Improve MS graph API

LEDfan · LEDfan · commit d6932c5ff611 · 2025-06-23T16:07:43.000+02:00
diff --git a/src/main/java/eu/openanalytics/containerproxy/auth/impl/OpenIDAuthenticationBackend.java b/src/main/java/eu/openanalytics/containerproxy/auth/impl/OpenIDAuthenticationBackend.java
@@ -291,12 +291,15 @@ public LogoutSuccessHandler getLogoutSuccessHandler() {
 
     protected GrantedAuthoritiesMapper createAuthoritiesMapper() {
         if (microsoftGraphGroupFetcher != null) {
-            log.info("Using  MS graph");
             return authorities -> {
                 for (GrantedAuthority auth : authorities) {
                     if (auth instanceof OidcUserAuthority) {
                         OidcIdToken idToken = ((OidcUserAuthority) auth).getIdToken();
-                        return microsoftGraphGroupFetcher.fetchGroups(idToken.getSubject());
+                        if (!idToken.hasClaim("oid")) {
+                            log.warn("Required claim 'oid' not found, make sure to include the 'profile' scope - continuing without groups");
+                            return Set.of();
+                        }
+                        return microsoftGraphGroupFetcher.fetchGroups(idToken.getClaimAsString("oid"));
                     }
                 }
                 return Set.of();
diff --git a/src/main/java/eu/openanalytics/containerproxy/auth/impl/msgraph/MicrosoftGraphGroupFetcher.java b/src/main/java/eu/openanalytics/containerproxy/auth/impl/msgraph/MicrosoftGraphGroupFetcher.java
@@ -42,6 +42,7 @@
 
 import java.util.HashSet;
 import java.util.List;
+import java.util.Objects;
 import java.util.Set;
 
 @ConditionalOnProperty("proxy.ms-graph.client-id")
@@ -106,11 +107,14 @@ public Set<GrantedAuthority> fetchGroups(String userId) {
             }
 
             Set<GrantedAuthority> result = new HashSet<>(memberships.value.stream().map(m -> {
+                if (m == null || m.displayName == null) {
+                    return null;
+                }
                 String mappedRole = m.displayName
                     .toUpperCase()
                     .startsWith("ROLE_") ? m.displayName : "ROLE_" + m.displayName;
                 return new SimpleGrantedAuthority(mappedRole.toUpperCase());
-            }).toList());
+            }).filter(Objects::nonNull).toList());
             logger.debug("Received groups from Microsoft Graph api for user: {}, groups: {}", userId, result);
             return result;
         } catch (Exception e) {
