Feature: Add support for EntraID in OIDC #1023
Comments
|
Thanks for the report, @spyr0-sec. We looked at this, and while that error message about supported scopes is accurate, additional effort is necessary to support EntraID for OIDC as their implementation requires additional functionality beyond the standards we wrote. We have some additional SSO functionality going into our next release (week of January 13th) and then we'll finish out the work necessary to get EntraID supported via OIDC. |
StephenHinck
added
enhancement
StephenHinck
changed the title
|
This is fixed with #1051. This will be included in next week's release! |
|
Hey @spyr0-sec - unfortunately, more work is required. We fixed the issue with the scopes that Microsoft doesn't support; however, they still have additional hurdles outside of that, which we need to account for. We will try again and hope to get it into our next release on the week of February 3rd. |
|
@StephenHinck no problem! Thank you for the update and all the teams efforts. |
Description:
The static OIDC configuration contains scopes which are not supported by EntraID and other identity providers
Are you intending to fix this bug?
No
Component(s) Affected:
Steps to Reproduce:
Expected Behavior:
The identity provider is correctly configured for SSO
Actual Behavior:
The Oauth config includes scopes which are not supported and therefore returns error messages
Screenshots/Code Snippets/Sample Files:
https://github.com/SpecterOps/BloodHound/blob/v6.3.0/cmd/api/src/api/v2/auth/oidc.go#L109
Environment Information:
BloodHound: v6.3.0
Additional Information:
For our identity provider, only
"openid", "profile", "email"are supported.As per slack thread, EntraID is complaining about the
email_verifiedscopePotential Solution (optional):
Make the configuration more customisable with the ability to select which scopes are required for the given IdP
Related Issues:
N/A
Contributor Checklist:
The text was updated successfully, but these errors were encountered: