Bug: Unsupported OIDC Scopes #1023

Open
spyr0-sec opened this issue Dec 17, 2024 · 0 comments
Labels
bug Something isn't working triage This issue requires triaging

Comments

@spyr0-sec (Contributor)

Description:

The static OIDC configuration contains scopes which are not supported by EntraID and other identity providers

Are you intending to fix this bug?

No

Component(s) Affected:

  • UI
  • API

Steps to Reproduce:

  1. Settings
  2. Administration
  3. SSO Configuration
  4. Configure SSO Provider

Expected Behavior:

The identity provider is correctly configured for SSO

Actual Behavior:

The OAuth config includes scopes which are not supported and therefore returns error messages

Screenshots/Code Snippets/Sample Files:

https://github.com/SpecterOps/BloodHound/blob/v6.3.0/cmd/api/src/api/v2/auth/oidc.go#L109

Environment Information:

BloodHound: v6.3.0

Additional Information:

For our identity provider, only "openid", "profile", "email" are supported.

As per the Slack thread, EntraID is complaining about the email_verified scope

Potential Solution (optional):

Make the configuration more customisable with the ability to select which scopes are required for the given IdP

Related Issues:

N/A

Contributor Checklist:

  • I have searched the issue tracker to ensure this bug hasn't been reported before or is not already being addressed.
  • I have provided clear steps to reproduce the issue.
  • I have included relevant environment information details.
spyr0-sec added the labels bug and triage on Dec 17, 2024
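The following Go program is an added example, not BloodHound's code and not posted by the issue author. It shows the check the proposed fix would need if the scope list became configurable: read the provider's OpenID discovery document, and filter the operator's scope list against the `scopes_supported` it advertises before building the authorization request, so that a scope the IdP does not know (such as a claim name mistaken for a scope) is dropped instead of producing an error at the provider. The discovery document is constructed to mirror the IdP in the report (only openid, profile and email), and the `ResolveScopes` function, its signature and the `providerMetadata` type are assumptions for illustration.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// providerMetadata is the subset of the OpenID Provider Metadata
// (the /.well-known/openid-configuration document) used here.
// Assumed shape for this example; only these two fields are read.
type providerMetadata struct {
	Issuer          string   `json:"issuer"`
	ScopesSupported []string `json:"scopes_supported"`
}

// sampleDiscovery is a constructed discovery document for an IdP that,
// like the one in the issue, advertises only openid, profile and email.
const sampleDiscovery = `{
  "issuer": "https://idp.example.test",
  "scopes_supported": ["openid", "profile", "email"]
}`

// ResolveScopes filters the operator-configured scope list against the
// scopes the provider advertises. It returns the scopes to request (in
// configured order, duplicates removed, with "openid" forced to the front
// because every OIDC authentication request must carry it) and the scopes
// dropped as unsupported. scopes_supported is RECOMMENDED, not REQUIRED,
// in the discovery spec; when it is absent nothing can be validated and the
// configured list is returned as-is.
func ResolveScopes(discovery []byte, configured []string) (requested, dropped []string, err error) {
	var md providerMetadata
	if uerr := json.Unmarshal(discovery, &md); uerr != nil {
		return nil, nil, fmt.Errorf("parsing discovery document: %w", uerr)
	}
	if len(configured) == 0 {
		return nil, nil, errors.New("no scopes configured")
	}

	// Build the request list: openid first, no duplicates.
	requested = []string{"openid"}
	seen := map[string]bool{"openid": true}
	for _, s := range configured {
		if !seen[s] {
			seen[s] = true
			requested = append(requested, s)
		}
	}

	if len(md.ScopesSupported) == 0 {
		return requested, nil, nil // provider did not advertise scopes; cannot validate
	}
	supported := make(map[string]bool, len(md.ScopesSupported))
	for _, s := range md.ScopesSupported {
		supported[s] = true
	}
	if !supported["openid"] {
		return nil, nil, fmt.Errorf("issuer %q does not advertise the openid scope", md.Issuer)
	}

	// Filter in place: keep what the provider supports, report the rest.
	kept := requested[:0]
	for _, s := range requested {
		if supported[s] {
			kept = append(kept, s)
		} else {
			dropped = append(dropped, s)
		}
	}
	return kept, dropped, nil
}

func main() {
	req, dropped, err := ResolveScopes([]byte(sampleDiscovery),
		[]string{"openid", "profile", "email", "email_verified"})
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Println("requesting:", req)    // [openid profile email]
	fmt.Println("dropped:   ", dropped) // [email_verified]
}
```

Dropping unsupported scopes silently is a choice: an operator who relies on a claim that a dropped scope would have released (for example email) should be warned, so in a real implementation the `dropped` list belongs in the SSO configuration UI or the API's validation response rather than only in a log line.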