Skip to content

feat(auth): handle EntraID group overage via Graph fallback with configurable limits#2985

Merged
crivetimihai merged 6 commits intomainfrom
entra-group-limit
Feb 20, 2026
Merged

feat(auth): handle EntraID group overage via Graph fallback with configurable limits#2985
crivetimihai merged 6 commits intomainfrom
entra-group-limit

Conversation

@crivetimihai
Copy link
Copy Markdown
Member

@crivetimihai crivetimihai commented Feb 17, 2026
edited
Loading

Summary

  • add EntraID Graph overage fallback in SSO (POST /me/getMemberObjects)
  • add configurable settings for fallback enablement, timeout, and max groups retained
  • expand overage detection to cover _claim_names, hasgroups, and groups:srcN markers
  • wire settings into SSO bootstrap metadata and update Entra default scope to include User.Read
  • update docs, Helm values, and config schema outputs
  • add unit tests for success, failure, timeout, cap, and metadata override paths

Issue

Closes #2201

@crivetimihai crivetimihai self-assigned this Feb 17, 2026
@crivetimihai crivetimihai added this to the Release 1.0.0-GA milestone Feb 17, 2026
@crivetimihai crivetimihai mentioned this pull request Feb 17, 2026
Merged
10 tasks
@crivetimihai
Copy link
Copy Markdown
Member Author

crivetimihai commented Feb 17, 2026
edited
Loading

Just rebased on top of: fix: enhance OAuth callback handling for error responses and missing authorization code #2899

jonpspri
jonpspri previously approved these changes Feb 17, 2026
View reviewed changes
Copy link
Copy Markdown
Collaborator

@jonpspri jonpspri left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This PR adds EntraID group overage Graph API fallback with configurable limits, OAuth callback error handling with XSS remediation, and Entra v2 resource parameter omission — all backed by thorough unit tests, E2E tests, and documentation updates. The review identified strong security practices (HTML escaping, exact hostname validation, graceful degradation) and found two minor code quality issues: an f-string concatenated with a string literal in a logger.warning call (replaced with %s lazy formatting) and unnecessary getattr() defensive access on settings fields that are defined with defaults (replaced with direct attribute access). Both fixes were applied and committed as 695ec8d62. No additional E2E test cases were needed, as the Graph fallback paths are impractical to test against real Azure infrastructure and are already well-covered by unit tests.

crivetimihai and others added 6 commits February 20, 2026 22:50
@crivetimihai
feat(auth): add EntraID group overage Graph fallback limits
9a1ef4a 
Implement Microsoft Graph fallback for EntraID group overage in SSO flow, with configurable enable/timeout/max-group cap, expanded overage marker detection, bootstrap wiring, docs/config schema updates, and unit coverage.\n\nCloses #2201

Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>
@crivetimihai
fix(auth): resolve pylint R1716 in Entra group cap logic
b96a6fc 
Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>
@crivetimihai
test(auth): cover Entra Graph fallback edge branches
5a37f5a 
Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>
@crivetimihai
fix(auth): use securityEnabledOnly and enforce timeout upper bound in…
8271db7 
… Graph fallback

- Change getMemberObjects securityEnabledOnly from false to true so only
  security-enabled groups and directory roles are returned (excludes
  administrative units that could cause unintended role mappings)
- Enforce 120s upper bound on graph_api_timeout from provider_metadata
  overrides, matching the config schema constraint (ge=1, le=120)

Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>
@jonpspri @crivetimihai
fix(auth): use lazy log formatting and remove defensive getattr in Gr…
7f9e9d3 
…aph fallback

Replace f-string concatenation with %s lazy formatting in the overage
warning log and drop unnecessary getattr() calls in sso_bootstrap since
the settings fields are defined with defaults on the Settings class.
Also improve overage troubleshooting docs and fix stale references.

Signed-off-by: Jonathan Springer <jps@s390x.com>
@crivetimihai
fix(auth): reject null/unsupported types in Graph fallback enabled ov…
a150511 
…erride

Replace blind bool() coercion with explicit int handling and a warning
for unrecognised types so that provider_metadata.graph_api_enabled=null
no longer silently disables the Graph overage fallback.

Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>
@crivetimihai
Copy link
Copy Markdown
Member Author

crivetimihai commented Feb 20, 2026
edited
Loading

Review Changes

Rebased onto main and made the following changes:

Fixes

  • Hardened graph_api_enabled override parsing: replaced blind bool() coercion with explicit int handling and a warning for unrecognised types. Previously, provider_metadata.graph_api_enabled: null (JSON null) would silently disable the Graph overage fallback via bool(None) → False. Now None and unsupported types keep the configured default and log a warning.

Commit History

a150511dc fix(auth): reject null/unsupported types in Graph fallback enabled override
7f9e9d385 fix(auth): use lazy log formatting and remove defensive getattr in Graph fallback
8271db75f fix(auth): use securityEnabledOnly and enforce timeout upper bound in Graph fallback
5a37f5a7c test(auth): cover Entra Graph fallback edge branches
b96a6fc4e fix(auth): resolve pylint R1716 in Entra group cap logic
9a1ef4a48 feat(auth): add EntraID group overage Graph fallback limits

All 119 unit tests pass.

@crivetimihai crivetimihai added SHOULD P2: Important but not vital; high-value items that are not crucial for the immediate release enhancement New feature or request labels Feb 20, 2026
@crivetimihai crivetimihai merged commit 9580158 into main Feb 20, 2026
53 of 54 checks passed
@crivetimihai crivetimihai deleted the entra-group-limit branch February 20, 2026 23:18
vishu-bh pushed a commit that referenced this pull request Feb 24, 2026
@crivetimihai @jonpspri
feat(auth): handle EntraID group overage via Graph fallback with conf…
263ad64 
…igurable limits (#2985)

* feat(auth): add EntraID group overage Graph fallback limits

Implement Microsoft Graph fallback for EntraID group overage in SSO flow, with configurable enable/timeout/max-group cap, expanded overage marker detection, bootstrap wiring, docs/config schema updates, and unit coverage.\n\nCloses #2201

Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>

* fix(auth): resolve pylint R1716 in Entra group cap logic

Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>

* test(auth): cover Entra Graph fallback edge branches

Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>

* fix(auth): use securityEnabledOnly and enforce timeout upper bound in Graph fallback

- Change getMemberObjects securityEnabledOnly from false to true so only
  security-enabled groups and directory roles are returned (excludes
  administrative units that could cause unintended role mappings)
- Enforce 120s upper bound on graph_api_timeout from provider_metadata
  overrides, matching the config schema constraint (ge=1, le=120)

Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>

* fix(auth): use lazy log formatting and remove defensive getattr in Graph fallback

Replace f-string concatenation with %s lazy formatting in the overage
warning log and drop unnecessary getattr() calls in sso_bootstrap since
the settings fields are defined with defaults on the Settings class.
Also improve overage troubleshooting docs and fix stale references.

Signed-off-by: Jonathan Springer <jps@s390x.com>

* fix(auth): reject null/unsupported types in Graph fallback enabled override

Replace blind bool() coercion with explicit int handling and a warning
for unrecognised types so that provider_metadata.graph_api_enabled=null
no longer silently disables the Graph overage fallback.

Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>

---------

Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>
Signed-off-by: Jonathan Springer <jps@s390x.com>
Co-authored-by: Jonathan Springer <jps@s390x.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jonpspri jonpspri jonpspri left review comments

@kevalmahajan kevalmahajan Awaiting requested review from kevalmahajan kevalmahajan is a code owner

@madhav165 madhav165 Awaiting requested review from madhav165 madhav165 is a code owner

Assignees

@crivetimihai crivetimihai

Labels

enhancement New feature or request SHOULD P2: Important but not vital; high-value items that are not crucial for the immediate release

Projects

None yet

Milestone

Release 1.0.0-RC2

Development

Successfully merging this pull request may close these issues.

[FEATURE][AUTH]: Limitation for number of groups that can be fetched with EntraID

2 participants

@crivetimihai @jonpspri