modified the process of fetching groups to send requests for them.

Author: ebagfey

docs/web/authentication.md

@@ -374,8 +374,11 @@ CodeChecker also supports OAuth-based authentication. The `authentication.method
 
       * `user_emails_url`
 
-          The URL is used for making requests for emails associated with github account.
-          This field only in relevant for github in current implementation.
+          `GitHub` specific field to make requests for emails associated with github account.
+
+      * `user_groups_url`
+
+          `Microsoft` specific field to request security groups that the user is member of.
 
       * `scope`
 
@@ -424,7 +427,6 @@ providers' settings when issuing an OAuth application.
 * Important: At the time this code was written, GitHub doesn't support PKCE (Proof Key for Code Exchange).
 Therefore PKCE is not used when users log in using GitHub.
 
-* Important: For the `Microsoft` provider, the `jwks_url` is used to fetch public keys that verify and decode the `id_token`. This token may include security groups, provided that Azure AD is configured to include groups as part of the token's optional claims.
 
 # Client-side configuration <a name="client-side-configuration"></a>
 

web/server/codechecker_server/api/authentication.py

@@ -14,7 +14,6 @@
 from authlib.integrations.requests_client import OAuth2Session
 from authlib.common.security import generate_token
 from authlib.oauth2.rfc7636 import create_s256_code_challenge
-from authlib.jose import JsonWebToken
 
 from urllib.parse import urlparse, parse_qs
 
@@ -379,15 +378,16 @@ def performLogin(self, auth_method, auth_string):
 
             try:
                 user_info = oauth2_session.get(user_info_url).json()
+                # retrieve group memberships for Microsoft
                 groups = []
                 if provider == 'microsoft':
-                    id_token = oauth_token['id_token']
-                    jwks_url = oauth_config["jwks_url"]
-                    fetched_jwks = oauth2_session.get(jwks_url).json()
-                    jwt = JsonWebToken(['RS256'])
-                    claims = jwt.decode(id_token, fetched_jwks)
-                    claims.validate()
-                    groups = claims['groups']
+                    access_token = oauth_token['access_token']
+                    user_groups_url = oauth_config["user_groups_url"]
+                    response = oauth2_session.get(user_groups_url).json()
+                    for group in response["value"]:
+                        if group["onPremisesSyncEnabled"] and \
+                            group["securityEnabled"]:
+                            groups.append(group["displayName"])
                 username = user_info[
                     oauth_config["user_info_mapping"]["username"]]
                 LOG.info("User info fetched, username: %s", username)

web/server/config/server_config.json

@@ -91,7 +91,7 @@
           "authorization_url": "https://login.microsoftonline.com/{tenant-id}/oauth2/v2.0/authorize",
           "callback_url": "http://server_host/login/OAuthLogin/provider",
           "token_url": "https://login.microsoftonline.com/{tenant-id}/oauth2/v2.0/token",
-          "jwks_url": "https://login.microsoftonline.com/{tenant-id}/discovery/v2.0/keys",
+          "user_groups_url" : "https://graph.microsoft.com/v1.0/me/memberOf",
           "user_info_url": "https://graph.microsoft.com/v1.0/me",
           "scope": "User.Read email profile openid offline_access",
           "user_info_mapping": {