fix: ensure minimal scope for azure ad (#5686)

* fix: ensure minimal scope for azure ad * docs(idps): mention scopes which are always sent --------- Co-authored-by: adlerhurst <silvan.reusser@gmail.com>
2025-08-11 18:33:28 +00:00 · 2023-04-17 09:02:16 +02:00
parent 8e19f0f6c3
commit 4c482619da
6 changed files with 37 additions and 14 deletions
--- a/internal/idp/providers/azuread/azuread.go
+++ b/internal/idp/providers/azuread/azuread.go
@@ -16,6 +16,8 @@ const (
 	authURLTemplate  string = "https://login.microsoftonline.com/%s/oauth2/v2.0/authorize"
 	tokenURLTemplate string = "https://login.microsoftonline.com/%s/oauth2/v2.0/token"
 	userinfoURL      string = "https://graph.microsoft.com/v1.0/me"
+
+	ScopeUserRead string = "User.Read"
 )

 // TenantType are the well known tenant types to scope the users that can authenticate. TenantType is not an
@@ -99,7 +101,7 @@ func New(name, clientID, clientSecret, redirectURI string, scopes []string, opts
 }

 func newConfig(tenant TenantType, clientID, secret, callbackURL string, scopes []string) *oauth2.Config {
-	c := &oauth2.Config{
+	return &oauth2.Config{
 		ClientID:     clientID,
 		ClientSecret: secret,
 		RedirectURL:  callbackURL,
@@ -107,13 +109,34 @@ func newConfig(tenant TenantType, clientID, secret, callbackURL string, scopes [
 			AuthURL:  fmt.Sprintf(authURLTemplate, tenant),
 			TokenURL: fmt.Sprintf(tokenURLTemplate, tenant),
 		},
-		Scopes: []string{oidc.ScopeOpenID},
-	}
-	if len(scopes) > 0 {
-		c.Scopes = scopes
+		Scopes: ensureMinimalScope(scopes),
 	}
+}

-	return c
+// ensureMinimalScope ensures that at least openid and `User.Read` ist set
+// if none is provided it will request `openid profile email phone User.Read`
+func ensureMinimalScope(scopes []string) []string {
+	if len(scopes) == 0 {
+		return []string{oidc.ScopeOpenID, oidc.ScopeProfile, oidc.ScopeEmail, oidc.ScopePhone, ScopeUserRead}
+	}
+	var openIDSet, userReadSet bool
+	for _, scope := range scopes {
+		if scope == oidc.ScopeOpenID {
+			openIDSet = true
+			continue
+		}
+		if scope == ScopeUserRead {
+			userReadSet = true
+			continue
+		}
+	}
+	if !openIDSet {
+		scopes = append(scopes, oidc.ScopeOpenID)
+	}
+	if !userReadSet {
+		scopes = append(scopes, ScopeUserRead)
+	}
+	return scopes
 }

 // User represents the structure return on the userinfo endpoint and implements the [idp.User] interface
--- a/internal/idp/providers/azuread/azuread_test.go
+++ b/internal/idp/providers/azuread/azuread_test.go
@@ -36,7 +36,7 @@ func TestProvider_BeginAuth(t *testing.T) {
 				redirectURI:  "redirectURI",
 			},
 			want: &oidc.Session{
-				AuthURL: "https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=clientID&prompt=select_account&redirect_uri=redirectURI&response_type=code&scope=openid&state=testState",
+				AuthURL: "https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=clientID&prompt=select_account&redirect_uri=redirectURI&response_type=code&scope=openid+profile+email+phone+User.Read&state=testState",
 			},
 		},
 		{
@@ -50,7 +50,7 @@ func TestProvider_BeginAuth(t *testing.T) {
 				},
 			},
 			want: &oidc.Session{
-				AuthURL: "https://login.microsoftonline.com/consumers/oauth2/v2.0/authorize?client_id=clientID&prompt=select_account&redirect_uri=redirectURI&response_type=code&scope=openid&state=testState",
+				AuthURL: "https://login.microsoftonline.com/consumers/oauth2/v2.0/authorize?client_id=clientID&prompt=select_account&redirect_uri=redirectURI&response_type=code&scope=openid+profile+email+phone+User.Read&state=testState",
 			},
 		},
 		{
@@ -59,13 +59,13 @@ func TestProvider_BeginAuth(t *testing.T) {
 				clientID:     "clientID",
 				clientSecret: "clientSecret",
 				redirectURI:  "redirectURI",
-				scopes:       []string{openid.ScopeOpenID, openid.ScopeProfile, "user"},
+				scopes:       []string{openid.ScopeOpenID, openid.ScopeProfile, "custom"},
 				options: []ProviderOptions{
 					WithTenant(ConsumersTenant),
 				},
 			},
 			want: &oidc.Session{
-				AuthURL: "https://login.microsoftonline.com/consumers/oauth2/v2.0/authorize?client_id=clientID&prompt=select_account&redirect_uri=redirectURI&response_type=code&scope=openid+profile+user&state=testState",
+				AuthURL: "https://login.microsoftonline.com/consumers/oauth2/v2.0/authorize?client_id=clientID&prompt=select_account&redirect_uri=redirectURI&response_type=code&scope=openid+profile+custom+User.Read&state=testState",
 			},
 		},
 	}