Plugin: Azure: Allows the user to be verified based on the internal Azure ID - refs BT#21930

main/auth/external_login/login.azure.php

@@ -12,6 +12,16 @@ if ($uData['auth_source'] === 'azure') {
         api_not_allowed(true);
     }
 
+    $uidField = new ExtraFieldValue('user');
+    $uidValue = $uidField->get_values_by_handler_and_field_variable(
+        $uData['user_id'],
+        AzureActiveDirectory::EXTRA_FIELD_AZURE_UID
+    );
+
+    if (empty($uidValue) || empty($uidValue['value'])) {
+        api_not_allowed(true);
+    }
+
     $azureIdField = new ExtraFieldValue('user');
     $azureIdValue = $azureIdField->get_values_by_handler_and_field_variable(
         $uData['user_id'],

plugin/azure_active_directory/lang/dutch.php

@@ -24,6 +24,7 @@ $strings['management_login_name'] = 'Naam voor de beheeraanmelding';
 $strings['management_login_name_help'] = 'De standaardinstelling is "Beheer login".';
 $strings['OrganisationEmail'] = 'Organisatie e-mail';
 $strings['AzureId'] = 'Azure ID (mailNickname)';
+$strings['AzureUid'] = 'Azure UID (internal ID)';
 $strings['ManagementLogin'] = 'Beheer Login';
 $strings['InvalidId'] = 'Deze identificatie is niet geldig (verkeerde log-in of wachtwoord). Errocode: AZMNF';
 $strings['provisioning'] = 'Geautomatiseerde inrichting';

plugin/azure_active_directory/lang/english.php

@@ -24,6 +24,7 @@ $strings['management_login_name'] = 'Name for the management login';
 $strings['management_login_name_help'] = 'The default is "Management Login".';
 $strings['OrganisationEmail'] = 'Organisation e-mail';
 $strings['AzureId'] = 'Azure ID (mailNickname)';
+$strings['AzureUid'] = 'Azure UID (internal ID)';
 $strings['ManagementLogin'] = 'Management Login';
 $strings['InvalidId'] = 'Login failed - incorrect login or password. Errocode: AZMNF';
 $strings['provisioning'] = 'Automated provisioning';

plugin/azure_active_directory/lang/french.php

@@ -24,6 +24,7 @@ $strings['management_login_name'] = 'Nom du login de gestion';
 $strings['management_login_name_help'] = 'Le nom par défaut est "Login de gestion".';
 $strings['OrganisationEmail'] = 'E-mail professionnel';
 $strings['AzureId'] = 'ID Azure (mailNickname)';
+$strings['AzureUid'] = 'Azure UID (internal ID)';
 $strings['ManagementLogin'] = 'Login de gestion';
 $strings['InvalidId'] = 'Échec du login - nom d\'utilisateur ou mot de passe incorrect. Errocode: AZMNF';
 $strings['provisioning'] = 'Création automatisée';

plugin/azure_active_directory/lang/spanish.php

@@ -24,6 +24,7 @@ $strings['management_login_name'] = 'Nombre del bloque de login de gestión';
 $strings['management_login_name_help'] = 'El nombre por defecto es "Login de gestión".';
 $strings['OrganisationEmail'] = 'E-mail profesional';
 $strings['AzureId'] = 'ID Azure (mailNickname)';
+$strings['AzureUid'] = 'UID Azure (ID interno)';
 $strings['ManagementLogin'] = 'Login de gestión';
 $strings['InvalidId'] = 'Problema en el login - nombre de usuario o contraseña incorrecto. Errocode: AZMNF';
 $strings['provisioning'] = 'Creación automatizada';

plugin/azure_active_directory/src/AzureActiveDirectory.php

@@ -29,6 +29,7 @@ class AzureActiveDirectory extends Plugin
 
     public const EXTRA_FIELD_ORGANISATION_EMAIL = 'organisationemail';
     public const EXTRA_FIELD_AZURE_ID = 'azure_id';
+    public const EXTRA_FIELD_AZURE_UID = 'azure_uid';
 
     /**
      * AzureActiveDirectory constructor.
@@ -123,5 +124,11 @@ class AzureActiveDirectory extends Plugin
             $this->get_lang('AzureId'),
             ''
         );
+        UserManager::create_extra_field(
+            self::EXTRA_FIELD_AZURE_UID,
+            ExtraField::FIELD_TYPE_TEXT,
+            $this->get_lang('AzureUid'),
+            ''
+        );
     }
 }

plugin/azure_active_directory/src/callback.php

@@ -79,7 +79,10 @@ try {
         throw new Exception('The mail field is empty in Azure AD and is needed to set the organisation email for this user.');
     }
     if (empty($me['mailNickname'])) {
-        throw new Exception('The mailNickname field is empty in Azure AD and is needed to set the unique Azure ID for this user.');
+        throw new Exception('The mailNickname field is empty in Azure AD and is needed to set the unique username for this user.');
+    }
+    if (empty($me['objectId'])) {
+        throw new Exception('The id field is empty in Azure AD and is needed to set the unique Azure ID for this user.');
     }
 
     $extraFieldValue = new ExtraFieldValue('user');
@@ -91,6 +94,10 @@ try {
         AzureActiveDirectory::EXTRA_FIELD_AZURE_ID,
         $me['mailNickname']
     );
+    $uidValue = $extraFieldValue->get_item_id_from_field_variable_and_field_value(
+        AzureActiveDirectory::EXTRA_FIELD_AZURE_UID,
+        $me['objectId']
+    );
 
     $userId = null;
     // Get the user ID (if any) from the EXTRA_FIELD_ORGANISATION_EMAIL extra
@@ -107,6 +114,14 @@ try {
         }
     }
 
+    if (empty($userId)) {
+        // If the previous step didn't work, get the user ID from
+        // EXTRA_FIELD_AZURE_UID
+        if (!empty($uidValue) && isset($uidValue['item_id'])) {
+            $userId = $uidValue['item_id'];
+        }
+    }
+
     if (empty($userId)) {
         // If we didn't find the user
         if ($plugin->get(AzureActiveDirectory::SETTING_PROVISION_USERS) === 'true') {
@@ -155,6 +170,7 @@ try {
                 [
                     'extra_'.AzureActiveDirectory::EXTRA_FIELD_ORGANISATION_EMAIL => $me['mail'],
                     'extra_'.AzureActiveDirectory::EXTRA_FIELD_AZURE_ID => $me['mailNickname'],
+                    'extra_'.AzureActiveDirectory::EXTRA_FIELD_AZURE_UID => $me['id'],
                 ],
                 null,
                 null,
@@ -164,7 +180,7 @@ try {
                 throw new Exception(get_lang('UserNotAdded').' '.$me['mailNickname']);
             }
         } else {
-            throw new Exception('User not found when checking the extra fields from '.$me['mail'].' or '.$me['mailNickname'].'.');
+            throw new Exception('User not found when checking the extra fields from '.$me['mail'].' or '.$me['mailNickname'].' or '.$me['id'].'.');
         }
     }