Merge pull request #29 from frenkel/support_adfs

Support on premise Active Directory
RIPAGlobal · Jul 15, 2024 · f59bd8d · f59bd8d
2 parents caaf208 + ebf4c8a
commit f59bd8d
Show file tree

Hide file tree

Showing 3 changed files with 71 additions and 3 deletions.
diff --git a/README.md b/README.md
@@ -106,6 +106,7 @@ All of the items listed below are optional, unless noted otherwise. They can be
 | `authorize_params` | Additional parameters passed as URL query data in the initial OAuth redirection to Microsoft. See below for more. Empty Hash default. |
 | `domain_hint`      | If defined, sets (overwriting, if already present) `domain_hint` inside `authorize_params`. Default `nil` / none. |
 | `scope`            | If defined, sets (overwriting, if already present) `scope` inside `authorize_params`. Default is `OmniAuth::Strategies::AzureActivedirectoryV2::DEFAULT_SCOPE` (at the time of writing, this is `'openid profile email'`). |
+| `adfs`             | If defined, modifies the URLs so they work with an on premise ADFS server. In order to use this you also need to set the `base_azure_url` correctly and fill the `tenant_id` with `'adfs'`. |
 
 In addition, as a special case, if the request URL contains a query parameter `prompt`, then this will be written into `authorize_params` under that key, overwriting if present any other value there. Note that this comes from the current request URL at the time OAuth flow is commencing, _not_ via static options Hash data or via a custom provider class - but you _could_ just as easily set `scope` inside a custom `authorize_params` returned from a provider class, as shown in an example later; the request URL query mechanism is just another way of doing the same thing.
 

diff --git a/lib/omniauth/strategies/azure_activedirectory_v2.rb b/lib/omniauth/strategies/azure_activedirectory_v2.rb
@@ -52,12 +52,13 @@ def client
         options.custom_policy =
           provider.respond_to?(:custom_policy) ? provider.custom_policy : nil
 
-        options.client_options.authorize_url = "#{options.base_azure_url}/#{options.tenant_id}/oauth2/v2.0/authorize"
+        oauth2 = provider.respond_to?(:adfs?) && provider.adfs? ? 'oauth2' : 'oauth2/v2.0'
+        options.client_options.authorize_url = "#{options.base_azure_url}/#{options.tenant_id}/#{oauth2}/authorize"
         options.client_options.token_url =
           if options.custom_policy
-            "#{options.base_azure_url}/#{options.tenant_id}/#{options.custom_policy}/oauth2/v2.0/token"
+            "#{options.base_azure_url}/#{options.tenant_id}/#{options.custom_policy}/#{oauth2}/token"
           else
-            "#{options.base_azure_url}/#{options.tenant_id}/oauth2/v2.0/token"
+            "#{options.base_azure_url}/#{options.tenant_id}/#{oauth2}/token"
           end
 
         super

diff --git a/spec/omniauth/strategies/azure_activedirectory_v2_spec.rb b/spec/omniauth/strategies/azure_activedirectory_v2_spec.rb
@@ -136,6 +136,25 @@
     end
   end
 
+  describe 'static configuration with on premise ADFS' do
+    let(:options) { @options || {} }
+    subject do
+      OmniAuth::Strategies::AzureActivedirectoryV2.new(app, {client_id: 'id', client_secret: 'secret', tenant_id: 'adfs', base_azure_url: 'https://login.contoso.com', adfs: true}.merge(options))
+    end
+
+    describe '#client' do
+      it 'has correct authorize url' do
+        allow(subject).to receive(:request) { request }
+        expect(subject.client.options[:authorize_url]).to eql('https://login.contoso.com/adfs/oauth2/authorize')
+      end
+
+      it 'has correct token url' do
+        allow(subject).to receive(:request) { request }
+        expect(subject.client.options[:token_url]).to eql('https://login.contoso.com/adfs/oauth2/token')
+      end
+    end
+  end
+
   describe 'dynamic configuration' do
     let(:provider_klass) {
       Class.new {
@@ -308,6 +327,53 @@ def client_secret
     end
   end
 
+  describe 'dynamic configuration with on premise ADFS' do
+    let(:provider_klass) {
+      Class.new {
+        def initialize(strategy)
+        end
+
+        def client_id
+          'id'
+        end
+
+        def client_secret
+          'secret'
+        end
+
+        def tenant_id
+          'adfs'
+        end
+
+        def base_azure_url
+          'https://login.contoso.com'
+        end
+
+        def adfs?
+          true
+        end
+      }
+    }
+
+    subject do
+      OmniAuth::Strategies::AzureActivedirectoryV2.new(app, provider_klass)
+    end
+
+    before do
+      allow(subject).to receive(:request) { request }
+    end
+
+    describe '#client' do
+      it 'has correct authorize url' do
+        expect(subject.client.options[:authorize_url]).to eql('https://login.contoso.com/adfs/oauth2/authorize')
+      end
+
+      it 'has correct token url' do
+        expect(subject.client.options[:token_url]).to eql('https://login.contoso.com/adfs/oauth2/token')
+      end
+    end
+  end
+
   describe 'raw_info' do
     subject do
       OmniAuth::Strategies::AzureActivedirectoryV2.new(app, {client_id: 'id', client_secret: 'secret'})