|
|
|
@ -29,6 +29,7 @@ type azureClaims struct { |
|
|
|
ID string `json:"oid"` |
|
|
|
ID string `json:"oid"` |
|
|
|
ClaimNames claimNames `json:"_claim_names,omitempty"` |
|
|
|
ClaimNames claimNames `json:"_claim_names,omitempty"` |
|
|
|
ClaimSources map[string]claimSource `json:"_claim_sources,omitempty"` |
|
|
|
ClaimSources map[string]claimSource `json:"_claim_sources,omitempty"` |
|
|
|
|
|
|
|
TenantID string `json:"tid,omitempty"` |
|
|
|
} |
|
|
|
} |
|
|
|
|
|
|
|
|
|
|
|
type claimNames struct { |
|
|
|
type claimNames struct { |
|
|
|
@ -177,20 +178,27 @@ func extractGroups(client *http.Client, claims azureClaims, token *oauth2.Token) |
|
|
|
// If user groups exceeds 200 no groups will be found in claims.
|
|
|
|
// If user groups exceeds 200 no groups will be found in claims.
|
|
|
|
// See https://docs.microsoft.com/en-us/azure/active-directory/develop/id-tokens#groups-overage-claim
|
|
|
|
// See https://docs.microsoft.com/en-us/azure/active-directory/develop/id-tokens#groups-overage-claim
|
|
|
|
endpoint := claims.ClaimSources[claims.ClaimNames.Groups].Endpoint |
|
|
|
endpoint := claims.ClaimSources[claims.ClaimNames.Groups].Endpoint |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
// If the endpoints provided in _claim_source is pointing to the deprecated "graph.windows.net" api
|
|
|
|
|
|
|
|
// replace with handcrafted url to graph.microsoft.com
|
|
|
|
|
|
|
|
// See https://docs.microsoft.com/en-us/graph/migrate-azure-ad-graph-overview
|
|
|
|
if strings.Contains(endpoint, "graph.windows.net") { |
|
|
|
if strings.Contains(endpoint, "graph.windows.net") { |
|
|
|
// If the endpoints provided in _claim_source is pointed to the deprecated "graph.windows.net" api
|
|
|
|
tenantID := claims.TenantID |
|
|
|
// replace with handcrafted url to graph.microsoft.com
|
|
|
|
// If tenantID wasn't found in the id_token, parse access token
|
|
|
|
// See https://docs.microsoft.com/en-us/graph/migrate-azure-ad-graph-overview
|
|
|
|
if tenantID == "" { |
|
|
|
parsedToken, err := jwt.ParseSigned(token.AccessToken) |
|
|
|
parsedToken, err := jwt.ParseSigned(token.AccessToken) |
|
|
|
if err != nil { |
|
|
|
if err != nil { |
|
|
|
return nil, fmt.Errorf("error parsing id token: %w", err) |
|
|
|
return nil, fmt.Errorf("error parsing access token: %w", err) |
|
|
|
} |
|
|
|
} |
|
|
|
|
|
|
|
|
|
|
|
var accessClaims azureAccessClaims |
|
|
|
var accessClaims azureAccessClaims |
|
|
|
if err := parsedToken.UnsafeClaimsWithoutVerification(&accessClaims); err != nil { |
|
|
|
if err := parsedToken.UnsafeClaimsWithoutVerification(&accessClaims); err != nil { |
|
|
|
return nil, fmt.Errorf("error getting claims from access token: %w", err) |
|
|
|
return nil, fmt.Errorf("error getting claims from access token: %w", err) |
|
|
|
|
|
|
|
} |
|
|
|
|
|
|
|
tenantID = accessClaims.TenantID |
|
|
|
} |
|
|
|
} |
|
|
|
endpoint = fmt.Sprintf("https://graph.microsoft.com/v1.0/%s/users/%s/getMemberObjects", accessClaims.TenantID, claims.ID) |
|
|
|
|
|
|
|
|
|
|
|
endpoint = fmt.Sprintf("https://graph.microsoft.com/v1.0/%s/users/%s/getMemberObjects", tenantID, claims.ID) |
|
|
|
} |
|
|
|
} |
|
|
|
|
|
|
|
|
|
|
|
data, err := json.Marshal(&getAzureGroupRequest{SecurityEnabledOnly: false}) |
|
|
|
data, err := json.Marshal(&getAzureGroupRequest{SecurityEnabledOnly: false}) |
|
|
|
|
Gabriel MABILLE
3 years ago
committed by