connector/microsoft: add support for groups

Microsoft connector now provides support for 'groups' claim in case 'tenant' is configured in Dex config for the connector. It's possible to deny user authentication if the user is not a member of at least one configured groups. Signed-off-by: Pavel Borzenkov <pavel.borzenkov@gmail.com>
2017-11-21 18:58:22 +03:00
parent 6193bf5566
commit 47df6ea2ff
2 changed files with 239 additions and 22 deletions
--- a/Documentation/microsoft-connector.md
+++ b/Documentation/microsoft-connector.md
@@ -11,6 +11,21 @@ Microsoft access and refresh tokens in its backing datastore.__ Users that
 reject dex's access through Microsoft will also revoke all dex clients which
 authenticated them through Microsoft.

+### Caveats
+
+`groups` claim in dex is only supported when `tenant` is specified in Microsoft
+connector config. In order for dex to be able to list groups on behalf of
+logged in user, an explicit organization administrator consent is required. To
+obtain the consent do the following:
+
+  - when registering dex application on https://apps.dev.microsoft.com add
+    an explicit `Directory.Read.All` permission to the list of __Delegated
+    Permissions__
+  - open the following link in your browser and log in under organization
+    administrator account:
+
+`https://login.microsoftonline.com/<tenant>/adminconsent?client_id=<dex client id>`
+
 ## Configuration

 Register a new application on https://apps.dev.microsoft.com via `Add an app`
@@ -64,3 +79,34 @@ connectors:
      redirectURI: http://127.0.0.1:5556/dex/callback
      tenant: organizations
 ```
+
+### Groups
+
+When the `groups` claim is present in a request to dex __and__ `tenant` is
+configured, dex will query Microsoft API to obtain a list of groups the user is
+a member of. `onlySecurityGroups` configuration option restricts the list to
+include only security groups. By default all groups (security, Office 365,
+mailing lists) are included.
+
+It is possible to require a user to be a member of a particular group in order
+to be successfully authenticated in dex. For example, with the following
+configuration file only the users who are members of at least one of the listed
+groups will be able to successfully authenticate in dex:
+
+```yaml
+connectors:
+  - type: microsoft
+    # Required field for connector id.
+    id: microsoft
+    # Required field for connector name.
+    name: Microsoft
+    config:
+      # Credentials can be string literals or pulled from the environment.
+      clientID: $MICROSOFT_APPLICATION_ID
+      clientSecret: $MICROSOFT_CLIENT_SECRET
+      redirectURI: http://127.0.0.1:5556/dex/callback
+      tenant: myorg.onmicrosoft.com
+      groups:
+        - developers
+        - devops
+```