Pass resource parameter in login url

[codablock]

Description

This passes the value given by --resource=<my-resource> to the login url.

Motivation and Context

Without this, Azure will always return access tokens for graph.microsoft.com, which is not what one would expect when --resource is used. The modified method is not Azure specific, but I would assume that the resource parameter should also be present in other providers.

How Has This Been Tested?

We have this code (based on a master version shortly after 6.0.0 was released) running in production since a few weeks.

Checklist:

• My change requires a change to the documentation or CHANGELOG.
• I have updated the documentation/CHANGELOG accordingly.
• I have created a feature (non-master) branch for my PR.

[NickMeves]

This is already a string type and defaults to "". You can simplify this logic and mirror this line's format: if p.AcrValues != "" {

Can you add a unit test for this addition?

[codablock]

As of current master, this is of type *url.URL, so I need to verify that it is not nil before checking for emptyness. I'll try to add a unit test.

[NickMeves]

Ack - you are right! I was looking at the options ProtectedResource that made it - thanks!

[NickMeves]

OK - I had a chance to research this more:

I think since this is a flag that is documented as Azure only, it shouldn't be added on the default GetLoginURL method, it should be under azure.go (which means making a GetLoginURL under AzureProvider)

...but I see a commit from 5 years ago where it was added to the default Redeem even though this is only set by the AzureProvider and the AzureProvider implements its own Redeem method. 🤷‍♂️

Can you take a try at getting this completely Azure specific?

Otherwise we can do it as you've listed here (having it part of defaults for both Redeem & GetLoginURL) -- I'd just like to update the documentation for the --resource flag that it applies to all providers and remove the note that it is an Azure only flag.

[codablock]

Ah I was not aware that the --resource flag was meant to be Azure specific. I moved the code into azure.go

[NickMeves]

I don't know if any of the maintainers are Azure users -- can you point me at some Azure documentation of what this does?

And share some sample config values you have for your environment for this flag so I can better visualize?

[codablock]

@NickMeves I've added a unit test for the resource=xxx parameter.

Unfortunately it is a huge mess to navigate through Azure AD documentation and keep track of all the details and how stuff is related to other stuff...so I have no idea anymore where I got this info from. Googling for it I found this Stackoverflow entry which describes the resource parameter in the selected answer, but also fails to mention the documentation that actually describes it.

[codablock]

@NickMeves I've refactored the default_provider.go GetLoginURL in a way so that it can be re-used by other providers. Azure now uses the new DefaultGetLoginURL and then adds azure specific stuff to the params. And just for fun, I used the same method to de-duplicate the logingov provider.

[NickMeves]

I think this is a step in the right direction 👍

Let's refactor it a bit. Let's move this over to providers/util.go with the other provider helpers and call it makeLoginURL or something.

It might be over-optimization if it is only used in a couple places, but I'm not a fan of the helper returning the raw url.URL, url.Values and requiring the consumers to know to do this:

	a, params := DefaultGetLoginURL(p.ProviderData, redirectURI, state)
	// CUSTOMIZE PARAMS HERE
	a.RawQuery = params.Encode()
	return a.String()

Maybe make a light struct around this with a few helper methods to do what we need as far as param add/set + String()

[codablock]

I came up with an alternative form of the method that simply requires to pass extraParams, which should make it very clear for the caller what is expected. Pushed 2 commits with the related changes.

[NickMeves]

@codablock Just an FYI - I need to think about the repercussions more, but I think this and your other PR might barely hover on the breaking change threshold between requiring a minor vs major release to get this functionality out. (for instance --cookie-refresh & the session validation never did anything in the past for Azure - but it wasn't documented that it wasn't Azure supported, so users might've set flags and not realized they were no-ops and then starting to care about them might break setups).

But the point might be moot - I'm chatting with @JoelSpeed about our next release potentially being v7 since we are starting to get to a critical mass of PRs that need a major release.

We'll keep you posted.

[codablock]

@NickMeves I'm fine with this being a major release and thus needing more time. We're already running oauth2-proxy from a forked branch with the necessary changes merged.

[NickMeves]

Thanks for the changes & refactoring. Looks good!

Please go ahead and add a CHANGELOG entry.

Per our discussion, I'm going to wait to merge this until we are positive our next release is a major (its looking like it, though).

[codablock]

@NickMeves please see #787 for CHANGELOG.

[NickMeves]

I'm ready to merge this one -- can you get the CHANGELOG entry over in this PR and not split out and rebase?

@JoelSpeed wanted to take a peek at #754 still

[JoelSpeed]

I agree, let's get this PR rebased, add the changelog into this PR and then we can merge, it's much easier to look back at changes if the changelog entry is in the same PR

Do we need to update the docs at all?

[codablock]

Rebased on master and added changelog entry for this PR.

[NickMeves]

1 last NIT on the CHANGELOG then we're good to go!

[NickMeves]

Can you add in the PR link to associate with this breaking change note to tie it to the CHANGELOG entry below?

Once that's in, I'll merge 👍

[codablock]

@NickMeves done

[NickMeves]

Thanks for all the work on this!