[Integrate-1693] query groups via Graph API, use env for required claim #1707
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
suwarnoong
requested review from
KangJingA,
SantanM,
csafreen,
hengxian-jiang,
p-hoffmann and
satish-a0
as code owners
Contributor
There was a problem hiding this comment.
Pull request overview
This pull request implements two main changes: (1) migrates from reading Azure AD group memberships from token claims to querying them via the Microsoft Graph API, and (2) makes the required claim name for OIDC tokens configurable via an environment variable instead of being hardcoded.
Changes:
- Added configurable
IDP_REQUIRED_CLAIMenvironment variable to make the required token claim name flexible - Implemented Graph API integration to fetch user groups via the
/me/memberOfendpoint instead of relying on groups claim in tokens - Added configurable scopes field to Azure AD connector configuration
Reviewed changes
Copilot reviewed 7 out of 7 changed files in this pull request and generated 9 comments.
Show a summary per file
| File | Description |
|---|---|
| ui/apps/portal/src/containers/auth/oidc/OidcApp.tsx | Updates OIDC token validation to use configurable required claim name from environment variable |
| services/trex/core/server/routes/portal.ts | Passes IDP_REQUIRED_CLAIM environment variable to frontend |
| services/trex/core/server/env.ts | Adds IDP_REQUIRED_CLAIM to server environment configuration |
| services/alp-logto/connector-alp-azuread/src/types.ts | Adds optional scopes field to Azure AD connector configuration schema |
| services/alp-logto/connector-alp-azuread/src/index.ts | Implements getUserGroups function to query Graph API, adds parseScopes utility, and updates token exchange error handling |
| services/alp-logto/connector-alp-azuread/src/constant.ts | Renames scopes constant to defaultScopes, adds Graph API memberOf endpoint, and adds scopes configuration field |
| docker-compose.yml | Sets default value for IDP_REQUIRED_CLAIM and updates example connector configuration comment |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
hengxian-jiang
approved these changes
Jan 26, 2026
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Merge Checklist
Please cross check this list if additions / modifications needs to be done on top of your core changes and tick them off. Reviewer can as well glance through and help the developer if something is missed out.
developbranch)