diff --git a/apricot/oauth/keycloak_client.py b/apricot/oauth/keycloak_client.py
index d55fad4..3555610 100644
--- a/apricot/oauth/keycloak_client.py
+++ b/apricot/oauth/keycloak_client.py
@@ -33,7 +33,8 @@ def __init__(
 super().__init__(
 redirect_uri=redirect_uri,
- scopes=scopes,
+ scopes_application=scopes,
+ scopes_delegated=scopes,
 token_url=token_url,
 **kwargs,
 )
diff --git a/apricot/oauth/microsoft_entra_client.py b/apricot/oauth/microsoft_entra_client.py
index 681abb0..0970347 100644
--- a/apricot/oauth/microsoft_entra_client.py
+++ b/apricot/oauth/microsoft_entra_client.py
@@ -23,14 +23,14 @@ def __init__(
 @param entra_tenant_id: Tenant ID for the Entra ID
 """
 redirect_uri = "urn:ietf:wg:oauth:2.0:oob" # this is the "no redirect" URL
- scopes = ["https://graph.microsoft.com/.default"] # this is the default scope
 token_url = (
 f"https://login.microsoftonline.com/{entra_tenant_id}/oauth2/v2.0/token"
 )
- self.tenant_id = entra_tenant_id
+ # Use default application scope and minimal delegated scopes
 super().__init__(
 redirect_uri=redirect_uri,
- scopes=scopes,
+ scopes_application=["https://graph.microsoft.com/.default"],
+ scopes_delegated=["openid"],
 token_url=token_url,
 **kwargs,
 )
diff --git a/apricot/oauth/oauth_client.py b/apricot/oauth/oauth_client.py
index 49797b3..34eddba 100644
--- a/apricot/oauth/oauth_client.py
+++ b/apricot/oauth/oauth_client.py
@@ -29,7 +29,8 @@ def __init__(
 client_secret: str,
 debug: bool, # noqa: FBT001
 redirect_uri: str,
- scopes: list[str],
+ scopes_application: list[str],
+ scopes_delegated: list[str],
 token_url: str,
 uid_cache: UidCache,
 ) -> None:
@@ -61,7 +62,7 @@ def __init__(
 self.session_application = OAuth2Session(
 client=BackendApplicationClient(
 client_id=client_id,
- scope=scopes,
+ scope=scopes_application,
 redirect_uri=redirect_uri,
 ),
 )
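Review bot: Passing the same `scopes` list as both `scopes_application=scopes` and `scopes_delegated=scopes` gives the password-grant session every scope the client-credentials session has, whereas the Entra client in this same commit narrows its delegated set to `["openid"]`. If the Keycloak `scopes` argument can carry more than credential verification needs, a separate constructor argument (or a narrower fixed list) for the delegated side would keep the user-credential token least-privilege. If the list is already minimal for Keycloak, a short comment saying so, e.g. `# Keycloak: one scope set serves both grant types`, would make the asymmetry with the Entra client intentional rather than accidental. The enclosing `__init__` starts outside the hunk.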
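Review bot: Removing `self.tenant_id = entra_tenant_id` drops a public attribute, which breaks any code that still reads `tenant_id` on an Entra client; the diff does not show whether such readers exist, so this should be confirmed before merge. The tenant is still embedded in `token_url`, so only the standalone attribute is lost. If retiring the attribute is intentional, saying so in the commit message (or keeping a one-line `self.tenant_id = entra_tenant_id` until callers are checked) would save the next reader the search. The enclosing `__init__` starts outside the hunk.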
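Review bot: The `__init__` docstring that follows this signature lies outside the hunk and is not touched by the commit; if it documents `@param scopes`, it is now stale and should describe both new parameters, e.g. `@param scopes_application: Scopes requested by the client-credentials (BackendApplicationClient) session` and `@param scopes_delegated: Scopes requested by the password-grant (LegacyApplicationClient) session used to verify user credentials`. Replacing `scopes` with two required parameters is also a breaking change for any `OAuthClient` subclass not updated here; only the Keycloak and Entra subclasses appear in this diff, so any other subclass or direct caller would need the same treatment. The same point applies to the `scope=scopes_application` hunk at line 61 and the `scope=scopes_delegated` hunk at line 76, which are where the two parameters are consumed.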
@@ -76,7 +77,7 @@ def __init__(
 self.session_interactive = OAuth2Session(
 client=LegacyApplicationClient(
 client_id=client_id,
- scope=scopes,
+ scope=scopes_delegated,
 redirect_uri=redirect_uri,
 ),
 )
@@ -180,7 +181,7 @@ def verify(self: Self, username: str, password: str) -> bool:
 client_secret=self.client_secret,
 )
 except InvalidGrantError as exc:
- log.msg(f"Authentication failed.\n{exc}")
+ log.msg(f"Authentication failed for user '{username}'.\n{exc}")
 return False
 else:
 return True
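Review bot: The new log line interpolates `username` directly inside quotes; this value presumably arrives from the caller's bind request and is therefore attacker-controlled, so a username containing newlines or control characters can forge additional log records, and the message already relies on a `\n` separator. Using the repr conversion escapes such characters: `log.msg(f"Authentication failed for user {username!r}.\n{exc}")`. Recording the username on failed binds is the right call for spotting credential-stuffing, so the addition itself should stay. `exc` is the library's InvalidGrantError text, which should not include the submitted password, but that is worth confirming against the oauthlib version in use. The enclosing `verify` starts outside the hunk.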