platform-core/modules/auth/oauthProviderConfig.py
Ida f8976d1d95
FIX: Home tenant on OAuth login: new MSFT/Google users (and after MFA) automatically get a home tenant with TRIAL_14D so that Store, Connections and Files work.
Microsoft scopes → .default: the login and connect flows use https://graph.microsoft.com/.default instead of individual scopes so that tenant-wide admin consent takes effect.
Authority /organizations: Service_MSFT_TENANT_ID changed from common to organizations in all env files (business accounts only).
Admin-consent callback: a missing state no longer causes a hard error when consent was started outside our route.
Token refresh hardened: proactive refresh window raised from 5 to 30 minutes, rate limit from 3 to 6 per hour.
Connect refresh without prompt=consent: on "Refresh connection" (reauth=1) only select_account, no forced consent → no "Need admin approval" for normal users.
2026-06-12 10:21:52 +02:00


# Copyright (c) 2026 PowerOn AG
# All rights reserved.
"""OAuth scope sets for split Auth- vs Data-apps (Google / Microsoft)."""

# Google — Auth app only (no Gmail/Drive API scopes)
googleAuthScopes = [
    "openid",
    "https://www.googleapis.com/auth/userinfo.email",
    "https://www.googleapis.com/auth/userinfo.profile",
]

# Google — Data app (Gmail + Drive + Calendar + Contacts + identity for token responses)
googleDataScopes = [
    "openid",
    "https://www.googleapis.com/auth/userinfo.email",
    "https://www.googleapis.com/auth/userinfo.profile",
    "https://www.googleapis.com/auth/gmail.readonly",
    "https://www.googleapis.com/auth/drive.readonly",
    "https://www.googleapis.com/auth/calendar.readonly",
    "https://www.googleapis.com/auth/contacts.readonly",
]

# Microsoft — Auth app: Graph profile only (MSAL adds openid, profile, offline_access, …)
msftAuthScopes = [
    "User.Read",
]

# Microsoft — Data app (delegated; requires admin consent for several)
msftDataScopes = [
    "User.Read",
    "Mail.ReadWrite",
    "Mail.Send",
    "Files.ReadWrite.All",
    "Sites.ReadWrite.All",
    "Team.ReadBasic.All",
    "OnlineMeetings.Read",
    "Chat.ReadWrite",
    "ChatMessage.Send",
    "Calendars.Read",
    "Contacts.Read",
]


def msftDataScopesForRefresh() -> str:
    """Space-separated scope string identical to the authorization request (Token v2 refresh)."""
    return " ".join(msftDataScopes)


# Microsoft — Resource ".default": pulls exactly the permissions already
# admin-consented for the app in the user's tenant. Triggers NO interactive /
# admin consent (errors AADSTS65001 only if consent is truly missing), which is
# what we want for tenants that have disabled user consent but granted tenant-wide
# admin consent. msftAuthScopes / msftDataScopes stay as documentation of the
# expected permission set.
MSFT_GRAPH_RESOURCE = "https://graph.microsoft.com"


def msftGraphDefaultScopes() -> list:
    """Single resource ``.default`` scope for Microsoft Graph (must not be mixed
    with individual scopes or reserved scopes — MSAL adds openid/profile/offline_access)."""
    return [f"{MSFT_GRAPH_RESOURCE}/.default"]


# Infomaniak intentionally has no OAuth scope set: the kDrive + Mail data APIs
# are only reachable with manually issued Personal Access Tokens (see
# wiki/d-guides/infomaniak-token-setup.md). The OAuth /authorize endpoint at
# login.infomaniak.com only accepts identity scopes (openid/profile/email/phone)
# and does not return tokens that work against /1/* data routes.
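An added example, not part of the module above or the project's code: it checks the ".default" rule stated in the `msftGraphDefaultScopes` docstring and builds the `/authorize` URL for the login/connect flow and the `reauth=1` refresh case described in the commit message (select_account only, never prompt=consent). The `MSFT_AUTHORITY` value, the `msftScopeProblems` / `msftAuthorizeUrl` names and the client id / redirect URI in the usage are assumptions for this example.

```python
from urllib.parse import urlencode

# Constructed for this example; the real client_id / redirect_uri come from env files.
MSFT_GRAPH_RESOURCE = "https://graph.microsoft.com"
MSFT_AUTHORITY = "https://login.microsoftonline.com/organizations"  # business accounts only
MSFT_RESERVED_SCOPES = {"openid", "profile", "offline_access", "email"}  # MSAL adds these


def msftScopeProblems(scopes: list[str]) -> list[str]:
    """Return rule violations for a Microsoft identity v2 scope list (empty list = OK).

    A resource ``.default`` scope must stand alone: mixing it with individual Graph
    permissions is rejected by the token endpoint, and the reserved OIDC scopes are
    added by MSAL and must not be requested explicitly.
    """
    problems = []
    if not scopes:
        problems.append("scope list is empty")
    if any(s.endswith("/.default") for s in scopes) and len(scopes) != 1:
        problems.append("'.default' must be the only requested scope")
    reserved = sorted(MSFT_RESERVED_SCOPES & set(scopes))
    if reserved:
        problems.append(f"reserved scopes must not be requested explicitly: {reserved}")
    return problems


def msftAuthorizeUrl(client_id: str, redirect_uri: str, state: str, reauth: bool = False) -> str:
    """Build the /authorize URL for the login / connect flow.

    reauth=True is the "Refresh connection" case: only prompt=select_account, never
    prompt=consent, so users in tenants with tenant-wide admin consent are not sent
    to "Need admin approval". ``state`` must be an unguessable value bound to the
    caller's session and verified on the callback.
    """
    if not state:
        raise ValueError("state is required to bind the callback to the session")
    scopes = [f"{MSFT_GRAPH_RESOURCE}/.default"]
    problems = msftScopeProblems(scopes)
    if problems:
        raise ValueError("; ".join(problems))
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": state,
    }
    if reauth:
        params["prompt"] = "select_account"
    return f"{MSFT_AUTHORITY}/oauth2/v2.0/authorize?{urlencode(params)}"
```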