Enable Azure AD v2 tokens

[simongottschlag]

Changes:

• Add oauth.azure_token (access_token and id_token are possible configurations)
• Use preferred_username if UPN is empty

Tries to fix: #314

[simongottschlag]

@bnfinet would it be possible to add the label “hacktoberfest-accepted” to this PR (if it’s accepted)?

[bnfinet]

@simongottschlag Sorry for the delay in reviewing. I should have some time over these next few days to pay attention to the outstanding PRs.

Is this no longer a viable solution? Was curious why you closed the PR.

[simongottschlag]

@bnfinet I was cleaning up all abandoned tasks and PRs I had 😊 I've reopened it again!

[xtra-be]

yes please merge, rather have this in main branch than maintain a custom build

[iamareuben]

I have pulled this code and tested it, but a bug was introduced into pkg/cfg/oauth.go during a merge (commit 2175fcb) where configureOauthClient() is no longer being called, which leads to a panic during login.

This is pretty straightforward to fix, but I can't fork a PR, and I'm not sure on the etiquette of just copying @simongottschlag changes into my own fork and submitting a PR. As it's only one line, it's a simple patch:

diff --git a/pkg/cfg/oauth.go b/pkg/cfg/oauth.go
index 40dc430..b3d2b08 100644
--- a/pkg/cfg/oauth.go
+++ b/pkg/cfg/oauth.go
@@ -143,6 +143,7 @@ func setProviderDefaults() {
                configureOAuthClient()
        } else if GenOAuth.Provider == Providers.Azure {
                setDefaultsAzure()
+               configureOAuthClient()
        } else if GenOAuth.Provider == Providers.IndieAuth {
                GenOAuth.CodeChallengeMethod = "S256"
                configureOAuthClient()

After that fix, the login flow works perfectly for Azure, both for guest users (fixing #314 ) and full tenant users. Full log with a simple example config is available at https://gist.github.com/iamareuben/540e1b0b170abab0f0df1a3807538967

Please note that for guest user login to work with this setup, an extra claim needs to be set up in the Azure AD portal for preferred_username (screenshot attached). As per your config.yml file, this can either be set up as a id_token or an access_token

Let me know if any further info is required to test out this PR. VP is an awesome piece of software which makes deploying internal web apps for my business super easy so I'm keen to contribute however I can.

[bnfinet]

thanks for the contribution and analysis @iamareuben

I'll add that patch to the PR, push to Simon's branch and then ask you to test again.

Thanks also for the kind words and the offer to help. Always appreciated.

[acm-073]

Also tested this PR, it works great. See log file here: https://gist.github.com/acm-073/c7d91bca67c882c1e22e2aa8b4499bc4

I would really be glad to see this merged.

[bnfinet]

Thanks @acm-073,

Just to clarify, you made the adjustment to the code that's suggested by @iamareuben prior to generating your log, is that correct?

[acm-073]

@bnfinet that change is already in git, see commit 6d8b79a

I just checked out HEAD of branch https://github.com/simongottschlag/vouch-proxy/tree/azureadv2 and used docker build to build the image.

[bnfinet]

merged!

@iamareuben @acm-073 @simongottschlag thanks all for the collective effort

[acm-073]

@bnfinet great, thanks!