Merge pull request #48 from alan-turing-institute/47-reduce-entra-verification-scope

Reduce entra verification scope

Author: jemrobinson

apricot/oauth/keycloak_client.py

@@ -33,7 +33,8 @@ def __init__(
 
         super().__init__(
             redirect_uri=redirect_uri,
-            scopes=scopes,
+            scopes_application=scopes,
+            scopes_delegated=scopes,
             token_url=token_url,
             **kwargs,
         )

apricot/oauth/microsoft_entra_client.py

@@ -23,14 +23,14 @@ def __init__(
         @param entra_tenant_id: Tenant ID for the Entra ID
         """
         redirect_uri = "urn:ietf:wg:oauth:2.0:oob"  # this is the "no redirect" URL
-        scopes = ["https://graph.microsoft.com/.default"]  # this is the default scope
         token_url = (
             f"https://login.microsoftonline.com/{entra_tenant_id}/oauth2/v2.0/token"
         )
-        self.tenant_id = entra_tenant_id
+        # Use default application scope and minimal delegated scopes
         super().__init__(
             redirect_uri=redirect_uri,
-            scopes=scopes,
+            scopes_application=["https://graph.microsoft.com/.default"],
+            scopes_delegated=["openid"],
             token_url=token_url,
             **kwargs,
         )

apricot/oauth/oauth_client.py

@@ -29,7 +29,8 @@ def __init__(
         client_secret: str,
         debug: bool,  # noqa: FBT001
         redirect_uri: str,
-        scopes: list[str],
+        scopes_application: list[str],
+        scopes_delegated: list[str],
         token_url: str,
         uid_cache: UidCache,
     ) -> None:
@@ -61,7 +62,7 @@ def __init__(
             self.session_application = OAuth2Session(
                 client=BackendApplicationClient(
                     client_id=client_id,
-                    scope=scopes,
+                    scope=scopes_application,
                     redirect_uri=redirect_uri,
                 ),
             )
@@ -76,7 +77,7 @@ def __init__(
             self.session_interactive = OAuth2Session(
                 client=LegacyApplicationClient(
                     client_id=client_id,
-                    scope=scopes,
+                    scope=scopes_delegated,
                     redirect_uri=redirect_uri,
                 ),
             )
@@ -180,7 +181,7 @@ def verify(self: Self, username: str, password: str) -> bool:
                 client_secret=self.client_secret,
             )
         except InvalidGrantError as exc:
-            log.msg(f"Authentication failed.\n{exc}")
+            log.msg(f"Authentication failed for user '{username}'.\n{exc}")
             return False
         else:
             return True