IntenseWebs/grafana
3
0
Fork 0
mirror of https://github.com/grafana/grafana.git synced 2025-02-25 18:55:37 -06:00
Code Issues Packages Projects Releases Wiki Activity

Azure OAuth: Use TID from id_token by default (#56264)

Browse Source 
Co-authored-by: Kalle Persson <kalle.persson@grafana.com>

Co-authored-by: Kalle Persson <kalle.persson@grafana.com>
This commit is contained in:
Gabriel MABILLE 2022-10-04 13:48:15 +02:00 committed by GitHub
parent 91b4ce08a9
commit 80dfa788c6
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 19 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

30
pkg/login/social/azuread_oauth.go
View File

@ -29,6 +29,7 @@ type azureClaims struct {
ID string `json:"oid"`
ClaimNames claimNames `json:"_claim_names,omitempty"`
ClaimSources map[string]claimSource `json:"_claim_sources,omitempty"`
TenantID string `json:"tid,omitempty"`
}
type claimNames struct {
@ -177,20 +178,27 @@ func extractGroups(client *http.Client, claims azureClaims, token *oauth2.Token)
// If user groups exceeds 200 no groups will be found in claims.
// See https://docs.microsoft.com/en-us/azure/active-directory/develop/id-tokens#groups-overage-claim
endpoint := claims.ClaimSources[claims.ClaimNames.Groups].Endpoint
// If the endpoints provided in _claim_source is pointing to the deprecated "graph.windows.net" api
// replace with handcrafted url to graph.microsoft.com
// See https://docs.microsoft.com/en-us/graph/migrate-azure-ad-graph-overview
if strings.Contains(endpoint, "graph.windows.net") {
// If the endpoints provided in _claim_source is pointed to the deprecated "graph.windows.net" api
// replace with handcrafted url to graph.microsoft.com
// See https://docs.microsoft.com/en-us/graph/migrate-azure-ad-graph-overview
parsedToken, err := jwt.ParseSigned(token.AccessToken)
if err != nil {
return nil, fmt.Errorf("error parsing id token: %w", err)
tenantID := claims.TenantID
// If tenantID wasn't found in the id_token, parse access token
if tenantID == "" {
parsedToken, err := jwt.ParseSigned(token.AccessToken)
if err != nil {
return nil, fmt.Errorf("error parsing access token: %w", err)
}
var accessClaims azureAccessClaims
if err := parsedToken.UnsafeClaimsWithoutVerification(&accessClaims); err != nil {
return nil, fmt.Errorf("error getting claims from access token: %w", err)
}
tenantID = accessClaims.TenantID
}
var accessClaims azureAccessClaims
if err := parsedToken.UnsafeClaimsWithoutVerification(&accessClaims); err != nil {
return nil, fmt.Errorf("error getting claims from access token: %w", err)
}
endpoint = fmt.Sprintf("https://graph.microsoft.com/v1.0/%s/users/%s/getMemberObjects", accessClaims.TenantID, claims.ID)
endpoint = fmt.Sprintf("https://graph.microsoft.com/v1.0/%s/users/%s/getMemberObjects", tenantID, claims.ID)
}
data, err := json.Marshal(&getAzureGroupRequest{SecurityEnabledOnly: false})