Always query Graph API for group membership

Previously, the Graph API was queried only when the `groups` scope was present.
However, EntraID in the Shell environment does not provide the `groups` scope.

Query Graph API unconditionally to retrieve group membership. The returned
groups are intersected with the configured allowed groups to minimize the
cookie size.
Rastislav 2026-03-09 10:37:37 +01:00 committed by Ferhat Yildiz
parent 88075737a6
commit fe7b554777
1 changed files with 9 additions and 1 deletions


@ -73,6 +73,11 @@ func (p *MicrosoftEntraIDProvider) EnrichSession(ctx context.Context, session *s
if err = p.addGraphGroupsToSession(ctx, session); err != nil {
return fmt.Errorf("unable to enrich session: %v", err)
}
} else {
logger.Printf("reading groups from Graph API")
if err = p.addGraphGroupsToSession(ctx, session); err != nil {
return fmt.Errorf("unable to enrich session: %v", err)
}
}
return nil
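Review bot: The new `else` branch is a verbatim copy of the `if` branch above it — both call `p.addGraphGroupsToSession(ctx, session)` and return the same wrapped error — so the scope check that selects between them is now dead and the function should make the single unconditional call the commit message describes. While collapsing it, wrap with `%w` instead of `%v` so callers can inspect the cause with `errors.Is`/`errors.As`: `if err := p.addGraphGroupsToSession(ctx, session); err != nil { return fmt.Errorf("unable to enrich session: %w", err) }`. The `if` condition and the start of EnrichSession lie outside the hunk, so I cannot tell whether the original branch does additional work before the call that would need to be preserved. The second hunk also leaves a commented-out `// allGroups = append(allGroups, value)` next to the line it replaced; delete it rather than keeping dead code as a comment.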
@ -251,7 +256,10 @@ func (p *MicrosoftEntraIDProvider) addGraphGroupsToSession(ctx context.Context,
for i := range reqGroups {
value := response.Get("value").GetIndex(i).Get("id").MustString()
allGroups = append(allGroups, value)
// allGroups = append(allGroups, value)
if _, ok := p.AllowedGroups[value]; ok {
allGroups = append(allGroups, value)
}
}
// https://learn.microsoft.com/en-us/graph/paging?view=graph-rest-1.0&tabs=http#how-paging-works