Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

A new resource to assign scopes (delegated oauth permissions) for an application #591

Closed
ilya-git opened this issue Sep 23, 2021 · 8 comments · Fixed by #676
Closed

A new resource to assign scopes (delegated oauth permissions) for an application #591

ilya-git opened this issue Sep 23, 2021 · 8 comments · Fixed by #676
Labels
feature/applications new-resource

Comments

@ilya-git
Copy link

ilya-git commented Sep 23, 2021
edited
Loading

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritise this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritise the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

The provider has a new resources now that is called azuread_app_role_assignment. It is now possible to grant app role assignments, but it does not seem to work with scopes. As this issue mentions, we can only create "request" for the required access using required_resource_access. And while it does now work for type "Role", there is still now way that I have found to do the same for the "Scope" (I have tried with azuread_app_role_assignment and it fails).

required_resource_access {
  resource_app_id = "00000003-0000-0000-c000-000000000000"

  resource_access {
    id   = "7427e0e9-2fba-42fe-b0c0-848c9e6a8182" # offline_access
    type = "Scope"
  }

  resource_access {
    id   = "37f7f235-527c-4136-accd-4a02d197296e" # openid
    type = "Scope"
  }
}

New or Affected Resource(s)

  • azuread_scope_assignment [NEW]

Potential Terraform Configuration

resource "azuread_scope_assignment" "test" {
  principal_id = azuread_service_principal.test.id
  app_id         = "00000003-0000-0000-c000-000000000000" # Microsoft Graph
  scope_ids    = ["37f7f235-527c-4136-accd-4a02d197296e"] # openid
}

It seems that azuread_application_pre_authorized can be used for this purpose, but it did not work for me in the case of Microsoft graph with this error:

Application with object ID "MsGraph.ObjectId" was not found

References
@ilya-git ilya-git changed the title A new resources to assign scopes for an application A new resource to assign scopes for an application Sep 23, 2021
@ilya-git ilya-git mentioned this issue Sep 24, 2021
Closed
@dvdvorle
Copy link

pre_authorized also doesn't work in B2C tenants, so there's another use case.

@ilya-git
Copy link
Author

ilya-git commented Sep 24, 2021
edited
Loading

That's actually the case for us! We use B2C, I forgot to mention that as that is probably why it does not work, thanks for noting, so it is probably not msgraph problem, but B2C problem

@manicminer
Copy link
Contributor

manicminer commented Oct 12, 2021
edited
Loading

Just a note to mirror my comments on the related issue #595 - I don't believe pre-authorized applications are related to this.

I don't believe there is support for programmatic authorization of consent requests for delegated permissions. App role assignments work with service principals and therefore application permissions (roles), but delegated permissions (scopes) have their own interactive consent workflows, which, for high-level permissions, require involvement from an administrator.

For example, there is a dedicated endpoint that applications can use to have admins consent to the permissions they need and this can be built into your application(s). Each tenant also has an Admin Consent Request Policy (this is something we could implement, please open a feature request if you're interested!) which specifies who will be notified by email for consent requests and how often.

As such, this is a platform limitation which we aren't in a position to implement until such a time as programmatic access to this feature might be released. I would suggest reaching out via your support channels to let Microsoft know you are interested in this! Accordingly, as this isn't a viable feature for the provider, I'm going to close this one for now. Thanks!

@manicminer manicminer added the invalid This doesn't seem right label Oct 12, 2021
@dvdvorle
Copy link

Hi @manicminer, I'm pretty sure there already is programmatic access to this feature. Please take a look at the oAuth2PermissionGrant resource type.

I currently use this module as a workaround, as if it's said resource in the title of this issue:

variable "resource_service_principal_object_id" {
  type = string
}

variable "client_service_principal_object_id" {
  type = string
}

variable "scope" {
  type = string
}

variable "azure_config_dir" {
  type = string
}

resource "null_resource" "consent" {
  triggers = {
    resource = var.resource_service_principal_object_id
    client   = var.client_service_principal_object_id
    scope    = var.scope
  }

  provisioner "local-exec" {
    command     = <<-GRANTCONSENTCMD
      az rest --method POST \
        --uri 'https://graph.microsoft.com/v1.0/oauth2PermissionGrants' \
        --headers 'Content-Type=application/json' \
        --body '{
          "clientId": "${self.triggers.client}",
          "consentType": "AllPrincipals",
          "resourceId": "${self.triggers.resource}",
          "scope": "${self.triggers.scope}"
        }'
      GRANTCONSENTCMD
    interpreter = ["bash", "-c"]
    environment = {
      AZURE_CONFIG_DIR = var.azure_config_dir
    }
  }
}

p.s. coming from the OIDC spec, I very much dislike the MS API terminology. clientId and resourceId should be the client's and resource's appId, not their principals' objectIds.. if this abstraction could make it into this new resource that'd be great ;-)

@ilya-git
Copy link
Author

MS API terminology is all but consistent as they use different names in GUI/API/CLI, but that' what we have to live with. You can check this command @dvdvorle , it's simpler than calling az rest and may satisfy your needs:

az ad app permission grant --api 00000003-0000-0000-c000-000000000000 --id ${azuread_service_principal.myapp.application_id} --scope 'openid offline_access'

I have also figured out that Azure has some cache and had to make sleep 30 before this command to make sure app is created before the command is ran.

@dvdvorle
Copy link

Thanks @ilya-git, that's what I was using before! But that command still uses the old aad graph api under the hood. The resource I linked to is part of the newer ms graph api, so I think that's what @manicminer was looking for.

@manicminer manicminer added new-resource and removed invalid This doesn't seem right labels Oct 13, 2021
@manicminer
Copy link
Contributor

@dvdvorle Thanks! I stand corrected 🙇

In that case, marking this is a feature request and we'll be happy to implement this :)

@manicminer manicminer reopened this Oct 13, 2021
@ilya-git ilya-git changed the title A new resource to assign scopes for an application A new resource to assign scopes (delegated oauth permissions) for an application Nov 12, 2021
@manicminer manicminer mentioned this issue Nov 24, 2021
Merged
@github-actions
Copy link

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Dec 26, 2021
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
feature/applications new-resource
Projects
None yet
Milestone
No milestone
3 participants
@dvdvorle @manicminer @ilya-git