From d31c05625bd8eccaa4d3e335a4316a4e7084d434 Mon Sep 17 00:00:00 2001
From: "gcp-cherry-pick-bot[bot]" <98988430+gcp-cherry-pick-bot[bot]@users.noreply.github.com>
Date: Fri, 12 Jan 2024 21:01:24 +0100
Subject: [PATCH] sources/oauth: fix azure_ad user_id and add test and fallback (cherry-pick #8146) (#8152)

---
 authentik/sources/oauth/tests/test_type_azure_ad.py | 4 ++++
 authentik/sources/oauth/types/azure_ad.py | 5 +++++
 2 files changed, 9 insertions(+)

diff --git a/authentik/sources/oauth/tests/test_type_azure_ad.py b/authentik/sources/oauth/tests/test_type_azure_ad.py
index ff9b078f9..2f1e1731e 100644
--- a/authentik/sources/oauth/tests/test_type_azure_ad.py
+++ b/authentik/sources/oauth/tests/test_type_azure_ad.py
@@ -44,3 +44,7 @@ class TestTypeAzureAD(TestCase):
 self.assertEqual(ak_context["username"], AAD_USER["userPrincipalName"])
 self.assertEqual(ak_context["email"], AAD_USER["mail"])
 self.assertEqual(ak_context["name"], AAD_USER["displayName"])
+
+ def test_user_id(self):
+ """Test azure AD user ID"""
+ self.assertEqual(AzureADOAuthCallback().get_user_id(AAD_USER), AAD_USER["id"])
diff --git a/authentik/sources/oauth/types/azure_ad.py b/authentik/sources/oauth/types/azure_ad.py
index 9abe1eedb..61dae56b1 100644
--- a/authentik/sources/oauth/types/azure_ad.py
+++ b/authentik/sources/oauth/types/azure_ad.py
@@ -25,6 +25,11 @@ class AzureADOAuthCallback(OpenIDConnectOAuth2Callback):

 client_class = UserprofileHeaderAuthClient

+ def get_user_id(self, info: dict[str, str]) -> str:
+ # Default try to get `id` for the Graph API endpoint
+ # fallback to OpenID logic in case the profile URL was changed
+ return info.get("id", super().get_user_id(info))
+
 def get_user_enroll_context(
 self,
 info: dict[str, Any],
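Review bot: In `test_type_azure_ad.py`, the new `test_user_id` only exercises the branch where the profile contains `id`; the fallback to the parent class that this commit introduces is never run. A second case that passes a profile without `id` and asserts the parent's value would pin that behaviour, e.g. `self.assertEqual(AzureADOAuthCallback().get_user_id({"sub": "foo"}), "foo")` (constructed sample, and it assumes the OpenID Connect parent reads `sub`, which is not visible here). Because this identifier decides which user an Azure AD login is linked to, both branches are worth covering. The `TestTypeAzureAD` class starts outside the hunk.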
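Review bot: In `get_user_id` (`types/azure_ad.py`), `info.get("id", ...)` falls back only when the key is absent, so a profile that carries `id` with an empty or null value would hand that value back as the identifier used to link the external account. `return info.get("id") or super().get_user_id(info)` falls back in that case too and skips the parent call when `id` is present. The comment could also say that the Graph `id` and the OpenID identifier are presumably different values for the same person, so changing the profile URL on a source that already has linked users may stop matching them; that is worth confirming against the parent class. The `info: dict[str, str]` annotation differs from the `dict[str, Any]` used by `get_user_enroll_context` just below, and the class body continues outside the hunk.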