oidc/entra hardcoded to graph.microsoft.com in 4 places

[ezrizhu]

idp/entra hardcodes to graph.microsoft.com in 4 instances below. likely left over during development?

sssd/src/oidc_child/oidc_child_id.c

Line 114 in 0458e65

uri = talloc_asprintf(rest_ctx, "https://graph.microsoft.com/v1.0/users?$filter=%s", filter_enc);

Currently the configuration already lets you change the graph url for userinfo and idp_id_scope

sssd/src/man/sssd-idp.5.xml

Line 257 in 0458e65

idp_userinfo_endpoint = https://graph.microsoft.com/v1.0/me

Some entra tenants are on the microsoft.us domain, which results to microsoft sending 401 on lookups when oidc attempts to talk to the hardcoded urls at graph.microsoft.com

can confirm replacing the code from graph.microsoft.com to graph.microsoft.us solves the issue.

using release 2.11.1

[sumit-bose]

Hi,

thank you for your report. I have to admin that those are not left overs from development but my understand after reading Microsoft's documentation was that the "com" variant provides the generic endpoints for everything. And to make configuration more clear I didn't implement changing the base URL for Entra ID only for Keycloak as mentioned in the sssd-idp man page "Depending on the IdP product additional platform specific options might follow the name separated by a colon (:). E.g. for Keycloak the base URI for the user and group REST API must be given. For Entra ID this is not needed because there is a generic endpoint for all tenants.".

Since it looks like you already worked on the code to make it work for you I wonder if you would like to provide a patch so that the base URL can be given for Entra ID as well like e.g.

idp_type = entra_id:https://graph.microsoft.us/v1.0/

If not, I will prepare a patch.

bye,
Sumit

[ezrizhu]

yeah the graph url thing was super confusing and tripped us up aswell.
https://learn.microsoft.com/en-us/graph/deployments

Happy to prepare a patch :-)

[alexey-tikhonov]

Hi @ezrizhu,

will you able to work on this upcoming days/weeks?

[ezrizhu]

Hi yes sorry, in the next 7 days for sure.