Feature: Add support for EntraID in OIDC

[spyr0-sec]

Description:

The static OIDC configuration contains scopes which are not supported by EntraID and other identity providers

Are you intending to fix this bug?

No

Component(s) Affected:

• UI
• API

Steps to Reproduce:

1. Settings
2. Administration
3. SSO Configuration
4. Configure SSO Provider

Expected Behavior:

The identity provider is correctly configured for SSO

Actual Behavior:

The Oauth config includes scopes which are not supported and therefore returns error messages

Screenshots/Code Snippets/Sample Files:

https://github.com/SpecterOps/BloodHound/blob/v6.3.0/cmd/api/src/api/v2/auth/oidc.go#L109

Environment Information:

BloodHound: v6.3.0

Additional Information:

For our identity provider, only "openid", "profile", "email" are supported.

As per slack thread, EntraID is complaining about the email_verified scope

Potential Solution (optional):

Make the configuration more customisable with the ability to select which scopes are required for the given IdP

Related Issues:

N/A

Contributor Checklist:

• I have searched the issue tracker to ensure this bug hasn't been reported before or is not already being addressed.
• I have provided clear steps to reproduce the issue.
• I have included relevant environment information details.

[StephenHinck]

Thanks for the report, @spyr0-sec. We looked at this, and while that error message about supported scopes is accurate, additional effort is necessary to support EntraID for OIDC as their implementation requires additional functionality beyond the standards we wrote. We have some additional SSO functionality going into our next release (week of January 13th) and then we'll finish out the work necessary to get EntraID supported via OIDC.

[StephenHinck]

This is fixed with #1051. This will be included in next week's release!

[StephenHinck]

Hey @spyr0-sec - unfortunately, more work is required. We fixed the issue with the scopes that Microsoft doesn't support; however, they still have additional hurdles outside of that, which we need to account for. We will try again and hope to get it into our next release on the week of February 3rd.

[spyr0-sec]

@StephenHinck no problem! Thank you for the update and all the teams efforts.

[StephenHinck]

Just kidding! @mistahj67 is a ninja and has it pulled into our hotfix releasing on Monday. If you'd like to pull the edge release, it's live now, but otherwise, expect it in v6.4.1 next week!