From 6011ef8cfab5abc0dd634d762901005bf5be453f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?H=C3=BCdaverdi=20Cakir?=
Date: Mon, 27 Mar 2023 10:59:46 +0000
Subject: [PATCH] fix: support Microsoft Identity Platform v2 scopes
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Hüdaverdi Cakir
---
 connector/microsoft/microsoft.go      | 18 ++++++++----------
 connector/microsoft/microsoft_test.go |  2 +-
 2 files changed, 9 insertions(+), 11 deletions(-)

diff --git a/connector/microsoft/microsoft.go b/connector/microsoft/microsoft.go
index 719b92de..31434945 100644
--- a/connector/microsoft/microsoft.go
+++ b/connector/microsoft/microsoft.go
@@ -32,11 +32,11 @@ const (
 )
 
 const (
-	// Microsoft requires this scope to access user's profile
-	scopeUser = "user.read"
-	// Microsoft requires this scope to list groups the user is a member of
-	// and resolve their ids to groups names.
-	scopeGroups = "directory.read.all"
+	// Microsoft requires the scopes to start with openid
+	scopeOpenID = "openid"
+	// Get the permissions configured on the application registration
+	// see https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-permissions-and-consent#the-default-scope
+	scopeDefault = "https://graph.microsoft.com/.default"
 	// Microsoft requires this scope to return a refresh token
 	// see https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-permissions-and-consent#offline_access
 	scopeOfflineAccess = "offline_access"
@@ -59,7 +59,7 @@ type Config struct {
 	PromptType string `json:"promptType"`
 	DomainHint string `json:"domainHint"`
 
-	Scopes []string `json:"scopes"` // defaults to scopeUser (user.read)
+	Scopes []string `json:"scopes"` // defaults to scopeOpenID (openid)
 }
 
 // Open returns a strategy for logging in through Microsoft.
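Review bot: The `Scopes` field comment in the second hunk, `// defaults to scopeOpenID (openid)`, understates what is actually requested: the default login URL carries `openid https://graph.microsoft.com/.default` (the test hunk pins exactly that string), and `.default` asks for every Graph permission consented on the app registration, so the registration's consent set, not this connector, is what bounds the token. Suggest `// defaults to scopeOpenID plus scopeDefault; .default requests all permissions granted on the app registration, so keep that grant minimal`. In the first hunk the new comment on `scopeOpenID` says Microsoft requires the scopes to "start with" openid; as far as I know openid is required to receive an ID token but ordering is not significant, so `// openid is required to receive an ID token` would be more accurate (confirm against the linked docs).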
@@ -141,11 +141,9 @@ func (c *microsoftConnector) oauth2Config(scopes connector.Scopes) *oauth2.Confi
 	if len(c.scopes) > 0 {
 		microsoftScopes = c.scopes
 	} else {
-		microsoftScopes = append(microsoftScopes, scopeUser)
-	}
-	if c.groupsRequired(scopes.Groups) {
-		microsoftScopes = append(microsoftScopes, scopeGroups)
+		microsoftScopes = append(microsoftScopes, scopeOpenID)
 	}
+	microsoftScopes = append(microsoftScopes, scopeDefault)
 
 	if scopes.OfflineAccess {
 		microsoftScopes = append(microsoftScopes, scopeOfflineAccess)
diff --git a/connector/microsoft/microsoft_test.go b/connector/microsoft/microsoft_test.go
index 67be660f..a0572283 100644
--- a/connector/microsoft/microsoft_test.go
+++ b/connector/microsoft/microsoft_test.go
@@ -48,7 +48,7 @@ func TestLoginURL(t *testing.T) {
 	expectEquals(t, queryParams.Get("client_id"), clientID)
 	expectEquals(t, queryParams.Get("redirect_uri"), testURL)
 	expectEquals(t, queryParams.Get("response_type"), "code")
-	expectEquals(t, queryParams.Get("scope"), "user.read")
+	expectEquals(t, queryParams.Get("scope"), "openid https://graph.microsoft.com/.default")
 	expectEquals(t, queryParams.Get("state"), testState)
 	expectEquals(t, queryParams.Get("prompt"), "")
 	expectEquals(t, queryParams.Get("domain_hint"), "")
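Review bot: `scopeDefault` is appended after the if/else, so an operator-supplied `Scopes` list is always widened with `https://graph.microsoft.com/.default`, which requests every permission consented on the app registration instead of the narrower set they configured; I also believe Microsoft rejects `.default` combined with other resource-specific Graph scopes in one request (confirm), in which case a custom `Scopes` config would stop working entirely. Honoring the explicit list as-is keeps least privilege in the operator's hands: `if len(c.scopes) > 0 { microsoftScopes = c.scopes } else { microsoftScopes = append(microsoftScopes, scopeOpenID, scopeDefault) }`. Since `c.groupsRequired(scopes.Groups)` is no longer consulted here, group resolution now silently depends on the directory-read permission being granted on the registration; a comment saying so next to `scopeDefault` would save the next person a confusing empty-groups debugging session, and `groupsRequired` may now be unused (its other callers are outside this hunk). The enclosing `oauth2Config` continues past the hunk.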
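Review bot: The updated assertion only covers the default path; there is no case for a configured `Scopes` list, which is the path whose behaviour the microsoft.go change alters most (`.default` is appended after the custom list). A second `TestLoginURL` case with `Scopes: []string{"user.read"}` asserting the resulting `scope` parameter would pin the intended contract either way. `TestLoginURL` starts and ends outside the hunk.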