OIDC: Add support for Microsoft Entra ID security groups #5334

Signed-off-by: Michael Mayer <michael@photoprism.app>
2025-12-11 16:24:11 +01:00 · 2025-11-23 16:04:25 +01:00
parent 73fa8fb86f
commit 5f0ade87f5
8 changed files with 380 additions and 6 deletions
--- a/internal/api/oidc_redirect.go
+++ b/internal/api/oidc_redirect.go
@@ -98,6 +98,47 @@ func OIDCRedirect(router *gin.RouterGroup) {
 			return
 		}
 		groupClaim := conf.OIDCGroupClaim()
 		var idTokenClaims map[string]any
 		if tokens != nil && tokens.IDTokenClaims != nil {
 			idTokenClaims = tokens.IDTokenClaims.Claims
 		}
 		groups, groupOverage := oidc.GroupsFromClaims(idTokenClaims, groupClaim)
 		moreGroups, moreOverage := oidc.GroupsFromClaims(userInfo.Claims, groupClaim)
 		if len(groups) == 0 && len(moreGroups) > 0 {
 			groups = moreGroups
 		}
 		if moreOverage {
 			groupOverage = true
 		}
 		requiredGroups := conf.OIDCGroup()
 		if len(requiredGroups) > 0 {
 			switch {
 			case groupOverage && len(groups) == 0:
 				message := "group claim overage; cannot validate required groups"
 				event.AuditErr([]string{clientIp, "create session", "oidc", message})
 				event.LoginError(clientIp, "oidc", userName, userAgent, message)
 				c.HTML(http.StatusUnauthorized, "auth.gohtml", CreateSessionError(http.StatusUnauthorized, i18n.Error(i18n.ErrForbidden)))
 				return
 			case !oidc.HasAnyGroup(groups, requiredGroups):
 				message := "missing required group membership"
 				event.AuditErr([]string{clientIp, "create session", "oidc", message})
 				event.LoginError(clientIp, "oidc", userName, userAgent, message)
 				c.HTML(http.StatusUnauthorized, "auth.gohtml", CreateSessionError(http.StatusUnauthorized, i18n.Error(i18n.ErrForbidden)))
 				return
 			}
 		}
 		mappedRole, hasMappedRole := oidc.MapGroupsToRole(groups, conf.OIDCGroupRoles())
 		defaultRole := conf.OIDCRole()
 		// Step 1: Create user account if it does not exist yet.
 		var user *entity.User
 		var err error
@@ -216,6 +257,10 @@ func OIDCRedirect(router *gin.RouterGroup) {
 				user.VerifiedAt = entity.TimeStamp()
 			}
 			if hasMappedRole && !user.HasRole(mappedRole) {
 				user.SetRole(mappedRole.String())
 			}
 			// Update Subject ID and Issuer URI.
 			user.SetAuthID(userInfo.Subject, provider.Issuer())
@@ -294,7 +339,11 @@ func OIDCRedirect(router *gin.RouterGroup) {
 			}
 			// Set user role and permissions.
-			user.SetRole(conf.OIDCRole().String())
+			if hasMappedRole {
 				user.SetRole(mappedRole.String())
 			} else {
 				user.SetRole(defaultRole.String())
 			}
 			user.CanLogin = true
 			user.WebDAV = conf.OIDCWebDAV()
--- a/internal/auth/oidc/README.md
+++ b/internal/auth/oidc/README.md
@@ -53,14 +53,16 @@
 ### Security Group Extension for Entra ID
- [ ] Parse `groups` claim (string GUIDs) from ID/Access tokens and map to roles using a configurable mapping, mirroring LDAP group handling.
+- [x] Parse `groups` claim (string GUIDs) from ID/Access tokens and map to roles using a configurable mapping, mirroring LDAP group handling.
- [ ] Detect `_claim_names.groups` overage markers; optionally fetch memberships from Microsoft Graph (`/me/transitiveMemberOf`) behind a feature flag and enforced timeouts.
+- [x] Detect `_claim_names.groups` overage markers; optionally fetch memberships from Microsoft Graph (`/me/transitiveMemberOf`) behind a feature flag and enforced timeouts.
- [ ] Keep `roles`/`wids` (app and directory roles) separate from security groups; document precedence.
+- [x] Keep `roles`/`wids` (app and directory roles) separate from security groups; document precedence.
- [ ] Add unit tests with signed JWT fixtures covering: direct `groups` array, overage marker, and no-groups fallback.
+- [x] Add unit tests with signed JWT fixtures covering: direct `groups` array, overage marker, and no-groups fallback.
 - [x] Expose config knobs (e.g., `AuthOIDCGroupsToRoles`, Graph fetch enable/disable, request timeout) and surface them in CLI/`options.yml` reports.
 - [ ] Add integration doc/tests for Entra app registration requirements (`groupMembershipClaims=SecurityGroup|All|ApplicationGroup`) and token size limits (~200 groups).
 - [ ] Expose config knobs (e.g., `AuthOIDCGroupsToRoles`, Graph fetch enable/disable, request timeout) and surface them in CLI/`options.yml` reports.
 - [ ] Update Pro parity notes so LDAP and OIDC group mappings share helpers and behavior.
 > **Note:** Entra ID security groups are only supported in PhotoPrism® Pro, so the related configuration flags are hidden in other editions.
 #### Related Resources & Specs
 - Microsoft Entra group claims: https://learn.microsoft.com/en-us/entra/identity-platform/access-token-claims-reference#groups-claim
--- a/internal/auth/oidc/groups.go
+++ b/internal/auth/oidc/groups.go
@@ -0,0 +1,129 @@
 package oidc
 import (
 	"strings"
 	"github.com/photoprism/photoprism/internal/auth/acl"
 	"github.com/photoprism/photoprism/pkg/clean"
 )
 // NormalizeGroupID lowercases and sanitizes a group identifier (GUID or name).
 func NormalizeGroupID(id string) string {
 	return strings.ToLower(clean.Auth(id))
 }
 // GroupsFromClaims extracts group identifiers from token or userinfo claims and detects Entra-style overage markers.
 func GroupsFromClaims(claims map[string]any, claimName string) (groups []string, overage bool) {
 	if len(claims) == 0 {
 		return nil, false
 	}
 	if claimName == "" {
 		claimName = "groups"
 	}
 	if raw, ok := claims[claimName]; ok {
 		groups = append(groups, normalizeGroupValues(raw)...)
 	}
 	if raw, ok := claims["_claim_names"]; ok {
 		if names, ok := raw.(map[string]any); ok {
 			if _, ok := names[claimName]; ok {
 				overage = true
 			}
 		}
 	}
 	return uniqueGroups(groups), overage
 }
 // MapGroupsToRole returns the first matching role for the provided groups using the supplied mapping.
 func MapGroupsToRole(groups []string, mapping map[string]acl.Role) (acl.Role, bool) {
 	if len(groups) == 0 || len(mapping) == 0 {
 		return acl.RoleNone, false
 	}
 	for _, g := range uniqueGroups(groups) {
 		if role, ok := mapping[g]; ok && role != acl.RoleNone {
 			return role, true
 		}
 	}
 	return acl.RoleNone, false
 }
 // HasAnyGroup returns true when at least one of the user's groups matches a required group.
 func HasAnyGroup(groups []string, required []string) bool {
 	if len(required) == 0 {
 		return true
 	}
 	normalized := make(map[string]struct{}, len(uniqueGroups(groups)))
 	for _, g := range uniqueGroups(groups) {
 		normalized[g] = struct{}{}
 	}
 	for _, r := range required {
 		if _, ok := normalized[NormalizeGroupID(r)]; ok {
 			return true
 		}
 	}
 	return false
 }
 func normalizeGroupValues(raw any) []string {
 	switch v := raw.(type) {
 	case []string:
 		return normalizeGroupSlice(v)
 	case []any:
 		result := make([]string, 0, len(v))
 		for _, s := range v {
 			if val, ok := s.(string); ok {
 				result = append(result, val)
 			}
 		}
 		return normalizeGroupSlice(result)
 	case string:
 		return normalizeGroupSlice([]string{v})
 	default:
 		return nil
 	}
 }
 // normalizeGroupSlice sanitizes and lowercases each group identifier in the provided slice.
 func normalizeGroupSlice(values []string) []string {
 	result := make([]string, 0, len(values))
 	for _, v := range values {
 		if n := NormalizeGroupID(v); n != "" {
 			result = append(result, n)
 		}
 	}
 	return result
 }
 // uniqueGroups returns a deduplicated, normalized list of group identifiers.
 func uniqueGroups(values []string) []string {
 	if len(values) == 0 {
 		return nil
 	}
 	seen := make(map[string]struct{}, len(values))
 	result := make([]string, 0, len(values))
 	for _, v := range normalizeGroupSlice(values) {
 		if _, ok := seen[v]; ok {
 			continue
 		}
 		seen[v] = struct{}{}
 		result = append(result, v)
 	}
 	return result
 }
--- a/internal/auth/oidc/groups_test.go
+++ b/internal/auth/oidc/groups_test.go
@@ -0,0 +1,53 @@
 package oidc
 import (
 	"testing"
 	"github.com/stretchr/testify/assert"
 	"github.com/photoprism/photoprism/internal/auth/acl"
 )
 func TestGroupsFromClaims(t *testing.T) {
 	claims := map[string]any{
 		"groups": []any{"ABC-123", "def-456", 7},
 	}
 	groups, overage := GroupsFromClaims(claims, "groups")
 	assert.False(t, overage)
 	assert.Equal(t, []string{"abc-123", "def-456"}, groups)
 }
 func TestGroupsFromClaimsOverage(t *testing.T) {
 	claims := map[string]any{
 		"_claim_names": map[string]any{
 			"groups": "src1",
 		},
 	}
 	groups, overage := GroupsFromClaims(claims, "groups")
 	assert.True(t, overage)
 	assert.Nil(t, groups)
 }
 func TestMapGroupsToRole(t *testing.T) {
 	mapping := map[string]acl.Role{
 		"abc-123": acl.RoleAdmin,
 		"def-456": acl.RoleGuest,
 	}
 	role, ok := MapGroupsToRole([]string{"zzz", "DEF-456"}, mapping)
 	assert.True(t, ok)
 	assert.Equal(t, acl.RoleGuest, role)
 }
 func TestHasAnyGroup(t *testing.T) {
 	required := []string{"abc-123", "def-456"}
 	assert.True(t, HasAnyGroup([]string{"ABC-123"}, required))
 	assert.False(t, HasAnyGroup([]string{"zzz"}, required))
 	assert.True(t, HasAnyGroup([]string{"zzz"}, nil))
 }
--- a/internal/config/config_oidc.go
+++ b/internal/config/config_oidc.go
@@ -6,6 +6,7 @@ import (
 	"os"
 	"path"
 	"path/filepath"
 	"sort"
 	"strings"
 	"unicode/utf8"
@@ -133,6 +134,62 @@ func (c *Config) OIDCUsername() string {
 	}
 }
 // OIDCGroupClaim returns the claim name that should contain security group identifiers.
 func (c *Config) OIDCGroupClaim() string {
 	if claim := strings.TrimSpace(c.options.OIDCGroupClaim); claim != "" {
 		return claim
 	}
 	return "groups"
 }
 // OIDCGroup returns the normalized list of required groups; empty means no group check.
 func (c *Config) OIDCGroup() []string {
 	if len(c.options.OIDCGroup) == 0 {
 		return nil
 	}
 	result := make([]string, 0, len(c.options.OIDCGroup))
 	for _, g := range c.options.OIDCGroup {
 		if n := normalizeGroupID(g); n != "" {
 			result = append(result, n)
 		}
 	}
 	return result
 }
 // OIDCGroupRoles maps normalized group identifiers to roles.
 func (c *Config) OIDCGroupRoles() map[string]acl.Role {
 	result := make(map[string]acl.Role, len(c.options.OIDCGroupRole))
 	for _, entry := range c.options.OIDCGroupRole {
 		entry = strings.TrimSpace(entry)
 		if entry == "" {
 			continue
 		}
 		sep := strings.IndexAny(entry, "=:")
 		if sep < 1 || sep >= len(entry)-1 {
 			continue
 		}
 		group := normalizeGroupID(entry[:sep])
 		role := acl.ParseRole(entry[sep+1:])
 		if group == "" || role == acl.RoleNone {
 			continue
 		}
 		result[group] = role
 	}
 	return result
 }
 // OIDCDomain returns the email domain name for restricted single sign-on via OIDC.
 func (c *Config) OIDCDomain() string {
 	return clean.Domain(c.options.OIDCDomain)
@@ -193,6 +250,25 @@ func (c *Config) OIDCReport() (rows [][]string, cols []string) {
 		rows = append(rows, []string{"oidc-domain", domain})
 	}
 	if claim := c.OIDCGroupClaim(); claim != "" {
 		rows = append(rows, []string{"oidc-group-claim", claim})
 	}
 	if groups := c.OIDCGroup(); len(groups) > 0 {
 		rows = append(rows, []string{"oidc-group", strings.Join(groups, ",")})
 	}
 	if roles := c.OIDCGroupRoles(); len(roles) > 0 {
 		pairs := make([]string, 0, len(roles))
 		for g, r := range roles {
 			pairs = append(pairs, fmt.Sprintf("%s=%s", g, r))
 		}
 		sort.Strings(pairs)
 		rows = append(rows, []string{"oidc-group-role", strings.Join(pairs, ",")})
 	}
 	rows = append(rows, [][]string{
 		{"oidc-role", c.OIDCRole().String()},
 		{"oidc-webdav", fmt.Sprintf("%t", c.OIDCWebDAV())},
@@ -201,3 +277,8 @@ func (c *Config) OIDCReport() (rows [][]string, cols []string) {
 	return rows, cols
 }
 // normalizeGroupID lowercases and sanitizes a group identifier (GUID or name) for comparisons.
 func normalizeGroupID(id string) string {
 	return strings.ToLower(clean.Auth(id))
 }
--- a/internal/config/config_oidc_test.go
+++ b/internal/config/config_oidc_test.go
@@ -132,6 +132,43 @@ func TestConfig_OIDCUsername(t *testing.T) {
 	assert.Equal(t, authn.OidcClaimPreferredUsername, c.OIDCUsername())
 }
 func TestConfig_OIDCGroupClaim(t *testing.T) {
 	c := NewConfig(CliTestContext())
 	assert.Equal(t, "groups", c.OIDCGroupClaim())
 	c.options.OIDCGroupClaim = " roles "
 	assert.Equal(t, "roles", c.OIDCGroupClaim())
 }
 func TestConfig_OIDCGroup(t *testing.T) {
 	c := NewConfig(CliTestContext())
 	assert.Nil(t, c.OIDCGroup())
 	c.options.OIDCGroup = []string{"ABC-123", "  DEF-456  ", ""}
 	assert.Equal(t, []string{"abc-123", "def-456"}, c.OIDCGroup())
 }
 func TestConfig_OIDCGroupRoles(t *testing.T) {
 	c := NewConfig(CliTestContext())
 	c.options.OIDCGroupRole = []string{
 		"ABC-123=admin",
 		"def-456:guest",
 		"invalid",
 		"=none",
 	}
 	roles := c.OIDCGroupRoles()
 	assert.Equal(t, acl.RoleAdmin, roles["abc-123"])
 	assert.Equal(t, acl.RoleGuest, roles["def-456"])
 	assert.Len(t, roles, 2)
 }
 func TestConfig_OIDCDomain(t *testing.T) {
 	c := NewConfig(CliTestContext())
--- a/internal/config/flags.go
+++ b/internal/config/flags.go
@@ -7,6 +7,7 @@ import (
 	"github.com/urfave/cli/v2"
 	"github.com/photoprism/photoprism/internal/ai/face"
 	"github.com/photoprism/photoprism/internal/auth/acl"
 	"github.com/photoprism/photoprism/internal/config/ttl"
 	"github.com/photoprism/photoprism/internal/entity"
 	"github.com/photoprism/photoprism/internal/ffmpeg/encode"
@@ -117,6 +118,25 @@ var Flags = CliFlags{
 			Value:   authn.OidcClaimPreferredUsername,
 			EnvVars: EnvVars("OIDC_USERNAME"),
 		}}, {
 		Flag: &cli.StringFlag{
 			Name:    "oidc-group-claim",
 			Usage:   "group claim `NAME` to read from OIDC tokens (default groups)",
 			Value:   "",
 			EnvVars: EnvVars("OIDC_GROUP_CLAIM"),
 			Hidden:  true,
 		}}, {
 		Flag: &cli.StringSliceFlag{
 			Name:    "oidc-group",
 			Usage:   "require membership in at least one group `ID` (repeat flag to add multiple)",
 			EnvVars: EnvVars("OIDC_GROUP"),
 			Hidden:  true,
 		}}, {
 		Flag: &cli.StringSliceFlag{
 			Name:    "oidc-group-role",
 			Usage:   "map `GROUP=ROLE`; repeat to add more (roles: " + acl.UserRoles.CliUsageString() + ")",
 			EnvVars: EnvVars("OIDC_GROUP_ROLE"),
 			Hidden:  true,
 		}}, {
 		Flag: &cli.BoolFlag{
 			Name:    "oidc-webdav",
 			Usage:   "allows new OpenID Connect users to use WebDAV when they have a role that allows it",
--- a/internal/config/options.go
+++ b/internal/config/options.go
@@ -45,6 +45,9 @@ type Options struct {
 	OIDCRedirect              bool          `yaml:"OIDCRedirect" json:"OIDCRedirect" flag:"oidc-redirect"`
 	OIDCRegister              bool          `yaml:"OIDCRegister" json:"OIDCRegister" flag:"oidc-register"`
 	OIDCUsername              string        `yaml:"OIDCUsername" json:"-" flag:"oidc-username"`
 	OIDCGroupClaim            string        `yaml:"OIDCGroupClaim" json:"-" flag:"oidc-group-claim" tags:"pro"`
 	OIDCGroup                 []string      `yaml:"OIDCGroup" json:"-" flag:"oidc-group" tags:"pro"`
 	OIDCGroupRole             []string      `yaml:"OIDCGroupRole" json:"-" flag:"oidc-group-role" tags:"pro"`
 	OIDCDomain                string        `yaml:"-" json:"-" flag:"oidc-domain" tags:"pro"`
 	OIDCRole                  string        `yaml:"-" json:"-" flag:"oidc-role" tags:"pro"`
 	OIDCWebDAV                bool          `yaml:"OIDCWebDAV" json:"-" flag:"oidc-webdav"`