Merge pull request #1379 from small1/entraid

julien-nc · web-flow · commit 0d4cddcc5e6e · 2026-03-22T23:41:31.000+01:00
Allow usage of Microsoft graph to lookup guid to group names on EntraID
diff --git a/README.md b/README.md
@@ -431,6 +431,16 @@ The following formats are supported for the groups claim:
 * Array of group name strings: `"groups": ["group1", "group2", "group3"]`
 * Object with name and id: `"groups": [{ "gid": "id1", "displayName": "group1" }, ...]`
 
+### EntraID and Microsoft graph
+
+If using EntraID an option to turn on group name lookups via Microsoft Graph. It will loop through all guid a user has and store the names of the groups in Nextcloud.
+
+This can be done in the graphical settings for the provider by with the occ command to create/update providers:
+
+```
+sudo -u www-data php occ user_oidc:provider demoprovider --entraid-group-names=1
+```
+
 ### Disable audience and azp checks
 
 The `audience` and `azp` token claims will be checked when validating a login ID token.
diff --git a/lib/Command/UpsertProvider.php b/lib/Command/UpsertProvider.php
@@ -155,6 +155,10 @@ class UpsertProvider extends Base {
 			'shortcut' => null, 'mode' => InputOption::VALUE_REQUIRED, 'setting_key' => ProviderService::SETTING_MAPPING_GROUPS,
 			'description' => 'Attribute mapping of the groups',
 		],
+		'entraid-group-names' => [
+			'shortcut' => null, 'mode' => InputOption::VALUE_REQUIRED, 'setting_key' => ProviderService::SETTING_AZURE_GROUP_NAMES,
+			'description' => 'Turn on usage of mapping guid to names with Microsoft Graph. 1 to enable, 0 to disable (default)',
+		],
 		'resolve-nested-claims' => [
 			'shortcut' => null,
 			'mode' => InputOption::VALUE_REQUIRED,
diff --git a/lib/Service/ProviderService.php b/lib/Service/ProviderService.php
@@ -59,6 +59,7 @@ class ProviderService {
 	public const SETTING_GROUP_PROVISIONING = 'groupProvisioning';
 	public const SETTING_GROUP_WHITELIST_REGEX = 'groupWhitelistRegex';
 	public const SETTING_RESTRICT_LOGIN_TO_GROUPS = 'restrictLoginToGroups';
+	public const SETTING_AZURE_GROUP_NAMES = 'azureGroupNames';
 	public const SETTING_RESOLVE_NESTED_AND_FALLBACK_CLAIMS_MAPPING = 'nestedAndFallbackClaims';
 
 	public const BOOLEAN_SETTINGS_DEFAULT_VALUES = [
@@ -69,6 +70,7 @@ class ProviderService {
 		self::SETTING_CHECK_BEARER => false,
 		self::SETTING_SEND_ID_TOKEN_HINT => false,
 		self::SETTING_RESTRICT_LOGIN_TO_GROUPS => false,
+		self::SETTING_AZURE_GROUP_NAMES => false,
 		self::SETTING_RESOLVE_NESTED_AND_FALLBACK_CLAIMS_MAPPING => false,
 	];
 
@@ -191,6 +193,7 @@ public function getSupportedSettings(): array {
 			self::SETTING_GROUP_PROVISIONING,
 			self::SETTING_GROUP_WHITELIST_REGEX,
 			self::SETTING_RESTRICT_LOGIN_TO_GROUPS,
+			self::SETTING_AZURE_GROUP_NAMES,
 			self::SETTING_RESOLVE_NESTED_AND_FALLBACK_CLAIMS_MAPPING,
 		];
 	}
diff --git a/lib/Service/ProvisioningService.php b/lib/Service/ProvisioningService.php
@@ -11,6 +11,7 @@
 use Locale;
 use OC\Accounts\AccountManager;
 use OCA\UserOIDC\AppInfo\Application;
+use OCA\UserOIDC\Db\ProviderMapper;
 use OCA\UserOIDC\Db\UserMapper;
 use OCA\UserOIDC\Event\AttributeMappedEvent;
 use OCP\Accounts\IAccountManager;
@@ -29,6 +30,7 @@
 use OCP\IUserManager;
 use OCP\L10N\IFactory;
 use OCP\PreConditionNotMetException;
+use OCP\Security\ICrypto;
 use OCP\User\Events\UserChangedEvent;
 use Psr\Log\LoggerInterface;
 use Throwable;
@@ -49,6 +51,8 @@ public function __construct(
 		private IConfig $config,
 		private ISession $session,
 		private IFactory $l10nFactory,
+		private ProviderMapper $providerMapper,
+		private ICrypto $crypto,
 	) {
 	}
 
@@ -588,6 +592,18 @@ public function getSyncGroupsOfToken(int $providerId, object $idTokenPayload): ?
 			}
 			$syncGroups = [];
 
+			$token = null;
+			$tenant = null;
+			if ($this->providerService->getSetting($providerId, ProviderService::SETTING_AZURE_GROUP_NAMES, '0') === '1') {
+				$azureGroupSyncContext = $this->getAzureGroupSyncContext($providerId);
+				if ($azureGroupSyncContext === null) {
+					return null;
+				}
+
+				$tenant = $azureGroupSyncContext['tenant'];
+				$token = $azureGroupSyncContext['token'];
+			}
+
 			foreach ($groups as $k => $v) {
 				if (is_object($v)) {
 					// Handle array of objects, e.g. [{gid: "1", displayName: "group1"}, ...]
@@ -614,8 +630,14 @@ public function getSyncGroupsOfToken(int $providerId, object $idTokenPayload): ?
 					}
 				}
 
-				$group->gid = $this->idService->getId($providerId, $group->gid);
-
+				if ($this->providerService->getSetting($providerId, ProviderService::SETTING_AZURE_GROUP_NAMES, '0') === '1' && is_string($v)) {
+					$group = $this->getAzureGroupWithResolvedName($providerId, $tenant, $token, $v);
+					if ($group === null) {
+						continue;
+					}
+				} else {
+					$group->gid = $this->idService->getId($providerId, $group->gid);
+				}
 				$syncGroups[] = $group;
 			}
 
@@ -625,6 +647,105 @@ public function getSyncGroupsOfToken(int $providerId, object $idTokenPayload): ?
 		return null;
 	}
 
+	/**
+	 * @return array{tenant: string, token: string}|null
+	 */
+	private function getAzureGroupSyncContext(int $providerId): ?array {
+		$provider = $this->providerMapper->getProvider($providerId);
+		$url = $provider->getDiscoveryEndpoint();
+		$tenant = explode('//', $url);
+		$tenant = count($tenant) === 1 ? $tenant[0] : $tenant[1];
+		$tenant = explode('/', $tenant);
+		if (count($tenant) === 1) {
+			$this->logger->error('Could not figure out the tenant id. (Is the discovery endpoint formatted properly?) Will not sync groups');
+			return null;
+		}
+		$tenant = $tenant[1];
+
+		$client = $this->clientService->newClient();
+		try {
+			$response = $client->post("https://login.microsoftonline.com/$tenant/oauth2/v2.0/token", [
+				'headers' => [ 'Accept' => 'application/json' ],
+				'form_params' => [
+					'client_id' => $provider->getClientId(),
+					'scope' => 'https://graph.microsoft.com/.default',
+					'client_secret' => $this->crypto->decrypt($provider->getClientSecret()),
+					'grant_type' => 'client_credentials'
+				],
+				'http_errors' => false
+			]);
+		} catch (\Exception $e) {
+			$this->logger->error($e->getMessage());
+			return null;
+		}
+
+		$res = $response->getBody();
+		if (!is_string($res)) {
+			$this->logger->error('Could not fetch Bearer token for Microsoft Graph. Will not sync groups');
+			return null;
+		}
+
+		$res = json_decode($res, true);
+		if (empty($res) || empty($res['access_token']) || !is_string($res['access_token'])) {
+			$this->logger->error('Could not fetch Bearer token for Microsoft Graph. Will not sync groups');
+			return null;
+		}
+
+		return [
+			'tenant' => $tenant,
+			'token' => $res['access_token'],
+		];
+	}
+
+	private function getAzureGroupWithResolvedName(int $providerId, string $tenant, string $token, string $groupId): ?object {
+		$client = $this->clientService->newClient();
+		try {
+			$response = $client->get(
+				"https://graph.microsoft.com/v1.0/$tenant/groups/" . $groupId,
+				[ 'headers' => [ 'Accept' => 'application/json', 'Authorization' => "Bearer $token" ], 'http_errors' => false ]
+			);
+		} catch (\Exception $e) {
+			$this->logger->error($e->getMessage());
+			return null;
+		}
+
+		$res = $response->getBody();
+		if (!is_string($res)) {
+			$this->logger->error('No response from Microsoft Graph while fetching group name. Will not sync the group ' . $groupId);
+			return null;
+		}
+
+		$res = json_decode($res, true); // https://learn.microsoft.com/en-us/graph/api/group-get?view=graph-rest-1.0&tabs=http#response-1
+		if (isset($res['error'])) {
+			$errorMessage = !empty($res['error']['message']) && is_string($res['error']['message']) ? $res['error']['message'] : '';
+			$this->logger->error('Error response from Microsoft Graph while fetching group name. Will not sync the group ' . $groupId . '. Graph said: ' . $errorMessage);
+			return null;
+		}
+
+		if (empty($res['displayName'])) {
+			$this->logger->error('Empty response from Microsoft Graph while fetching group name. Will not sync the group ' . $groupId);
+			return null;
+		}
+
+		$group = (object)['gid' => $res['displayName']];
+		if ($this->providerService->getSetting($providerId, ProviderService::SETTING_PROVIDER_BASED_ID, '0') === '1') {
+			$providerName = $this->providerMapper->getProvider($providerId)->getIdentifier();
+			$group->gid = $providerName . '-' . $group->gid;
+		}
+
+		if (strlen($group->gid) > 64) {
+			$this->logger->warning('Group id ' . $group->gid . ' longer than supported. Group id truncated.');
+			$group->displayName = $group->gid;
+			$group->gid = substr($group->gid, 0, 64);
+			if (strlen($group->displayName) > 255) {
+				$this->logger->warning('Group name ' . $group->displayName . ' longer than supported. Group name truncated.');
+				$group->displayName = substr($group->displayName, 0, 255);
+			}
+		}
+
+		return $group;
+	}
+
 	public function provisionUserGroups(IUser $user, int $providerId, object $idTokenPayload): ?array {
 		$groupsWhitelistRegex = $this->getGroupWhitelistRegex($providerId);
 
diff --git a/tests/unit/Service/ProviderServiceTest.php b/tests/unit/Service/ProviderServiceTest.php
@@ -97,6 +97,7 @@ public function testGetProvidersWithSettings() {
 					'groupProvisioning' => true,
 					'groupWhitelistRegex' => '1',
 					'restrictLoginToGroups' => true,
+					'azureGroupNames' => true,
 					'nestedAndFallbackClaims' => true,
 				],
 			],
@@ -143,6 +144,7 @@ public function testGetProvidersWithSettings() {
 					'groupProvisioning' => true,
 					'groupWhitelistRegex' => '1',
 					'restrictLoginToGroups' => true,
+					'azureGroupNames' => true,
 					'nestedAndFallbackClaims' => true,
 				],
 			],
@@ -185,6 +187,7 @@ public function testSetSettings() {
 			'mappingBirthdate' => 'birthdate',
 			'groupWhitelistRegex' => '',
 			'restrictLoginToGroups' => false,
+			'azureGroupNames' => false,
 			'nestedAndFallbackClaims' => false,
 		];
 		$this->appConfig->expects(self::any())
@@ -224,6 +227,7 @@ public function testSetSettings() {
 				[Application::APP_ID, 'provider-1-' . ProviderService::SETTING_GROUP_PROVISIONING, '', true, '1'],
 				[Application::APP_ID, 'provider-1-' . ProviderService::SETTING_GROUP_WHITELIST_REGEX, '', true, ''],
 				[Application::APP_ID, 'provider-1-' . ProviderService::SETTING_RESTRICT_LOGIN_TO_GROUPS, '', true, '0'],
+				[Application::APP_ID, 'provider-1-' . ProviderService::SETTING_AZURE_GROUP_NAMES, '', true, '0'],
 				[Application::APP_ID, 'provider-1-' . ProviderService::SETTING_RESOLVE_NESTED_AND_FALLBACK_CLAIMS_MAPPING, '', true, '0'],
 			]);
 
diff --git a/tests/unit/Service/ProvisioningServiceTest.php b/tests/unit/Service/ProvisioningServiceTest.php
@@ -5,6 +5,7 @@
  * SPDX-License-Identifier: AGPL-3.0-or-later
  */
 
+use OCA\UserOIDC\Db\ProviderMapper;
 use OCA\UserOIDC\Db\User;
 use OCA\UserOIDC\Db\UserMapper;
 use OCA\UserOIDC\Service\LocalIdService;
@@ -23,6 +24,7 @@
 use OCP\IUser;
 use OCP\IUserManager;
 use OCP\L10N\IFactory;
+use OCP\Security\ICrypto;
 use PHPUnit\Framework\Attributes\DataProvider;
 use PHPUnit\Framework\MockObject\MockObject;
 use PHPUnit\Framework\TestCase;
@@ -88,6 +90,12 @@ class ProvisioningServiceTest extends TestCase {
 	 */
 	private $l10nFactory;
 
+	/** @var ProviderMapper | MockObject */
+	private $providerMapper;
+
+	/** @var ICrypto | MockObject */
+	private $crypto;
+
 	public function setUp(): void {
 		parent::setUp();
 		$this->idService = $this->createMock(LocalIdService::class);
@@ -103,6 +111,8 @@ public function setUp(): void {
 		$this->avatarManager = $this->createMock(IAvatarManager::class);
 		$this->session = $this->createMock(ISession::class);
 		$this->l10nFactory = $this->createMock(IFactory::class);
+		$this->providerMapper = $this->createMock(ProviderMapper::class);
+		$this->crypto = $this->createMock(ICrypto::class);
 
 		$this->provisioningService = new ProvisioningService(
 			$this->idService,
@@ -118,6 +128,8 @@ public function setUp(): void {
 			$this->config,
 			$this->session,
 			$this->l10nFactory,
+			$this->providerMapper,
+			$this->crypto,
 		);
 	}
 
@@ -481,6 +493,7 @@ public function testProvisionUserGroups(string $gid, string $displayName, object
 			->willReturnMap([
 				[$providerId, ProviderService::SETTING_GROUP_WHITELIST_REGEX, '', $group_whitelist],
 				[$providerId, ProviderService::SETTING_MAPPING_GROUPS, 'groups', 'groups'],
+				[$providerId, ProviderService::SETTING_AZURE_GROUP_NAMES, '0', '0'],
 				[$providerId, ProviderService::SETTING_RESOLVE_NESTED_AND_FALLBACK_CLAIMS_MAPPING, '0', '0'],
 			]);
 
