AzureAd Oauth: Fix strictMode to reject users without an assigned role (#48474)

* AzureAd Oauth: Fix strictMode to reject users without an assigned role Signed-off-by: kyschouv <kyschouv@microsoft.com> * AzureAd OAuth: Add test for strictMode auth when no role claims are returned Signed-off-by: kyschouv <kyschouv@microsoft.com>
2024-11-23 01:16:31 -06:00 · 2022-04-28 23:13:19 -07:00 · 2022-04-28 23:13:19 -07:00 · 7b224adf9f
commit 7b224adf9f
parent ce8becdfe2
2 changed files with 20 additions and 0 deletions
--- a/pkg/login/social/azuread_oauth.go
+++ b/pkg/login/social/azuread_oauth.go
@ -124,6 +124,10 @@ func extractEmail(claims azureClaims) string {

 func extractRole(claims azureClaims, autoAssignRole string, strictMode bool) models.RoleType {
 	if len(claims.Roles) == 0 {
+		if strictMode {
+			return models.RoleType("")
+		}
+
 		return models.RoleType(autoAssignRole)
 	}

--- a/pkg/login/social/azuread_oauth_test.go
+++ b/pkg/login/social/azuread_oauth_test.go
@ -296,6 +296,22 @@ func TestSocialAzureAD_UserInfo(t *testing.T) {
 			want:    nil,
 			wantErr: true,
 		},
+		{
+			name: "Fetch empty role when strict attribute role is true and no role claims returned",
+			fields: fields{
+				roleAttributeStrict: true,
+			},
+			claims: &azureClaims{
+				Email:             "me@example.com",
+				PreferredUsername: "",
+				Roles:             []string{},
+				Groups:            []string{},
+				Name:              "My Name",
+				ID:                "1234",
+			},
+			want:    nil,
+			wantErr: true,
+		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {