public_git
/
oauth2-proxy
mirror of https://github.com/oauth2-proxy/oauth2-proxy.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

add azure china support (#2269) 

* add azure china support

Signed-off-by: Markus Blaschke <mblaschke82@gmail.com>

* update changelog

Signed-off-by: Markus Blaschke <mblaschke82@gmail.com>

* fix lint

Signed-off-by: Markus Blaschke <mblaschke82@gmail.com>

---------

Signed-off-by: Markus Blaschke <mblaschke82@gmail.com>
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
This commit is contained in:
Markus Blaschke 2023-11-01 11:12:34 +01:00 committed by GitHub
parent 66a81e6eeb
commit 66bfd8ebd5
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 11 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
CHANGELOG.md
View File

@ -8,13 +8,15 @@
## Changes since v7.5.1 ## Changes since v7.5.1
- [#2128](https://github.com/oauth2-proxy/oauth2-proxy/pull/2128) Update dependencies (@vllvll)
- [#2269](https://github.com/oauth2-proxy/oauth2-proxy/pull/2269) Added Azure China (and other air gaped cloud) support (@mblaschke)
- [#2237](https://github.com/oauth2-proxy/oauth2-proxy/pull/2237) adds an option to append CA certificates (@emsixteeen) - [#2237](https://github.com/oauth2-proxy/oauth2-proxy/pull/2237) adds an option to append CA certificates (@emsixteeen)
- [#2128](https://github.com/oauth2-proxy/oauth2-proxy/pull/2128) Update dependencies (@vllvll) - [#2128](https://github.com/oauth2-proxy/oauth2-proxy/pull/2128) Update dependencies (@vllvll)
- [#2274](https://github.com/oauth2-proxy/oauth2-proxy/pull/2274) Upgrade golang.org/x/net to v0.17.0 (@pierluigilenoci) - [#2274](https://github.com/oauth2-proxy/oauth2-proxy/pull/2274) Upgrade golang.org/x/net to v0.17.0 (@pierluigilenoci)
- [#2282](https://github.com/oauth2-proxy/oauth2-proxy/pull/2282) Fixed checking Google Groups membership using Google Application Credentials (@kvanzuijlen) - [#2282](https://github.com/oauth2-proxy/oauth2-proxy/pull/2282) Fixed checking Google Groups membership using Google Application Credentials (@kvanzuijlen)
- [#2183](https://github.com/oauth2-proxy/oauth2-proxy/pull/2183) Allowing relative redirect url though an option - [#2183](https://github.com/oauth2-proxy/oauth2-proxy/pull/2183) Allowing relative redirect url though an option
- [#1866](https://github.com/oauth2-proxy/oauth2-proxy/pull/1866) Add support for unix socker as upstream (@babs) - [#1866](https://github.com/oauth2-proxy/oauth2-proxy/pull/1866) Add support for unix socker as upstream (@babs)
-
# V7.5.1 # V7.5.1
## Release Highlights ## Release Highlights

15
providers/azure.go
View File

@ -12,6 +12,7 @@ import (
"golang.org/x/exp/slices" "golang.org/x/exp/slices"
"github.com/bitly/go-simplejson" "github.com/bitly/go-simplejson"
"github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/options" "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/options"
"github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/sessions" "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/sessions"
"github.com/oauth2-proxy/oauth2-proxy/v7/pkg/logger" "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/logger"
@ -33,7 +34,6 @@ const (
azureProviderName = "Azure" azureProviderName = "Azure"
azureDefaultScope = "openid" azureDefaultScope = "openid"
azureDefaultGraphGroupField = "id" azureDefaultGraphGroupField = "id"
azureV2Scope = "https://graph.microsoft.com/.default"
) )
var ( var (
@ -90,15 +90,16 @@ func NewAzureProvider(p *ProviderData, opts options.AzureOptions) *AzureProvider
isV2Endpoint := false isV2Endpoint := false
if strings.Contains(p.LoginURL.String(), "v2.0") { if strings.Contains(p.LoginURL.String(), "v2.0") {
isV2Endpoint = true isV2Endpoint = true
azureV2GraphScope := fmt.Sprintf("https://%s/.default", p.ProfileURL.Host)
if strings.Contains(p.Scope, " groups") { if strings.Contains(p.Scope, " groups") {
logger.Print("WARNING: `groups` scope is not an accepted scope when using Azure OAuth V2 endpoint. Removing it from the scope list") logger.Print("WARNING: `groups` scope is not an accepted scope when using Azure OAuth V2 endpoint. Removing it from the scope list")
p.Scope = strings.ReplaceAll(p.Scope, " groups", "") p.Scope = strings.ReplaceAll(p.Scope, " groups", "")
} }
if !strings.Contains(p.Scope, " "+azureV2Scope) { if !strings.Contains(p.Scope, " "+azureV2GraphScope) {
// In order to be able to query MS Graph we must pass the ms graph default endpoint // In order to be able to query MS Graph we must pass the ms graph default endpoint
p.Scope += " " + azureV2Scope p.Scope += " " + azureV2GraphScope
} }
if p.ProtectedResource != nil && p.ProtectedResource.String() != "" { if p.ProtectedResource != nil && p.ProtectedResource.String() != "" {
@ -118,12 +119,12 @@ func overrideTenantURL(current, defaultURL *url.URL, tenant, path string) {
if current == nil || current.String() == "" || current.String() == defaultURL.String() { if current == nil || current.String() == "" || current.String() == defaultURL.String() {
*current = url.URL{ *current = url.URL{
Scheme: "https", Scheme: "https",
Host: "login.microsoftonline.com", Host: current.Host,
Path: "/" + tenant + "/oauth2/" + path} Path: "/" + tenant + "/oauth2/" + path}
} }
} }
func getMicrosoftGraphGroupsURL(graphGroupField string) *url.URL { func getMicrosoftGraphGroupsURL(profileURL *url.URL, graphGroupField string) *url.URL {
selectStatement := "$select=displayName,id" selectStatement := "$select=displayName,id"
if !slices.Contains([]string{"displayName", "id"}, graphGroupField) { if !slices.Contains([]string{"displayName", "id"}, graphGroupField) {
@ -133,7 +134,7 @@ func getMicrosoftGraphGroupsURL(graphGroupField string) *url.URL {
// Select only security groups. Due to the filter option, count param is mandatory even if unused otherwise // Select only security groups. Due to the filter option, count param is mandatory even if unused otherwise
return &url.URL{ return &url.URL{
Scheme: "https", Scheme: "https",
Host: "graph.microsoft.com", Host: profileURL.Host,
Path: "/v1.0/me/transitiveMemberOf", Path: "/v1.0/me/transitiveMemberOf",
RawQuery: "$count=true&$filter=securityEnabled+eq+true&" + selectStatement, RawQuery: "$count=true&$filter=securityEnabled+eq+true&" + selectStatement,
} }
@ -368,7 +369,7 @@ func (p *AzureProvider) getGroupsFromProfileAPI(ctx context.Context, s *sessions
return nil, fmt.Errorf("missing access token") return nil, fmt.Errorf("missing access token")
} }
groupsURL := getMicrosoftGraphGroupsURL(p.GraphGroupField).String() groupsURL := getMicrosoftGraphGroupsURL(p.ProfileURL, p.GraphGroupField).String()
// Need and extra header while talking with MS Graph. For more context see // Need and extra header while talking with MS Graph. For more context see
// https://docs.microsoft.com/en-us/graph/api/group-list-transitivememberof?view=graph-rest-1.0&tabs=http#request-headers // https://docs.microsoft.com/en-us/graph/api/group-list-transitivememberof?view=graph-rest-1.0&tabs=http#request-headers