chore: add scopes field to MS Azure AD connector (#7087)

* chore: add scopes field to MS Axure AD connector

* fix: fix scopes

.changeset/bright-pans-deny.md

@@ -0,0 +1,5 @@
+---
+"@logto/connector-azuread": patch
+---
+
+add `scopes` configuration field for Microsoft Azure AD connector

packages/connectors/connector-azuread/README.md

@@ -12,6 +12,7 @@ The Microsoft Azure AD connector provides a succinct way for your application to
     - [Cloud Instance](#cloud-instance)
     - [Tenant ID](#tenant-id)
     - [Prompts](#prompts)
+    - [Scopes](#scopes)
   - [References](#references)
 
 ## Set up Microsoft Azure AD in the Azure Portal
@@ -31,6 +32,7 @@ The Microsoft Azure AD connector provides a succinct way for your application to
 | tenantId      | string   |
 | cloudInstance | string   |
 | prompts       | string[] |
+| scopes        | string?  |
 
 ### Client ID
 
@@ -66,6 +68,12 @@ The `prompts` field is an array of strings that specifies the type of user inter
 
 Logto will concatenate the prompts with a space as the value of `prompt` in the authorization URL.
 
+### Scopes
+
+The `scopes` field is a space-separated list of scopes the application needs. The list of scopes can be found in the [Microsoft Graph permissions reference](https://learn.microsoft.com/en-us/graph/permissions-reference).
+
+The default scopes are `User.Read`, leave this field empty unless you need other scopes.
+
 ## References
 
 - [Web app that signs in users](https://docs.microsoft.com/en-us/azure/active-directory/develop/scenario-web-app-sign-user-overview)

packages/connectors/connector-azuread/src/constant.ts

@@ -62,6 +62,13 @@ export const defaultMetadata: ConnectorMetadata = {
         value: prompt,
       })),
     },
+    {
+      key: 'scopes',
+      type: ConnectorConfigFormItemType.Text,
+      required: false,
+      label: 'Scopes',
+      placeholder: '<scope1> <scope2>',
+    },
   ],
 };
 

packages/connectors/connector-azuread/src/index.ts

@@ -1,4 +1,4 @@
-import { assert, conditional } from '@silverhand/essentials';
+import { assert, conditional, deduplicate } from '@silverhand/essentials';
 import { got, HTTPError } from 'got';
 import path from 'node:path';
 
@@ -19,7 +19,12 @@ import {
   parseJson,
 } from '@logto/connector-kit';
 
-import { scopes, defaultMetadata, defaultTimeout, graphAPIEndpoint } from './constant.js';
+import {
+  scopes as defaultScopes,
+  defaultMetadata,
+  defaultTimeout,
+  graphAPIEndpoint,
+} from './constant.js';
 import type { AzureADConfig } from './types.js';
 import {
   azureADConfigGuard,
@@ -37,10 +42,10 @@ const getAuthorizationUri =
     const config = await getConfig(defaultMetadata.id);
 
     validateConfig(config, azureADConfigGuard);
-    const { clientId, clientSecret, cloudInstance, tenantId, prompts } = config;
+    const { clientId, clientSecret, cloudInstance, tenantId, prompts, scopes } = config;
 
     const defaultAuthCodeUrlParameters: AuthorizationUrlRequest = {
-      scopes,
+      scopes: deduplicate([...defaultScopes, ...(scopes?.split(' ') ?? [])]),
       state,
       redirectUri,
       ...conditional(prompts && prompts.length > 0 && { prompt: prompts.join(' ') }),

packages/connectors/connector-azuread/src/types.ts

@@ -8,6 +8,7 @@ export const azureADConfigGuard = z.object({
   cloudInstance: z.string(),
   tenantId: z.string(),
   prompts: oidcPromptsGuard,
+  scopes: z.string().optional(),
 });
 
 export type AzureADConfig = z.infer<typeof azureADConfigGuard>;