810e9352", "Pagination using $skiptoken failed")
}
func TestAzureEntraOIDCProviderValidateSessionAllowedTenants(t *testing.T) {
// Create multi-tenant Azure Entra provider with allowed tenants
provider := NewMicrosoftEntraIDProvider(
&ProviderData{
Verifier: &mockedVerifier{},
},
options.Provider{
OIDCConfig: options.OIDCOptions{
IssuerURL: "https://login.microsoftonline.com/common/v2.0",
InsecureSkipIssuerVerification: true,
InsecureSkipNonce: true,
},
MicrosoftEntraIDConfig: options.MicrosoftEntraIDOptions{
AllowedTenants: []string{"85d7d600-7804-4d92-8d43-9c33c21c130c"},
},
},
)
// Check for invalid tenant
key, _ := rsa.GenerateKey(rand.Reader, 2048)
idToken := jwt.NewWithClaims(jwt.SigningMethodRS256, jwt.RegisteredClaims{
Issuer: "https://login.microsoftonline.com/invalid_tenant/v2.0",
})
invalidJWT, err := idToken.SignedString(key)
assert.NoError(t, err)
session := CreateAuthorizedSession()
session.IDToken = invalidJWT
valid := provider.ValidateSession(context.Background(), session)
assert.False(t, valid)
// Check for valid tenant
idToken = jwt.NewWithClaims(jwt.SigningMethodRS256, jwt.RegisteredClaims{
Issuer: "https://login.microsoftonline.com/85d7d600-7804-4d92-8d43-9c33c21c130c/v2.0",
})
validJWT, err := idToken.SignedString(key)
assert.NoError(t, err)
session = CreateAuthorizedSession()
session.IDToken = validJWT
valid = provider.ValidateSession(context.Background(), session)
assert.True(t, valid)
}
func mockGraphAPI(noGroupMemberPermissions bool) *httptest.Server {
groupsPath := "/v1.0/me/transitiveMemberOf"
return httptest.NewServer(http.HandlerFunc(
func(w http.ResponseWriter, r *http.Request) {
if noGroupMemberPermissions {
w.WriteHeader(401)
} else if r.URL.Path == groupsPath && r.Method == http.MethodGet && len(r.URL.Query()["$skiptoken"]) > 0 {
// Second page (pagination)
w.Write([]byte(`{
"@odata.context": "https://graph.microsoft.com/v1.0/$metadata#directoryObjects(id)",
"value": [
{
"@odata.type": "#microsoft.graph.group",
"id": "b1aef995-6b55-4ac6-bbfe-e829810e9352"
}
]
}`))
} else if r.URL.Path == groupsPath && r.Method == http.MethodGet {
// First page (pagination)
w.Write([]byte(fmt.Sprintf(`{
"@odata.context": "https://graph.microsoft.com/v1.0/$metadata#directoryObjects(id)",
"@odata.nextLink": "http://%s/v1.0/me/transitiveMemberOf?$select=id&$top=2&$skiptoken=TEST_TOKEN",
"value": [
{
"@odata.type": "#microsoft.graph.group",
"id": "85d7d600-7804-4d92-8d43-9c33c21c130c"
},
{
"@odata.type": "#microsoft.graph.group",
"id": "916f0604-8a3b-4a69-bda9-06db11a8f0cd"
}
]
}`, r.Host)))
}
},
))
}
type claimsWithGroupOverage struct {
jwt.RegisteredClaims
ClaimNames interface{} `json:"_claim_names,omitempty"`
}
func (c *claimsWithGroupOverage) Valid() error {
return nil
}
type mockedVerifier struct {
}
func (v *mockedVerifier) Verify(ctx context.Context, rawIDToken string) (*oidc.IDToken, error) {
return nil, nil
}

4
providers/providers.go
View File

@ -41,6 +41,8 @@ func NewProvider(providerConfig options.Provider) (Provider, error) {
return NewADFSProvider(providerData, providerConfig), nil
case options.AzureProvider:
return NewAzureProvider(providerData, providerConfig.AzureConfig), nil
case options.MicrosoftEntraIDProvider:
return NewMicrosoftEntraIDProvider(providerData, providerConfig), nil
case options.BitbucketProvider:
return NewBitbucketProvider(providerData, providerConfig.BitbucketConfig), nil
case options.DigitalOceanProvider:
@ -181,7 +183,7 @@ func providerRequiresOIDCProviderVerifier(providerType options.ProviderType) (bo
case options.BitbucketProvider, options.DigitalOceanProvider, options.FacebookProvider, options.GitHubProvider,
options.GoogleProvider, options.KeycloakProvider, options.LinkedInProvider, options.LoginGovProvider, options.NextCloudProvider:
return false, nil
case options.ADFSProvider, options.AzureProvider, options.GitLabProvider, options.KeycloakOIDCProvider, options.OIDCProvider:
case options.ADFSProvider, options.AzureProvider, options.GitLabProvider, options.KeycloakOIDCProvider, options.OIDCProvider, options.MicrosoftEntraIDProvider:
return true, nil
default:
return false, fmt.Errorf("unknown provider type: %s", providerType)