Feature/tim ad exchange #2
Open
NayanthaRC wants to merge 3 commits into
This pull request implements a major refactor of Azure AD OAuth2 authentication for the Global Classifier project, consolidating the Azure AD logic into the TIM service and removing the separate azure-ad-service. Key improvements include new endpoints for Azure AD OAuth2 flows, streamlined JWT generation, and enhanced environment/configuration management.

Azure AD Authentication Refactor & Integration:
- New AzureAdController in TIM that handles the full Azure AD OAuth2 flow: authorization URL generation, token exchange, and JWT creation, including saving tokens and allowlisting sessions. This replaces the previous external azure-ad-service.
- New models in TIM (AzureAuthorizationResponse, AzureCallbackRequest) and migrated related code from the old service. [1] [2]
- TIM security configuration updated to allow unauthenticated access to /azure-ad/** endpoints.

Workflow & API Changes:
- Workflows (GET/oauth2/authorization-azure.yml and GET/oauth2/callback-azure.yml) updated to interact with the new endpoints in TIM instead of the old service, and simplified the callback logic to rely on the new JWT generation endpoint. [1] [2] [3] [4] [5]

Configuration and Environment Management:
- .env.example updated with new Azure AD and role mapping variables, and removed sensitive values from .env (which is now gitignored). [1] [2] [3]
- docker-compose.yml updated to inject new Azure AD environment variables into the tim service and removed the azure-ad-service container. [1] [2]

Security and Utility Improvements:
- CustomSessionAttributeSecurityFilter improved to handle comma-separated patterns and prevent empty/undefined lists. [1] [2]

Most important changes:

Azure AD Authentication Flow Refactor
- AzureAdController in TIM to handle Azure AD OAuth2 authorization, token exchange, and JWT generation, consolidating all related logic and removing the need for the separate azure-ad-service.
- Related models and code migrated into TIM. [1] [2]

Workflow & API Adjustments
- Workflows updated to use the new TIM endpoints for Azure AD authentication and simplified the callback logic for JWT issuance. [1] [2] [3] [4] [5]

Configuration and Environment
- .env.example updated with Azure AD and role mapping settings, removed secrets from .env, and ensured .env is gitignored. [1] [2] [3]
- docker-compose.yml updated to remove the azure-ad-service and pass new Azure AD variables to the tim container. [1] [2]

Security Improvements
- CustomSessionAttributeSecurityFilter improved. [1] [2]

Access Control
- Unauthenticated access permitted to /azure-ad/** endpoints in the TIM security configuration.
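The flow the description summarizes (authorization URL, callback and token exchange, JWT issuance) and the comma-separated pattern handling, as an added example in Python. It is not TIM's code or code from this PR: the tenant ID, client ID, redirect URI and the shape of the role map are assumptions, and the HTTP call to the token endpoint and JWKS signature verification of the Azure id_token are left out so the block runs offline. What it does show is the part that makes unauthenticated /azure-ad/** endpoints safe to expose: the callback only exchanges a code when the state matches the session that started the flow, the PKCE verifier never leaves the session, and an unset or empty pattern list becomes an empty list rather than a list containing one empty pattern.

```python
# Added example, not code from TIM or this PR: the three steps a consolidated
# Azure AD controller performs (authorize URL, callback + token exchange, JWT
# issue) and the comma-separated pattern parsing. Tenant, client id and
# redirect URI are placeholders (assumptions), not values from the project.
import base64
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

TENANT_ID = "11111111-2222-3333-4444-555555555555"      # placeholder tenant GUID
CLIENT_ID = "66666666-7777-8888-9999-000000000000"      # placeholder client id
REDIRECT_URI = "https://tim.example/azure-ad/callback"  # hypothetical path
AUTHORITY = f"https://login.microsoftonline.com/{TENANT_ID}"


def b64url(data: bytes) -> str:
    """Base64url without padding, as used by JWT and PKCE."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def parse_pattern_list(raw):
    """'a,b, c' -> ['a', 'b', 'c']; None or '' -> [] and never [''] (an empty
    pattern is not a valid matcher, and an unset list must not allow all)."""
    if not raw:
        return []
    return [p.strip() for p in raw.split(",") if p.strip()]


def build_authorization_url(session: dict) -> str:
    """Step 1: mint state (CSRF), nonce (replay) and a PKCE verifier, keep them
    in the caller's session, return the Azure AD authorize URL."""
    state = b64url(secrets.token_bytes(32))
    nonce = b64url(secrets.token_bytes(16))
    verifier = b64url(secrets.token_bytes(32))
    session.update({"oauth_state": state, "oidc_nonce": nonce, "pkce_verifier": verifier})
    params = {
        "client_id": CLIENT_ID, "response_type": "code", "redirect_uri": REDIRECT_URI,
        "scope": "openid profile email", "state": state, "nonce": nonce,
        "code_challenge": b64url(hashlib.sha256(verifier.encode()).digest()),
        "code_challenge_method": "S256",
    }
    return f"{AUTHORITY}/oauth2/v2.0/authorize?{urlencode(params)}"


def token_request_from_callback(session: dict, callback_url: str) -> dict:
    """Step 2: check the callback before using the code, then build the form
    body for POST {AUTHORITY}/oauth2/v2.0/token (HTTP call omitted: offline)."""
    q = parse_qs(urlparse(callback_url).query)
    if "error" in q:
        raise PermissionError(f"azure returned {q['error'][0]}")
    expected = session.pop("oauth_state", None)
    if not expected or not hmac.compare_digest(expected, q.get("state", [""])[0]):
        raise PermissionError("state mismatch: callback did not start in this session")
    if "code" not in q:
        raise PermissionError("no authorization code in callback")
    # client_secret is appended from the environment at send time, never logged
    return {"grant_type": "authorization_code", "client_id": CLIENT_ID,
            "code": q["code"][0], "redirect_uri": REDIRECT_URI,
            "code_verifier": session.pop("pkce_verifier")}


def id_token_claims_ok(claims: dict, session: dict, now=None) -> bool:
    """Claim checks after JWKS signature verification (signature step omitted)."""
    now = time.time() if now is None else now
    return (claims.get("iss") == f"{AUTHORITY}/v2.0" and claims.get("aud") == CLIENT_ID
            and claims.get("nonce") == session.get("oidc_nonce") and claims.get("exp", 0) > now)


def issue_tim_jwt(claims: dict, role_map: dict, secret: bytes, ttl=3600, now=None) -> str:
    """Step 3: map Azure role names to app roles (role_map is an assumed shape for
    the PR's role-mapping variables) and mint an HS256 JWT for the session."""
    now = int(time.time()) if now is None else now
    roles = sorted({role_map[r] for r in claims.get("roles", []) if r in role_map})
    enc = lambda obj: b64url(json.dumps(obj, separators=(",", ":")).encode())
    header = enc({"alg": "HS256", "typ": "JWT"})
    body = enc({"sub": claims["sub"], "roles": roles, "iat": now, "exp": now + ttl})
    sig = b64url(hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest())
    return f"{header}.{body}.{sig}"


def verify_tim_jwt(token: str, secret: bytes, now=None) -> dict:
    """Constant-time signature check plus expiry; returns the payload."""
    header, body, sig = token.split(".")
    good = b64url(hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(good, sig):
        raise PermissionError("bad signature")
    payload = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    if payload["exp"] <= (time.time() if now is None else now):
        raise PermissionError("expired")
    return payload
```

Two points worth carrying into a review of the real controller: the state and verifier are popped from the session on first use, so a replayed callback fails closed, and roles that have no entry in the role map are dropped rather than passed through, so a new Azure group grants nothing until it is mapped explicitly.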