add azure china support (oauth2-proxy#2269)

* add azure china support Signed-off-by: Markus Blaschke <mblaschke82@gmail.com> * update changelog Signed-off-by: Markus Blaschke <mblaschke82@gmail.com> * fix lint Signed-off-by: Markus Blaschke <mblaschke82@gmail.com> --------- Signed-off-by: Markus Blaschke <mblaschke82@gmail.com> Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
atiasn · Nov 1, 2023 · 66bfd8e · 66bfd8e
1 parent 66a81e6
commit 66bfd8e
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 8 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -8,13 +8,15 @@
 
 ## Changes since v7.5.1
 
+- [#2128](https://github.com/oauth2-proxy/oauth2-proxy/pull/2128) Update dependencies (@vllvll)
+- [#2269](https://github.com/oauth2-proxy/oauth2-proxy/pull/2269) Added Azure China (and other air gaped cloud) support (@mblaschke)
 - [#2237](https://github.com/oauth2-proxy/oauth2-proxy/pull/2237) adds an option to append CA certificates (@emsixteeen)
 - [#2128](https://github.com/oauth2-proxy/oauth2-proxy/pull/2128) Update dependencies (@vllvll)
 - [#2274](https://github.com/oauth2-proxy/oauth2-proxy/pull/2274) Upgrade golang.org/x/net to v0.17.0 (@pierluigilenoci)
 - [#2282](https://github.com/oauth2-proxy/oauth2-proxy/pull/2282) Fixed checking Google Groups membership using Google Application Credentials (@kvanzuijlen)
 - [#2183](https://github.com/oauth2-proxy/oauth2-proxy/pull/2183) Allowing relative redirect url though an option
 - [#1866](https://github.com/oauth2-proxy/oauth2-proxy/pull/1866) Add support for unix socker as upstream (@babs)
-- 
+
 # V7.5.1
 
 ## Release Highlights

diff --git a/providers/azure.go b/providers/azure.go
@@ -12,6 +12,7 @@ import (
 	"golang.org/x/exp/slices"
 
 	"github.com/bitly/go-simplejson"
+
 	"github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/options"
 	"github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/sessions"
 	"github.com/oauth2-proxy/oauth2-proxy/v7/pkg/logger"
@@ -33,7 +34,6 @@ const (
 	azureProviderName           = "Azure"
 	azureDefaultScope           = "openid"
 	azureDefaultGraphGroupField = "id"
-	azureV2Scope                = "https://graph.microsoft.com/.default"
 )
 
 var (
@@ -90,15 +90,16 @@ func NewAzureProvider(p *ProviderData, opts options.AzureOptions) *AzureProvider
 	isV2Endpoint := false
 	if strings.Contains(p.LoginURL.String(), "v2.0") {
 		isV2Endpoint = true
+		azureV2GraphScope := fmt.Sprintf("https://%s/.default", p.ProfileURL.Host)
 
 		if strings.Contains(p.Scope, " groups") {
 			logger.Print("WARNING: `groups` scope is not an accepted scope when using Azure OAuth V2 endpoint. Removing it from the scope list")
 			p.Scope = strings.ReplaceAll(p.Scope, " groups", "")
 		}
 
-		if !strings.Contains(p.Scope, " "+azureV2Scope) {
+		if !strings.Contains(p.Scope, " "+azureV2GraphScope) {
 			// In order to be able to query MS Graph we must pass the ms graph default endpoint
-			p.Scope += " " + azureV2Scope
+			p.Scope += " " + azureV2GraphScope
 		}
 
 		if p.ProtectedResource != nil && p.ProtectedResource.String() != "" {
@@ -118,12 +119,12 @@ func overrideTenantURL(current, defaultURL *url.URL, tenant, path string) {
 	if current == nil || current.String() == "" || current.String() == defaultURL.String() {
 		*current = url.URL{
 			Scheme: "https",
-			Host:   "login.microsoftonline.com",
+			Host:   current.Host,
 			Path:   "/" + tenant + "/oauth2/" + path}
 	}
 }
 
-func getMicrosoftGraphGroupsURL(graphGroupField string) *url.URL {
+func getMicrosoftGraphGroupsURL(profileURL *url.URL, graphGroupField string) *url.URL {
 
 	selectStatement := "$select=displayName,id"
 	if !slices.Contains([]string{"displayName", "id"}, graphGroupField) {
@@ -133,7 +134,7 @@ func getMicrosoftGraphGroupsURL(graphGroupField string) *url.URL {
 	// Select only security groups. Due to the filter option, count param is mandatory even if unused otherwise
 	return &url.URL{
 		Scheme:   "https",
-		Host:     "graph.microsoft.com",
+		Host:     profileURL.Host,
 		Path:     "/v1.0/me/transitiveMemberOf",
 		RawQuery: "$count=true&$filter=securityEnabled+eq+true&" + selectStatement,
 	}
@@ -368,7 +369,7 @@ func (p *AzureProvider) getGroupsFromProfileAPI(ctx context.Context, s *sessions
 		return nil, fmt.Errorf("missing access token")
 	}
 
-	groupsURL := getMicrosoftGraphGroupsURL(p.GraphGroupField).String()
+	groupsURL := getMicrosoftGraphGroupsURL(p.ProfileURL, p.GraphGroupField).String()
 
 	// Need and extra header while talking with MS Graph. For more context see
 	// https://docs.microsoft.com/en-us/graph/api/group-list-transitivememberof?view=graph-rest-1.0&tabs=http#request-headers