IntenseWebs/grafana
3
0
Fork 0
mirror of https://github.com/grafana/grafana.git synced 2025-02-25 18:55:37 -06:00
Code Issues Packages Projects Releases Wiki Activity

Auth: Validate Azure ID token version on login is not v1 (#58088)

Browse Source
This commit is contained in:
Jo 2022-11-03 08:47:44 +00:00 committed by GitHub
parent 77f47ccba3
commit eb84358aa7
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 5 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
pkg/login/social/azuread_oauth.go
View File

@ -31,6 +31,7 @@ type azureClaims struct {
ClaimNames claimNames `json:"_claim_names,omitempty"` ClaimNames claimNames `json:"_claim_names,omitempty"`
ClaimSources map[string]claimSource `json:"_claim_sources,omitempty"` ClaimSources map[string]claimSource `json:"_claim_sources,omitempty"`
TenantID string `json:"tid,omitempty"` TenantID string `json:"tid,omitempty"`
OAuthVersion string `json:"ver,omitempty"`
} }
type claimNames struct { type claimNames struct {
@ -65,6 +66,10 @@ func (s *SocialAzureAD) UserInfo(client *http.Client, token *oauth2.Token) (*Bas
return nil, fmt.Errorf("error getting claims from id token: %w", err) return nil, fmt.Errorf("error getting claims from id token: %w", err)
} }
if claims.OAuthVersion == "1.0" {
return nil, &Error{"AzureAD OAuth: version 1.0 is not supported. Please ensure the auth_url and token_url are set to the v2.0 endpoints."}
}
email := claims.extractEmail() email := claims.extractEmail()
if email == "" { if email == "" {
return nil, ErrEmailNotFound return nil, ErrEmailNotFound