mirror of
https://github.com/zitadel/zitadel.git
synced 2024-12-15 12:27:59 +00:00
b63534c325
* fix(idp): provide id_token for tenant based azure ad
* comments
* remove unintentional changes
(cherry picked from commit 7c592ce638
)
250 lines
8.0 KiB
Go
250 lines
8.0 KiB
Go
package azuread
|
|
|
|
import (
|
|
"fmt"
|
|
|
|
"github.com/zitadel/oidc/v3/pkg/oidc"
|
|
"golang.org/x/oauth2"
|
|
"golang.org/x/text/language"
|
|
|
|
"github.com/zitadel/zitadel/internal/domain"
|
|
"github.com/zitadel/zitadel/internal/idp"
|
|
"github.com/zitadel/zitadel/internal/idp/providers/oauth"
|
|
)
|
|
|
|
const (
|
|
issuerTemplate string = "https://login.microsoftonline.com/%s/v2.0"
|
|
authURLTemplate string = "https://login.microsoftonline.com/%s/oauth2/v2.0/authorize"
|
|
tokenURLTemplate string = "https://login.microsoftonline.com/%s/oauth2/v2.0/token"
|
|
keysURLTemplate string = "https://login.microsoftonline.com/%s/discovery/v2.0/keys"
|
|
userURL string = "https://graph.microsoft.com/v1.0/me"
|
|
userinfoEndpoint string = "https://graph.microsoft.com/oidc/userinfo"
|
|
|
|
ScopeUserRead string = "User.Read"
|
|
)
|
|
|
|
// TenantType are the well known tenant types to scope the users that can authenticate. TenantType is not an
|
|
// exclusive list of Azure Tenants which can be used. A consumer can also use their own Tenant ID to scope
|
|
// authentication to their specific Tenant either through the Tenant ID or the friendly domain name.
|
|
//
|
|
// see also https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols#endpoints
|
|
type TenantType string
|
|
|
|
const (
|
|
// CommonTenant allows users with both personal Microsoft accounts and work/school accounts from Azure Active
|
|
// Directory to sign in to the application.
|
|
CommonTenant TenantType = "common"
|
|
|
|
// OrganizationsTenant allows only users with work/school accounts from Azure Active Directory to sign in to the application.
|
|
OrganizationsTenant TenantType = "organizations"
|
|
|
|
// ConsumersTenant allows only users with personal Microsoft accounts (MSA) to sign in to the application.
|
|
ConsumersTenant TenantType = "consumers"
|
|
)
|
|
|
|
var _ idp.Provider = (*Provider)(nil)
|
|
|
|
// Provider is the [idp.Provider] implementation for AzureAD (V2 Endpoints)
|
|
type Provider struct {
|
|
*oauth.Provider
|
|
tenant TenantType
|
|
emailVerified bool
|
|
options []oauth.ProviderOpts
|
|
}
|
|
|
|
// issuer returns the OIDC issuer based on the [TenantType]
|
|
func (p *Provider) issuer() string {
|
|
return fmt.Sprintf(issuerTemplate, p.tenant)
|
|
}
|
|
|
|
// keysEndpoint returns the OIDC jwks_url based on the [TenantType]
|
|
func (p *Provider) keysEndpoint() string {
|
|
return fmt.Sprintf(keysURLTemplate, p.tenant)
|
|
}
|
|
|
|
type ProviderOptions func(*Provider)
|
|
|
|
// WithTenant allows to set a [TenantType] (can also be a Tenant ID)
|
|
// default is CommonTenant
|
|
func WithTenant(tenantType TenantType) ProviderOptions {
|
|
return func(p *Provider) {
|
|
p.tenant = tenantType
|
|
}
|
|
}
|
|
|
|
// WithEmailVerified allows to set every email received as verified
|
|
func WithEmailVerified() ProviderOptions {
|
|
return func(p *Provider) {
|
|
p.emailVerified = true
|
|
}
|
|
}
|
|
|
|
// WithOAuthOptions allows to specify [oauth.ProviderOpts] like [oauth.WithLinkingAllowed]
|
|
func WithOAuthOptions(opts ...oauth.ProviderOpts) ProviderOptions {
|
|
return func(p *Provider) {
|
|
p.options = append(p.options, opts...)
|
|
}
|
|
}
|
|
|
|
// New creates an AzureAD provider using the [oauth.Provider] (OAuth 2.0 generic provider).
|
|
// By default, it uses the [CommonTenant] and unverified emails.
|
|
func New(name, clientID, clientSecret, redirectURI string, scopes []string, opts ...ProviderOptions) (*Provider, error) {
|
|
provider := &Provider{
|
|
tenant: CommonTenant,
|
|
options: make([]oauth.ProviderOpts, 0),
|
|
}
|
|
for _, opt := range opts {
|
|
opt(provider)
|
|
}
|
|
config := newConfig(provider.tenant, clientID, clientSecret, redirectURI, scopes)
|
|
rp, err := oauth.New(
|
|
config,
|
|
name,
|
|
userURL,
|
|
func() idp.User {
|
|
return &User{isEmailVerified: provider.emailVerified}
|
|
},
|
|
provider.options...,
|
|
)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
provider.Provider = rp
|
|
return provider, nil
|
|
}
|
|
|
|
func newConfig(tenant TenantType, clientID, secret, callbackURL string, scopes []string) *oauth2.Config {
|
|
return &oauth2.Config{
|
|
ClientID: clientID,
|
|
ClientSecret: secret,
|
|
RedirectURL: callbackURL,
|
|
Endpoint: oauth2.Endpoint{
|
|
AuthURL: fmt.Sprintf(authURLTemplate, tenant),
|
|
TokenURL: fmt.Sprintf(tokenURLTemplate, tenant),
|
|
},
|
|
Scopes: ensureMinimalScope(scopes),
|
|
}
|
|
}
|
|
|
|
// ensureMinimalScope ensures that at least openid and `User.Read` ist set
|
|
// if none is provided it will request `openid profile email phone User.Read`
|
|
func ensureMinimalScope(scopes []string) []string {
|
|
if len(scopes) == 0 {
|
|
return []string{oidc.ScopeOpenID, oidc.ScopeProfile, oidc.ScopeEmail, oidc.ScopePhone, ScopeUserRead}
|
|
}
|
|
var openIDSet, userReadSet bool
|
|
for _, scope := range scopes {
|
|
if scope == oidc.ScopeOpenID {
|
|
openIDSet = true
|
|
continue
|
|
}
|
|
if scope == ScopeUserRead {
|
|
userReadSet = true
|
|
continue
|
|
}
|
|
}
|
|
if !openIDSet {
|
|
scopes = append(scopes, oidc.ScopeOpenID)
|
|
}
|
|
if !userReadSet {
|
|
scopes = append(scopes, ScopeUserRead)
|
|
}
|
|
return scopes
|
|
}
|
|
|
|
// User represents the structure return on the userinfo endpoint and implements the [idp.User] interface
|
|
//
|
|
// AzureAD does not return an `email_verified` claim.
|
|
// The verification can be automatically activated on the provider ([WithEmailVerified])
|
|
type User struct {
|
|
ID string `json:"id"`
|
|
BusinessPhones []domain.PhoneNumber `json:"businessPhones"`
|
|
DisplayName string `json:"displayName"`
|
|
FirstName string `json:"givenName"`
|
|
JobTitle string `json:"jobTitle"`
|
|
Email domain.EmailAddress `json:"mail"`
|
|
MobilePhone domain.PhoneNumber `json:"mobilePhone"`
|
|
OfficeLocation string `json:"officeLocation"`
|
|
PreferredLanguage string `json:"preferredLanguage"`
|
|
LastName string `json:"surname"`
|
|
UserPrincipalName string `json:"userPrincipalName"`
|
|
isEmailVerified bool
|
|
}
|
|
|
|
// GetID is an implementation of the [idp.User] interface.
|
|
func (u *User) GetID() string {
|
|
return u.ID
|
|
}
|
|
|
|
// GetFirstName is an implementation of the [idp.User] interface.
|
|
func (u *User) GetFirstName() string {
|
|
return u.FirstName
|
|
}
|
|
|
|
// GetLastName is an implementation of the [idp.User] interface.
|
|
func (u *User) GetLastName() string {
|
|
return u.LastName
|
|
}
|
|
|
|
// GetDisplayName is an implementation of the [idp.User] interface.
|
|
func (u *User) GetDisplayName() string {
|
|
return u.DisplayName
|
|
}
|
|
|
|
// GetNickname is an implementation of the [idp.User] interface.
|
|
// It returns an empty string because AzureAD does not provide the user's nickname.
|
|
func (u *User) GetNickname() string {
|
|
return ""
|
|
}
|
|
|
|
// GetPreferredUsername is an implementation of the [idp.User] interface.
|
|
func (u *User) GetPreferredUsername() string {
|
|
return u.UserPrincipalName
|
|
}
|
|
|
|
// GetEmail is an implementation of the [idp.User] interface.
|
|
func (u *User) GetEmail() domain.EmailAddress {
|
|
if u.Email == "" {
|
|
// if the user used a social login on Azure as well, the email will be empty
|
|
// but is used as username
|
|
return domain.EmailAddress(u.UserPrincipalName)
|
|
}
|
|
return u.Email
|
|
}
|
|
|
|
// IsEmailVerified is an implementation of the [idp.User] interface
|
|
// returning the value specified in the creation of the [Provider].
|
|
// Default is false because AzureAD does not return an `email_verified` claim.
|
|
// The verification can be automatically activated on the provider ([WithEmailVerified]).
|
|
func (u *User) IsEmailVerified() bool {
|
|
return u.isEmailVerified
|
|
}
|
|
|
|
// GetPhone is an implementation of the [idp.User] interface.
|
|
// It returns an empty string because AzureAD does not provide the user's phone.
|
|
func (u *User) GetPhone() domain.PhoneNumber {
|
|
return ""
|
|
}
|
|
|
|
// IsPhoneVerified is an implementation of the [idp.User] interface.
|
|
// It returns false because AzureAD does not provide the user's phone.
|
|
func (u *User) IsPhoneVerified() bool {
|
|
return false
|
|
}
|
|
|
|
// GetPreferredLanguage is an implementation of the [idp.User] interface.
|
|
func (u *User) GetPreferredLanguage() language.Tag {
|
|
return language.Make(u.PreferredLanguage)
|
|
}
|
|
|
|
// GetProfile is an implementation of the [idp.User] interface.
|
|
// It returns an empty string because AzureAD does not provide the user's profile page.
|
|
func (u *User) GetProfile() string {
|
|
return ""
|
|
}
|
|
|
|
// GetAvatarURL is an implementation of the [idp.User] interface.
|
|
func (u *User) GetAvatarURL() string {
|
|
return ""
|
|
}
|