From 66bfd8ebd57d6ef7d51d2e1ecbf0d3a1091c7308 Mon Sep 17 00:00:00 2001 From: Markus Blaschke Date: Wed, 1 Nov 2023 11:12:34 +0100 Subject: [PATCH] add azure china support (#2269) * add azure china support Signed-off-by: Markus Blaschke * update changelog Signed-off-by: Markus Blaschke * fix lint Signed-off-by: Markus Blaschke --------- Signed-off-by: Markus Blaschke Co-authored-by: Joel Speed --- CHANGELOG.md | 4 +++- providers/azure.go | 15 ++++++++------- 2 files changed, 11 insertions(+), 8 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 31e5b55e..b7bdc8de 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -8,13 +8,15 @@ ## Changes since v7.5.1 +- [#2128](https://github.com/oauth2-proxy/oauth2-proxy/pull/2128) Update dependencies (@vllvll) +- [#2269](https://github.com/oauth2-proxy/oauth2-proxy/pull/2269) Added Azure China (and other air gaped cloud) support (@mblaschke) - [#2237](https://github.com/oauth2-proxy/oauth2-proxy/pull/2237) adds an option to append CA certificates (@emsixteeen) - [#2128](https://github.com/oauth2-proxy/oauth2-proxy/pull/2128) Update dependencies (@vllvll) - [#2274](https://github.com/oauth2-proxy/oauth2-proxy/pull/2274) Upgrade golang.org/x/net to v0.17.0 (@pierluigilenoci) - [#2282](https://github.com/oauth2-proxy/oauth2-proxy/pull/2282) Fixed checking Google Groups membership using Google Application Credentials (@kvanzuijlen) - [#2183](https://github.com/oauth2-proxy/oauth2-proxy/pull/2183) Allowing relative redirect url though an option - [#1866](https://github.com/oauth2-proxy/oauth2-proxy/pull/1866) Add support for unix socker as upstream (@babs) -- + # V7.5.1 ## Release Highlights diff --git a/providers/azure.go b/providers/azure.go index a3e80f3f..5ae68d93 100644 --- a/providers/azure.go +++ b/providers/azure.go 
@@ -12,6 +12,7 @@ import (
 "golang.org/x/exp/slices"
 "github.com/bitly/go-simplejson"
+ "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/options"
 "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/sessions"
 "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/logger"
@@ -33,7 +34,6 @@ const (
 azureProviderName = "Azure"
 azureDefaultScope = "openid"
 azureDefaultGraphGroupField = "id"
- azureV2Scope = "https://graph.microsoft.com/.default"
 )
 var (
@@ -90,15 +90,16 @@ func NewAzureProvider(p *ProviderData, opts options.AzureOptions) *AzureProvider
 isV2Endpoint := false
 if strings.Contains(p.LoginURL.String(), "v2.0") {
 isV2Endpoint = true
+ azureV2GraphScope := fmt.Sprintf("https://%s/.default", p.ProfileURL.Host)
 if strings.Contains(p.Scope, " groups") {
 logger.Print("WARNING: `groups` scope is not an accepted scope when using Azure OAuth V2 endpoint. Removing it from the scope list")
 p.Scope = strings.ReplaceAll(p.Scope, " groups", "")
 }
- if !strings.Contains(p.Scope, " "+azureV2Scope) {
+ if !strings.Contains(p.Scope, " "+azureV2GraphScope) {
 // In order to be able to query MS Graph we must pass the ms graph default endpoint
- p.Scope += " " + azureV2Scope
+ p.Scope += " " + azureV2GraphScope
 }
 if p.ProtectedResource != nil && p.ProtectedResource.String() != "" {
@@ -118,12 +119,12 @@ func overrideTenantURL(current, defaultURL *url.URL, tenant, path string) {
 if current == nil || current.String() == "" || current.String() == defaultURL.String() {
 *current = url.URL{
 Scheme: "https",
- Host: "login.microsoftonline.com",
+ Host: current.Host,
 Path: "/" + tenant + "/oauth2/" + path}
 }
 }
-func getMicrosoftGraphGroupsURL(graphGroupField string) *url.URL {
+func getMicrosoftGraphGroupsURL(profileURL *url.URL, graphGroupField string) *url.URL {
 selectStatement := "$select=displayName,id"
 if !slices.Contains([]string{"displayName", "id"}, graphGroupField) {
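Review bot: The new `azureV2GraphScope` line derives the Graph resource scope from `p.ProfileURL.Host` with no check that the pointer is non-nil or the host non-empty, so an empty host yields the scope `https:///.default`, which is appended to `p.Scope` and sent to the token endpoint as-is. That is presumably covered by provider defaults applied before this hunk (NewAzureProvider starts and ends outside it), but the guard is not visible here, and the same unchecked ProfileURL now also decides which Graph host group membership is fetched from in the later hunks. A why-comment on the new line would make that coupling explicit: `// The Graph resource scope follows the configured profile URL host so sovereign clouds (e.g. Azure China) request tokens for their own Graph endpoint.`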
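Review bot: With `Host: current.Host` the `current.String() == ""` arm of the guard now produces `https:///<tenant>/oauth2/<path>` with an empty host, since an empty URL has no host to copy, where the old literal at least produced a usable public-cloud URL. If that arm is still reachable, take the host from the default when it is missing: `host := current.Host`, `if host == "" { host = defaultURL.Host }`, then `Host: host,`. The `current == nil` arm dereferences nil on the following line either way, which predates this change. The new `getMicrosoftGraphGroupsURL` signature at the end of the hunk opens a body that continues in the next hunk.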
@@ -133,7 +134,7 @@ func getMicrosoftGraphGroupsURL(graphGroupField string) *url.URL {
 // Select only security groups. Due to the filter option, count param is mandatory even if unused otherwise
 return &url.URL{
 Scheme: "https",
- Host: "graph.microsoft.com",
+ Host: profileURL.Host,
 Path: "/v1.0/me/transitiveMemberOf",
 RawQuery: "$count=true&$filter=securityEnabled+eq+true&" + selectStatement,
 }
@@ -368,7 +369,7 @@ func (p *AzureProvider) getGroupsFromProfileAPI(ctx context.Context, s *sessions
 return nil, fmt.Errorf("missing access token")
 }
- groupsURL := getMicrosoftGraphGroupsURL(p.GraphGroupField).String()
+ groupsURL := getMicrosoftGraphGroupsURL(p.ProfileURL, p.GraphGroupField).String()
 // Need and extra header while talking with MS Graph. For more context see
 // https://docs.microsoft.com/en-us/graph/api/group-list-transitivememberof?view=graph-rest-1.0&tabs=http#request-headers
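Review bot: `Host: profileURL.Host` reads through the caller's pointer without a nil or empty-host check, so a nil ProfileURL panics here and an empty host produces `https:///v1.0/me/transitiveMemberOf`; the only visible caller, in the last hunk of this file (getGroupsFromProfileAPI), passes `p.ProfileURL` unchecked. Since the groups fetched from this URL presumably feed group-based access decisions, the new contract deserves a doc comment on the signature, which sits in the previous hunk: `// getMicrosoftGraphGroupsURL builds the transitiveMemberOf query against the Graph host taken from profileURL; only the host is reused, the /v1.0 path is fixed, and profileURL must be non-nil with a host set.` The function's signature line is outside this hunk.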