Skip to content

feat: make AzureAD OAuth scopes configurable via env vars#2811

Open
Br1an67 wants to merge 2 commits intoChainlit:mainfrom
Br1an67:fix/issue-1804-azure-scope-config
Open

feat: make AzureAD OAuth scopes configurable via env vars#2811
Br1an67 wants to merge 2 commits intoChainlit:mainfrom
Br1an67:fix/issue-1804-azure-scope-config

Conversation

@Br1an67
Copy link

@Br1an67 Br1an67 commented Mar 1, 2026
edited by cubic-dev-ai bot
Loading

What

Make the AzureAD OAuth scopes configurable via environment variables instead of hardcoded.

Closes #1804

Why

Some enterprise environments restrict the User.Read scope and require alternatives like User.ReadBasic.All. The hardcoded scope prevents these deployments.

Changes

  • backend/chainlit/oauth_providers.py:
    • AzureADOAuthProvider: reads OAUTH_AZURE_AD_SCOPES (default: https://graph.microsoft.com/User.Read offline_access)
    • AzureADHybridOAuthProvider: reads OAUTH_AZURE_AD_HYBRID_SCOPES (default: https://graph.microsoft.com/User.Read https://graph.microsoft.com/openid offline_access)

Testing

  • All 55 existing OAuth provider tests pass
  • Defaults unchanged — no breaking change

Summary by cubic

Made AzureAD OAuth scopes configurable via environment variables to support tenants that restrict User.Read. Defaults remain unchanged, so no breaking change.

Written for commit a6c8cbc. Summary will update on new commits.

@Br1an67
feat: make AzureAD OAuth scopes configurable via env vars
8f5c497 
Add OAUTH_AZURE_AD_SCOPES and OAUTH_AZURE_AD_HYBRID_SCOPES environment
variables to allow overriding the default Microsoft Graph scopes.
Defaults remain unchanged (User.Read) for backward compatibility.
@Br1an67 Br1an67 mentioned this pull request Mar 1, 2026
Open
@dosubot dosubot bot added size:XS This PR changes 0-9 lines, ignoring generated files. auth Pertaining to authentication. labels Mar 1, 2026
cubic-dev-ai[bot]
cubic-dev-ai bot reviewed Mar 1, 2026
View reviewed changes
Copy link
Contributor

@cubic-dev-ai cubic-dev-ai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No issues found across 1 file

@dosubot dosubot bot added size:S This PR changes 10-29 lines, ignoring generated files. and removed size:XS This PR changes 0-9 lines, ignoring generated files. labels Mar 2, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@cubic-dev-ai cubic-dev-ai[bot] cubic-dev-ai[bot] left review comments

@hayescode hayescode Awaiting requested review from hayescode hayescode is a code owner

@asvishnyakov asvishnyakov Awaiting requested review from asvishnyakov asvishnyakov is a code owner

@sandangel sandangel Awaiting requested review from sandangel sandangel is a code owner

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

auth Pertaining to authentication. size:S This PR changes 10-29 lines, ignoring generated files.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

AzureAD scope is hardcoded to Read.All

1 participant

@Br1an67