This adds or changes the following features:
Unlike other identity providers, Azure does not provide public URLs to the profile pictures, because in many cases they will be private pictures of organization members. Grav only accepts URLs to the picture from OAuth2 identity providers, therefore this creates and returns a data URL with a base64-encoded image. I'm not sure if there's a better way for this; I couldn't find one to properly create a profile image from the provider in an easy way. There is also a problem with this when using the admin plugin: unless a URL already includes a question mark, which these do not, it adds a size parameter for the sidebar image, which breaks the base64 data. See getgrav/grav-plugin-admin#1889.
The groups include transitive memberships. The first request to the Microsoft Graph API returns only the GUIDs of the groups, therefore one additional request has to be made for each group to get the name. To make sure this doesn't slow down the login process for users with many group memberships, the requests are run in parallel by using Guzzle promises, because that's the library that the oauth2-client library by league uses. oauth2-client does not provide parallel requests though. It would be better if this logic were implemented in the lower-level libraries, but it works for now.
Important notes about the group synchronization: