diff --git a/CHANGELOG.md b/CHANGELOG.md index 8ff23ee3..bd2b9348 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -12,8 +12,14 @@ - See the changes listed below for PR [#464](https://github.com/oauth2-proxy/oauth2-proxy/pull/464) for full details - Binaries renamed from `oauth2_proxy` to `oauth2-proxy` +- [#440](https://github.com/oauth2-proxy/oauth2-proxy/pull/440) Switch Azure AD Graph API to Microsoft Graph API (@johejo) + - The Azure AD Graph API has been [deprecated](https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-graph-api) and is being replaced by the Microsoft Graph API. + If your application relies on the access token being passed to it to access the Azure AD Graph API, you should migrate your application to use the Microsoft Graph API. + Existing behaviour can be retained by setting `-resource=https://graph.windows.net`. + ## Changes since v5.1.0 +- [#440](https://github.com/oauth2-proxy/oauth2-proxy/pull/440) Switch Azure AD Graph API to Microsoft Graph API (@johejo) - [#453](https://github.com/oauth2-proxy/oauth2-proxy/pull/453) Prevent browser caching during auth flow (@johejo) - [#481](https://github.com/oauth2-proxy/oauth2-proxy/pull/481) Update Okta docs (@trevorbox) - [#474](https://github.com/oauth2-proxy/oauth2-proxy/pull/474) Always log hasMember request error object (@jbielick) @@ -61,7 +67,6 @@ N/A - [#405](https://github.com/oauth2-proxy/oauth2-proxy/pull/405) The `/sign_in` page now honors the `rd` query parameter, fixing the redirect after a successful authentication (@ti-mo) - [#434](https://github.com/oauth2-proxy/oauth2-proxy/pull/434) Give the option to prefer email address in the username header when using the -pass-user-headers option (@jordancrawfordnz) - # v5.0.0 ## Release Hightlights diff --git a/providers/azure.go b/providers/azure.go index 1f4f9f8d..393416e3 100644 --- a/providers/azure.go +++ b/providers/azure.go 
@@ -28,16 +28,15 @@ func NewAzureProvider(p *ProviderData) *AzureProvider {
 
 	if p.ProfileURL == nil || p.ProfileURL.String() == "" {
 		p.ProfileURL = &url.URL{
-			Scheme:   "https",
-			Host:     "graph.windows.net",
-			Path:     "/me",
-			RawQuery: "api-version=1.6",
+			Scheme: "https",
+			Host:   "graph.microsoft.com",
+			Path:   "/v1.0/me",
 		}
 	}
 	if p.ProtectedResource == nil || p.ProtectedResource.String() == "" {
 		p.ProtectedResource = &url.URL{
 			Scheme: "https",
-			Host:   "graph.windows.net",
+			Host:   "graph.microsoft.com",
 		}
 	}
 	if p.Scope == "" {
diff --git a/providers/azure_test.go b/providers/azure_test.go
index 33a04f57..6a38ce10 100644
--- a/providers/azure_test.go
+++ b/providers/azure_test.go
@@ -41,9 +41,9 @@ func TestAzureProviderDefaults(t *testing.T) {
 		p.Data().LoginURL.String())
 	assert.Equal(t, "https://login.microsoftonline.com/common/oauth2/token",
 		p.Data().RedeemURL.String())
-	assert.Equal(t, "https://graph.windows.net/me?api-version=1.6",
+	assert.Equal(t, "https://graph.microsoft.com/v1.0/me",
 		p.Data().ProfileURL.String())
-	assert.Equal(t, "https://graph.windows.net",
+	assert.Equal(t, "https://graph.microsoft.com",
 		p.Data().ProtectedResource.String())
 	assert.Equal(t, "",
 		p.Data().ValidateURL.String())
@@ -97,9 +97,9 @@ func TestAzureSetTenant(t *testing.T) {
 		p.Data().LoginURL.String())
 	assert.Equal(t, "https://login.microsoftonline.com/example/oauth2/token",
 		p.Data().RedeemURL.String())
-	assert.Equal(t, "https://graph.windows.net/me?api-version=1.6",
+	assert.Equal(t, "https://graph.microsoft.com/v1.0/me",
 		p.Data().ProfileURL.String())
-	assert.Equal(t, "https://graph.windows.net",
+	assert.Equal(t, "https://graph.microsoft.com",
 		p.Data().ProtectedResource.String())
 	assert.Equal(t, "",
 		p.Data().ValidateURL.String())
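Review bot: The two Graph defaults in NewAzureProvider are chosen independently, so an operator who follows the changelog advice and sets only `-resource=https://graph.windows.net` ends up with an access token issued for the AD Graph audience while ProfileURL still defaults to `graph.microsoft.com/v1.0/me`, and that token is then presented to a host it was not issued for (the profile call would presumably be rejected). The coupling should at least be stated next to the two `if` blocks, e.g. `// ProfileURL and ProtectedResource must target the same Graph API: the token is issued for ProtectedResource and sent to ProfileURL.`, and the repeated `"graph.microsoft.com"` literal is better held in one package constant so the two defaults cannot drift. Separately, Microsoft Graph `/v1.0/me` returns only a default property set, so if the email lookup (outside this hunk) reads a property that the AD Graph response carried, it may now need an explicit `$select` in the default ProfileURL; worth confirming against the parsing code. NewAzureProvider's body starts before and continues after the hunk.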
@@ -107,12 +107,11 @@ func TestAzureSetTenant(t *testing.T) {
 }
 
 func testAzureBackend(payload string) *httptest.Server {
-	path := "/me"
-	query := "api-version=1.6"
+	path := "/v1.0/me"
 	return httptest.NewServer(http.HandlerFunc(
 		func(w http.ResponseWriter, r *http.Request) {
-			if (r.URL.Path != path || r.URL.RawQuery != query) && r.Method != http.MethodPost {
+			if (r.URL.Path != path) && r.Method != http.MethodPost {
 				w.WriteHeader(404)
 			} else if r.Method == http.MethodPost && r.Body != nil {
 				w.WriteHeader(200)