From 89cdbc810d2e5560acd587612671325bddd26f39 Mon Sep 17 00:00:00 2001
From: David Mulder
Date: Tue, 5 Nov 2024 13:30:15 -0700
Subject: [PATCH] Specify scopes when making an SSO request

Signed-off-by: David Mulder
---
 Cargo.toml | 2 +-
 src/common/src/idprovider/himmelblau.rs | 8 ++++----
 src/daemon/src/broker.rs | 3 +-
 3 files changed, 6 insertions(+), 7 deletions(-)

diff --git a/Cargo.toml b/Cargo.toml
index 3cb7dbd..2a3ca79 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -39,7 +39,7 @@ tracing-subscriber = "^0.3.17"
 tracing = "^0.1.37"
 himmelblau_unix_common = { path = "src/common" }
 kanidm_unix_common = { path = "src/glue" }
-libhimmelblau = { version = "0.3.5" }
+libhimmelblau = { version = "0.3.6" }
 clap = { version = "^4.5", features = ["derive", "env"] }
 clap_complete = "^4.4.1"
 reqwest = { version = "^0.12.2", features = ["json"] }
diff --git a/src/common/src/idprovider/himmelblau.rs b/src/common/src/idprovider/himmelblau.rs
index e8daf09..abbe4d8 100644
--- a/src/common/src/idprovider/himmelblau.rs
+++ b/src/common/src/idprovider/himmelblau.rs
@@ -604,7 +604,7 @@ impl IdProvider for HimmelblauProvider {
 .await
 .exchange_prt_for_access_token(
 &prt,
- vec!["User.Read"],
+ vec![],
 Some("https://graph.microsoft.com".to_string()),
 tpm,
 machine_key,
@@ -687,7 +687,7 @@ impl IdProvider for HimmelblauProvider {
 .await
 .acquire_token_by_refresh_token(
 &$token.refresh_token,
- vec!["User.Read"],
+ vec![],
 Some("https://graph.microsoft.com".to_string()),
 tpm,
 machine_key,
@@ -711,7 +711,7 @@ impl IdProvider for HimmelblauProvider {
 .await
 .acquire_token_by_refresh_token(
 &$token.refresh_token,
- vec!["User.Read"],
+ vec![],
 Some("https://graph.microsoft.com".to_string()),
 tpm,
 machine_key,
@@ -740,7 +740,7 @@ impl IdProvider for HimmelblauProvider {
 .acquire_token_by_hello_for_business_key(
 account_id,
 &$hello_key,
- vec!["User.Read"],
+ vec![],
 Some("https://graph.microsoft.com".to_string()),
 tpm,
 machine_key,
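Review bot: The empty scope list now passed to `exchange_prt_for_access_token` alongside `Some("https://graph.microsoft.com".to_string())` leaves the actually requested permissions to whatever libhimmelblau (bumped to 0.3.6 in this commit) does with `vec![]` for that resource, and nothing at the call site records that; presumably the library substitutes a default scope, but that should be confirmed against the 0.3.6 API rather than assumed. A one-line comment above the argument stating what scope the library requests when the list is empty would keep a later reader from reading this as "no scopes" and would make the least-privilege intent explicit, since the explicit `User.Read` is gone. The same replacement is made in the hunks at lines 687, 711 and 740, and all four sites repeat the resource string and the empty list, so a shared constant or a small wrapper around the scope/resource pair would stop them from drifting apart. Each call sits inside a function or macro body that begins and ends outside its hunk.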
diff --git a/src/daemon/src/broker.rs b/src/daemon/src/broker.rs
index e0874d9..68d71e6 100644
--- a/src/daemon/src/broker.rs
+++ b/src/daemon/src/broker.rs
@@ -89,10 +89,9 @@ impl HimmelblauBroker for Broker {
 if request.account.username.to_lowercase() != user.spn.to_lowercase() {
 return Err("Invalid request for user!".into());
 }
- let scopes = vec![];
 let token = self
 .cachelayer
- .get_user_accesstoken(Id::Name(user.spn), scopes)
+ .get_user_accesstoken(Id::Name(user.spn), request.auth_parameters.requested_scopes)
 .await
 .ok_or("Failed to authenticate user")?;
 let now = SystemTime::now()
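Review bot: `request.auth_parameters.requested_scopes` is handed to `get_user_accesstoken` exactly as the client supplied it, and the only check that survives on this path is the username/spn comparison above it, so whoever can reach the broker now decides the scopes of the token minted for that user; whether that is acceptable depends on the access control at the broker's transport, which is outside this hunk. At minimum the requested scopes deserve a log line before the value is moved into the call, e.g. `tracing::debug!(scopes = ?request.auth_parameters.requested_scopes, "access token requested");` (assuming the scope list implements Debug), so that issued scopes can be audited per caller. If the cache layer keys cached tokens by identity only, it is also worth confirming that a token cached for a different scope set is not returned for this request. The enclosing method starts before and continues past the hunk.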