From fe7b5547779e2132ebdb31325cedca61466d5a40 Mon Sep 17 00:00:00 2001
From: Rastislav
Date: Mon, 9 Mar 2026 10:37:37 +0100
Subject: [PATCH] Always query Graph API for group membership

Previously, Graph API was queried only when the `groups` scope was present. However, EntraID in Shell environment does not provide the `groups` scope. Query Graph API unconditionally to retrieve group membership. The returned groups are intersected with the configured allowed groups to minimize the cookie size.
---
 providers/ms_entra_id.go | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/providers/ms_entra_id.go b/providers/ms_entra_id.go
index f9445d69..e2e6046d 100644
--- a/providers/ms_entra_id.go
+++ b/providers/ms_entra_id.go
@@ -73,6 +73,11 @@ func (p *MicrosoftEntraIDProvider) EnrichSession(ctx context.Context, session *s
 if err = p.addGraphGroupsToSession(ctx, session); err != nil {
 return fmt.Errorf("unable to enrich session: %v", err)
 }
+} else {
+logger.Printf("reading groups from Graph API")
+if err = p.addGraphGroupsToSession(ctx, session); err != nil {
+return fmt.Errorf("unable to enrich session: %v", err)
+}
 }
 
 return nil
@@ -251,7 +256,10 @@ func (p *MicrosoftEntraIDProvider) addGraphGroupsToSession(ctx context.Context,
 for i := range reqGroups {
 value := response.Get("value").GetIndex(i).Get("id").MustString()
-allGroups = append(allGroups, value)
+// allGroups = append(allGroups, value)
+if _, ok := p.AllowedGroups[value]; ok {
+allGroups = append(allGroups, value)
+}
 }
 
 // https://learn.microsoft.com/en-us/graph/paging?view=graph-rest-1.0&tabs=http#how-paging-works
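Review bot: Both arms of the conditional in EnrichSession now end in the same `p.addGraphGroupsToSession(ctx, session)` call with identical error handling, so the added `else` contributes only a log line; hoisting the call and its error check to just after the `if`, and keeping only the branch-specific `logger.Printf` inside each arm, would remove the duplicated block. The error is still wrapped with `%v`, which breaks the error chain; `return fmt.Errorf("unable to enrich session: %w", err)` lets callers inspect the underlying Graph error with `errors.Is`/`errors.As`. Because the second hunk makes addGraphGroupsToSession keep only ids found in `p.AllowedGroups`, calling it unconditionally appears to leave the session with no group membership at all when no allowed groups are configured, which is a behaviour change worth stating explicitly in a comment at the call site if it is intended. The signature of EnrichSession and the `if` condition being extended lie outside the hunk.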