Allow azure providers to use a configured tenant and graph API (#12852)

* Add tenant to azure form

* Use graph_api and tenant options to azure

* bump providers gem

---------

Co-authored-by: Markus Kahl <machisuji@gmail.com>

Gemfile.lock

@@ -44,8 +44,8 @@ GIT
 
 GIT
   remote: https://github.com/opf/omniauth-openid_connect-providers.git
-  revision: a6c0c3ed78fac79cf4d007e40d4029e524ec7751
-  ref: a6c0c3ed78fac79cf4d007e40d4029e524ec7751
+  revision: 7559f44e70203f94572a90e1b4d1d1f8279cd40f
+  ref: 7559f44e70203f94572a90e1b4d1d1f8279cd40f
   specs:
     omniauth-openid_connect-providers (0.2.0)
       omniauth-openid-connect (>= 0.2.1)

Gemfile.modules

@@ -10,7 +10,7 @@ end
 
 gem 'omniauth-openid_connect-providers',
     git: 'https://github.com/opf/omniauth-openid_connect-providers.git',
-    ref: 'a6c0c3ed78fac79cf4d007e40d4029e524ec7751'
+    ref: '7559f44e70203f94572a90e1b4d1d1f8279cd40f'
 
 gem 'omniauth-openid-connect',
     git: 'https://github.com/opf/omniauth-openid-connect.git',

docs/system-admin-guide/authentication/openid-providers/README.md

@@ -165,7 +165,13 @@ At the end of this step, you should have a copy of the Application client ID as
 
 ### Step 2: Configure OpenProject
 
-Now, head over to OpenProject > Administration > OpenID providers. Click on "New OpenID provider", select the Azure type, enter the client ID and client Secret and then Save.
+Now, head over to OpenProject > Administration > OpenID providers. Click on "New OpenID provider", select the Azure type, enter the client ID and client Secret.
+
+By default, OpenProject will use the Microsoft Graph API endpoint to perform userinfo requests.
+For that, you will need to enter the correct tenant identifier for your Azure instance.
+To find the correct value for your instance, [please see this guide](https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-protocols-oidc#find-your-apps-openid-configuration-document-uri).
+
+Once you filled out the form, hit save and the Azure provider has been created.
 
 You can now log out, and see that the login form displays a badge for authenticating with Azure. If you click on that badge, you will be redirected to Azure to enter your credentials and allow the App to access your Azure profile, and you should then be automatically logged in.
 

frontend/src/stimulus/controllers/dynamic/admin/openid-connect-providers.controller.ts

@@ -0,0 +1,18 @@
+import { Controller } from '@hotwired/stimulus';
+
+export default class OpenidConnectProvidersController extends Controller {
+  static targets = [
+    'azureForm',
+  ];
+
+  declare readonly azureFormTarget:HTMLElement;
+
+  public updateTypeForm(evt:InputEvent) {
+    const name = (evt.target as HTMLInputElement).value;
+    this.azureFormTarget.hidden = name !== 'azure';
+    this
+      .azureFormTarget
+      .querySelectorAll('input')
+      .forEach((el) => (el.disabled = this.azureFormTarget.hidden));
+  }
+}

modules/openid_connect/app/controllers/openid_connect/providers_controller.rb

@@ -13,7 +13,7 @@ module OpenIDConnect
       if openid_connect_providers_available_for_configure.none?
         redirect_to action: :index
       else
-        @provider = ::OpenIDConnect::Provider.initialize_with({})
+        @provider = ::OpenIDConnect::Provider.initialize_with({ use_graph_api: true })
       end
     end
 
@@ -62,11 +62,15 @@ module OpenIDConnect
     end
 
     def create_params
-      params.require(:openid_connect_provider).permit(:name, :display_name, :identifier, :secret, :limit_self_registration)
+      params
+        .require(:openid_connect_provider)
+        .permit(:name, :display_name, :identifier, :secret, :limit_self_registration, :tenant, :use_graph_api)
     end
 
     def update_params
-      params.require(:openid_connect_provider).permit(:display_name, :identifier, :secret, :limit_self_registration)
+      params
+        .require(:openid_connect_provider)
+        .permit(:display_name, :identifier, :secret, :limit_self_registration, :tenant, :use_graph_api)
     end
 
     def find_provider

modules/openid_connect/app/models/openid_connect/provider.rb

@@ -21,6 +21,9 @@ module OpenIDConnect
     delegate :scope, to: :omniauth_provider, allow_nil: true
     delegate :to_h, to: :omniauth_provider, allow_nil: false
 
+    delegate :tenant, to: :omniauth_provider, allow_nil: false
+    delegate :use_graph_api, to: :omniauth_provider, allow_nil: false
+
     ##
     # Controls whether or not self registration shall be limited for this provider.
     #

modules/openid_connect/app/views/openid_connect/providers/_azure_form.html.erb

@@ -0,0 +1,21 @@
+<% if (@provider.new_record? && !providers.map(&:name).include?('azure')) || @provider.name == 'azure' %>
+  <%= content_tag :fieldset,
+                  class: 'form--fieldset',
+                  data: {
+                    'admin--openid-connect-providers-target': 'azureForm',
+                  },
+                  hidden: @provider.name.present? && @provider.name != 'azure' do %>
+    <div class="form--field">
+      <%= f.text_field :tenant, required: true, container_class: '-middle' %>
+      <div class="form--field-instructions">
+        <%= t('openid_connect.setting_instructions.azure_tenant_html') %>
+      </div>
+    </div>
+    <div class="form--field">
+      <%= f.check_box :use_graph_api, container_class: '-middle' %>
+      <div class="form--field-instructions">
+        <%= t('openid_connect.setting_instructions.azure_graph_api') %>
+      </div>
+    </div>
+  <% end %>
+<% end %>

modules/openid_connect/app/views/openid_connect/providers/_form.html.erb

@@ -1,12 +1,14 @@
 <fieldset class="form--fieldset">
-  <% unless f.object.persisted? -%>
+  <% unless @provider.persisted? -%>
     <div class="form--field -required">
       <%= f.collection_select :name,
-        openid_connect_providers_available_for_configure,
-        :to_s,
-        :capitalize,
-        required: true,
-        container_class: '-middle'
+                              openid_connect_providers_available_for_configure,
+                              :to_s,
+                              :capitalize,
+                              { container_class: '-middle', required: true },
+                              data: {
+                                'action': 'admin--openid-connect-providers#updateTypeForm'
+                              }
       %>
     </div>
   <% end -%>
@@ -30,3 +32,4 @@
     </div>
   </div>
 </fieldset>
+<%= render partial: 'azure_form', locals: { f: } %>

modules/openid_connect/app/views/openid_connect/providers/new.html.erb

@@ -5,6 +5,9 @@
 
 <%= error_messages_for @provider %>
 
+<% content_controller 'admin--openid-connect-providers',
+                      dynamic: true %>
+
 <%= labelled_tabular_form_for @provider,
                               html: { class: 'form', autocomplete: 'off' } do |f| %>
   <%= render partial: "form", locals: { f: f } %>

modules/openid_connect/config/locales/en.yml

@@ -20,5 +20,10 @@ en:
       plural: OpenID providers
       singular: OpenID provider
     setting_instructions:
+      azure_graph_api: >
+        Use the graph.microsoft.com userinfo endpoint to request userdata. This should be the default unless you have an older azure application.
+      azure_tenant_html: >
+        Set the tenant of your Azure endpoint. This will control who gets access to the OpenProject instance.
+        For more information, please see <a href="https://www.openproject.org/docs/system-admin-guide/authentication/openid-providers/#azure-active-directory">our user guide on Azure OpenID connect</a>.
       limit_self_registration: >
         If enabled users can only register using this provider if the self registration setting allows for it.