added oidc as a env var

README.md

@@ -56,6 +56,7 @@ module.exports = ({env}) => ({
       AZUREAD_OAUTH_CLIENT_ID: '[Client ID created in AzureAD]', // [Application (client) ID]
       AZUREAD_OAUTH_CLIENT_SECRET: '[Client Secret created in AzureAD]',
       AZUREAD_SCOPE: 'user.read', // https://learn.microsoft.com/en-us/graph/permissions-reference
+      AZUREAD_OAUTH_USE_OIDC: 'true', // 
     }
   }
 })

docs/en/azuread/setup.md

@@ -17,6 +17,7 @@ This document provides instructions for integrating AzureAD as a Single Sign-On
 | AZUREAD_TENANT_ID           | ✅       | -                                                        |
 | AZUREAD_OAUTH_REDIRECT_URI  | -        | http://localhost:1337/strapi-plugin-sso/azuread/callback |
 | AZUREAD_SCOPE               | -        | user.read                                                |
+| AZUREAD_OAUTH_USE_OIDC      | -        | true                                                     |
 
 ### Configuring environment variables
 
@@ -27,5 +28,6 @@ Use the following environment variables to configure the AzureAD integration:
 3. `AZUREAD_TENANT_ID`: The Tenant ID created in AzureAD.
 4. `AZUREAD_OAUTH_REDIRECT_URI`: The callback URL used by AzureAD to redirect the user after authentication. Defaults to 'http://localhost:1337/strapi-plugin-sso/azuread/callback'.
 5. `AZUREAD_SCOPE`: The permissions your application requires from the user. Defaults to 'user.read'. More information on permissions can be found in the [Microsoft Graph permissions reference](https://docs.microsoft.com/en-us/graph/permissions-reference).
+6. `AZUREAD_OAUTH_USE_OIDC`: Using OIDC calls graph.microsoft.com/oidc/userinfo while setting it to false calls /me as documented here : https://learn.microsoft.com/en-us/graph/api/user-get?view=graph-rest-1.0&tabs=http
 
 Make sure to replace the placeholders with the actual values you obtained from AzureAD.

server/config/index.js

@@ -14,6 +14,7 @@ module.exports = {
     AZUREAD_OAUTH_CLIENT_ID: '',
     AZUREAD_OAUTH_CLIENT_SECRET: '',
     AZUREAD_SCOPE: 'user.read',
+    AZUREAD_OAUTH_USE_OIDC: 'true',
   },
   validator() {
   },

server/controllers/azuread.js

@@ -52,6 +52,7 @@ async function azureAdSignInCallback(ctx) {
   const userService = getService("user");
   const oauthService = strapi.plugin("strapi-plugin-sso").service("oauth");
   const roleService = strapi.plugin("strapi-plugin-sso").service("role");
+  const isOIDC = config["AZUREAD_OAUTH_USE_OIDC"] !== 'false';
 
   if (!ctx.query.code) {
     return ctx.send(oauthService.renderSignUpError(`code Not Found`));
@@ -74,12 +75,20 @@ async function azureAdSignInCallback(ctx) {
         "Content-Type": "application/x-www-form-urlencoded",
       },
     });
-    const userResponse = await axios.get(OAUTH_USER_INFO_ENDPOINT, {
+    const apiResponse = await axios.get(isOIDC ? OAUTH_USER_INFO_ENDPOINT : 'https://graph.microsoft.com/v1.0/me', {
       headers: {
         Authorization: `Bearer ${response.data.access_token}`,
       },
     });
 
+    const userResponse = isOIDC ? apiResponse : {
+      data: {
+        email: apiResponse.data.userPrincipalName,
+        family_name: apiResponse.data.surname,
+        given_name: apiResponse.data.givenName,
+      }
+    }
+
     const dbUser = await userService.findOneByEmail(userResponse.data.email);
     let activateUser;
     let jwtToken;
@@ -92,8 +101,8 @@ async function azureAdSignInCallback(ctx) {
       const roles =
         azureAdRoles && azureAdRoles["roles"]
           ? azureAdRoles["roles"].map((role) => ({
-              id: role,
-            }))
+            id: role,
+          }))
           : [];
 
       const defaultLocale = oauthService.localeFindByHeader(