fix: Pomerium scope permissions and groups claim (#12)

homecentr · Aug 15, 2023 · 980c0ee · 980c0ee
1 parent f2f9fcb
commit 980c0ee
Showing 1 changed file with 22 additions and 6 deletions.
diff --git a/terraform/azuread-app-pomerium.tf b/terraform/azuread-app-pomerium.tf
@@ -15,21 +15,37 @@ resource "azuread_application" "pomerium" {
     }
 
     resource_access {
-      id   = azuread_service_principal.msgraph.app_role_ids["User.Read.All"]
-      type = "Role"
+      id   = azuread_service_principal.msgraph.oauth2_permission_scope_ids["User.Read.All"]
+      type = "Scope"
     }
 
     resource_access {
-      id   = azuread_service_principal.msgraph.app_role_ids["Group.Read.All"]
-      type = "Role"
+      id   = azuread_service_principal.msgraph.oauth2_permission_scope_ids["Group.Read.All"]
+      type = "Scope"
     }
 
     resource_access {
-      id   = azuread_service_principal.msgraph.app_role_ids["Directory.Read.All"]
-      type = "Role"
+      id   = azuread_service_principal.msgraph.oauth2_permission_scope_ids["Directory.Read.All"]
+      type = "Scope"
     }
   }
 
+  optional_claims {
+    access_token {
+      name = "groups"
+    }
+
+    id_token {
+      name = "groups"
+    }
+
+    saml2_token {
+      name = "groups"
+    }
+  }
+
+  group_membership_claims = ["SecurityGroup", "ApplicationGroup"]
+
   api {
     requested_access_token_version = "2"
   }