
feature: switch Azure AD graph API to Microsoft Graph API (#440)

* feature: switch Azure AD graph API to Microsoft Graph API

* Update CHANGELOG

* Expand Breaking Changes notice

* Update CHANGELOG.md

Co-Authored-By: Joel Speed <Joel.speed@hotmail.co.uk>

* fix: use constant http method

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
Mitsuo Heijo
2020-04-12 19:53:30 +09:00
committed by GitHub
parent b0b87563dc
commit 7f72a22227
3 changed files with 16 additions and 13 deletions


@@ -12,8 +12,14 @@
- See the changes listed below for PR [#464](https://github.com/oauth2-proxy/oauth2-proxy/pull/464) for full details
- Binaries renamed from `oauth2_proxy` to `oauth2-proxy`
- [#440](https://github.com/oauth2-proxy/oauth2-proxy/pull/440) Switch Azure AD Graph API to Microsoft Graph API (@johejo)
- The Azure AD Graph API has been [deprecated](https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-graph-api) and is being replaced by the Microsoft Graph API.
If your application relies on the access token being passed to it to access the Azure AD Graph API, you should migrate your application to use the Microsoft Graph API.
Existing behaviour can be retained by setting `-resource=https://graph.windows.net`.
## Changes since v5.1.0
- [#440](https://github.com/oauth2-proxy/oauth2-proxy/pull/440) Switch Azure AD Graph API to Microsoft Graph API (@johejo)
- [#453](https://github.com/oauth2-proxy/oauth2-proxy/pull/453) Prevent browser caching during auth flow (@johejo)
- [#481](https://github.com/oauth2-proxy/oauth2-proxy/pull/481) Update Okta docs (@trevorbox)
- [#474](https://github.com/oauth2-proxy/oauth2-proxy/pull/474) Always log hasMember request error object (@jbielick)
@@ -61,7 +67,6 @@ N/A
- [#405](https://github.com/oauth2-proxy/oauth2-proxy/pull/405) The `/sign_in` page now honors the `rd` query parameter, fixing the redirect after a successful authentication (@ti-mo)
- [#434](https://github.com/oauth2-proxy/oauth2-proxy/pull/434) Give the option to prefer email address in the username header when using the -pass-user-headers option (@jordancrawfordnz)
# v5.0.0
## Release Hightlights


@@ -28,16 +28,15 @@ func NewAzureProvider(p *ProviderData) *AzureProvider {
if p.ProfileURL == nil || p.ProfileURL.String() == "" {
p.ProfileURL = &url.URL{
Scheme: "https",
Host: "graph.windows.net",
Path: "/me",
RawQuery: "api-version=1.6",
Scheme: "https",
Host: "graph.microsoft.com",
Path: "/v1.0/me",
}
}
if p.ProtectedResource == nil || p.ProtectedResource.String() == "" {
p.ProtectedResource = &url.URL{
Scheme: "https",
Host: "graph.windows.net",
Host: "graph.microsoft.com",
}
}
if p.Scope == "" {
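Review bot: The ProfileURL and ProtectedResource defaults in NewAzureProvider are still filled in independently, so an operator who follows the changelog and sets only `-resource=https://graph.windows.net` keeps the new `graph.microsoft.com/v1.0/me` profile default. If the access token obtained for that resource is what gets presented to ProfileURL (the call site is not visible in this hunk), the profile lookup would carry a token issued for a different audience and would likely be rejected, leaving the session without an email address. I would document the coupling above the first block, e.g. `// ProfileURL must belong to the API named by ProtectedResource; override both together`, and state in the changelog entry that the profile URL has to be overridden as well. The function body begins and continues outside the hunk.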


@@ -41,9 +41,9 @@ func TestAzureProviderDefaults(t *testing.T) {
p.Data().LoginURL.String())
assert.Equal(t, "https://login.microsoftonline.com/common/oauth2/token",
p.Data().RedeemURL.String())
assert.Equal(t, "https://graph.windows.net/me?api-version=1.6",
assert.Equal(t, "https://graph.microsoft.com/v1.0/me",
p.Data().ProfileURL.String())
assert.Equal(t, "https://graph.windows.net",
assert.Equal(t, "https://graph.microsoft.com",
p.Data().ProtectedResource.String())
assert.Equal(t, "",
p.Data().ValidateURL.String())
@@ -97,9 +97,9 @@ func TestAzureSetTenant(t *testing.T) {
p.Data().LoginURL.String())
assert.Equal(t, "https://login.microsoftonline.com/example/oauth2/token",
p.Data().RedeemURL.String())
assert.Equal(t, "https://graph.windows.net/me?api-version=1.6",
assert.Equal(t, "https://graph.microsoft.com/v1.0/me",
p.Data().ProfileURL.String())
assert.Equal(t, "https://graph.windows.net",
assert.Equal(t, "https://graph.microsoft.com",
p.Data().ProtectedResource.String())
assert.Equal(t, "",
p.Data().ValidateURL.String())
@@ -107,12 +107,11 @@ func TestAzureSetTenant(t *testing.T) {
}
func testAzureBackend(payload string) *httptest.Server {
path := "/me"
query := "api-version=1.6"
path := "/v1.0/me"
return httptest.NewServer(http.HandlerFunc(
func(w http.ResponseWriter, r *http.Request) {
if (r.URL.Path != path || r.URL.RawQuery != query) && r.Method != http.MethodPost {
if (r.URL.Path != path) && r.Method != http.MethodPost {
w.WriteHeader(404)
} else if r.Method == http.MethodPost && r.Body != nil {
w.WriteHeader(200)
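Review bot: The handler in testAzureBackend now matches on the path alone, so the test no longer pins which query string the provider sends; a request that still carried `api-version=1.6` would be accepted. Assuming the new profile request has no query, `if (r.URL.Path != path || r.URL.RawQuery != "") && r.Method != http.MethodPost {` keeps the check as strict as the one it replaces. The condition also lets any POST through regardless of path, which predates this change. The function body continues outside the hunk.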