
Use id_token for Azure AD Source #9871

Open

silenium-dev opened this issue May 26, 2024 · 7 comments

Labels
enhancement New feature or request

Comments

@silenium-dev

silenium-dev commented May 26, 2024

Is your feature request related to a problem? Please describe.
The Azure AD source type currently requires the Microsoft Graph API scope User.Read to read the userinfo endpoint. This forbids any other non-Graph API scopes from being added, which we need (in our case: XboxLive.signin).
Microsoft itself recommends using id_tokens for OIDC as long as one doesn't need to retrieve extended user-info from the Graph API: https://learn.microsoft.com/en-us/entra/identity-platform/v2-protocols-oidc#enable-id-tokens

Describe the solution you'd like
Azure AD supports id_tokens which contain all claims required for creating a user in Authentik (preferred_username, email and name): https://learn.microsoft.com/en-us/entra/identity-platform/id-token-claims-reference

Describe alternatives you've considered
No alternatives, as there's no other way to get an access token with different scopes without another user prompt.

Additional context
I've already implemented a rough PoC on my own, that still contains some debug logging: https://github.com/silenium-dev/authentik
It works, but I still have to implement tests and properly clean the code.
I'll create a draft pull request for this.

@rissson (Member)

rissson commented May 27, 2024

We'll probably still call the userinfo endpoint in the end, so that we're able to provide that information for source property mappings (#8771)

@silenium-dev (Author)

> We'll probably still call the userinfo endpoint in the end, so that we're able to provide that information for source property mappings (#8771)

So this can't be implemented?

@rissson (Member)

rissson commented May 29, 2024

> So this can't be implemented?

It would depend on how much data is actually included in the id_token given by Azure. From a very quick look at the documentation, it seems like the id_token wouldn't contain all the data that one could retrieve from the userinfo endpoint, but feel free to correct me if I'm wrong.

@silenium-dev (Author)

The only field missing is the profile picture, even though the docs say that the fields of the id_token should be a superset of the ones from the userinfo endpoint: https://learn.microsoft.com/en-us/entra/identity-platform/userinfo#consider-using-an-id-token-instead

@rissson (Member)

rissson commented May 29, 2024

You're right, I missed that bit. That would be a welcome improvement indeed, then.

@bboehmke

I have a similar issue with Azure AD and missing information in the userinfo endpoint.

I am not completely sure what the expected implementation would be, but for me it would be great to simply have the (decoded) id_token available in an Expression Policy used in an Enrolment Stage.
This way it should be very simple to map the needed information to the user accounts.

@BeryJu (Member)

BeryJu commented Sep 12, 2024

iirc the id_token from Azure AD / Entra ID only contains the first ~1000 groups, so if a user is in more groups that information will get lost. However, the id_token is available in the flow context. The connection object is available under request.context["goauthentik.io/sources/connection"], with which you can access .access_token
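As an added example (not code from this issue or from authentik), here is the claim mapping silenium-dev describes in plain Python: the payload segment of a compact JWT is base64url-decoded, iss/aud/exp are checked, and preferred_username, email and name are mapped to the fields needed for a new user. It assumes the id_token's signature was already verified by the OIDC client that received it from the token endpoint over TLS; the issuer, client id and token used below are constructed sample values, not real Entra ID data.

```python
import base64
import json
import time

# Claims the issue names as sufficient to create the authentik user.
REQUIRED_CLAIMS = ("preferred_username", "email", "name")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_id_token_claims(id_token: str) -> dict:
    """Return the payload of a compact-serialised JWT. The signature is NOT checked here."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("id_token is not a three-part compact JWT")
    return json.loads(_b64url_decode(parts[1]))


def map_id_token_to_user(id_token: str, expected_issuer: str, client_id: str, now=None) -> dict:
    """Validate iss/aud/exp and map the claims to the fields authentik needs for a new user."""
    claims = decode_id_token_claims(id_token)
    now = time.time() if now is None else now
    if claims.get("iss") != expected_issuer:
        raise ValueError("issuer mismatch: %r" % claims.get("iss"))
    if claims.get("aud") != client_id:
        raise ValueError("audience mismatch: token was not issued for this client")
    if claims.get("exp", 0) <= now:
        raise ValueError("id_token has expired")
    missing = [c for c in REQUIRED_CLAIMS if not claims.get(c)]
    if missing:
        # A token may omit a claim; fail loudly rather than create a half-populated user.
        raise ValueError("id_token lacks required claims: %s" % ", ".join(missing))
    return {"username": claims["preferred_username"], "email": claims["email"], "name": claims["name"]}


def build_sample_id_token(claims: dict) -> str:
    """Constructed sample only: header + payload with a placeholder signature segment."""
    header = _b64url_encode(json.dumps({"typ": "JWT", "alg": "RS256"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return "%s.%s.%s" % (header, payload, _b64url_encode(b"placeholder-signature"))
```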
