From 208f497a5a6a2a90e0fecdfd31c46e260b36ddbe Mon Sep 17 00:00:00 2001
From: Chris Beavers
Date: Wed, 6 Mar 2019 18:15:54 -0600
Subject: [PATCH] Add AzureAD provider

---
 CHANGELOG.md | 2 ++
 src/Yesod/Auth/OAuth2/AzureAD.hs | 53 ++++++++++++++++++++++++++++++++
 stack-lts-12.2.yaml | 2 +-
 3 files changed, 56 insertions(+), 1 deletion(-)
 create mode 100644 src/Yesod/Auth/OAuth2/AzureAD.hs

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 28d6f2a..fdc327f 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,6 +1,8 @@
 ## [*Unreleased*](https://github.com/thoughtbot/yesod-auth-oauth2/compare/v0.6.1.0...master)
 - Test with GHC 8.6.3, and not 8.2
+- Added AzureAD provider
+- COMPATIBILITY: Use `hoauth2-1.8.1`
 ## [v0.6.1.0](https://github.com/thoughtbot/yesod-auth-oauth2/compare/v0.6.0.0...v0.6.1.0)
diff --git a/src/Yesod/Auth/OAuth2/AzureAD.hs b/src/Yesod/Auth/OAuth2/AzureAD.hs
new file mode 100644
index 0000000..a0168b8
--- /dev/null
+++ b/src/Yesod/Auth/OAuth2/AzureAD.hs
@@ -0,0 +1,53 @@
+{-# LANGUAGE OverloadedStrings #-}
+-- |
+--
+-- OAuth2 plugin for Azure AD.
+--
+-- * Authenticates against Azure AD
+-- * Uses email as credentials identifier
+--
+module Yesod.Auth.OAuth2.AzureAD
+ ( oauth2AzureAD
+ , oauth2AzureADScoped
+ ) where
+
+import Prelude
+import Yesod.Auth.OAuth2.Prelude
+
+newtype User = User Text
+
+instance FromJSON User where
+ parseJSON = withObject "User" $ \o -> User
+ <$> o .: "mail"
+
+pluginName :: Text
+pluginName = "azuread"
+
+defaultScopes :: [Text]
+defaultScopes = ["openid", "profile"]
+
+oauth2AzureAD :: YesodAuth m => Text -> Text -> AuthPlugin m
+oauth2AzureAD = oauth2AzureADScoped defaultScopes
+
+oauth2AzureADScoped :: YesodAuth m => [Text] -> Text -> Text -> AuthPlugin m
+oauth2AzureADScoped scopes clientId clientSecret =
+ authOAuth2 pluginName oauth2 $ \manager token -> do
+ (User userId, userResponse) <-
+ authGetProfile pluginName manager token "https://graph.microsoft.com/v1.0/me"
+
+ pure Creds
+ { credsPlugin = pluginName
+ , credsIdent = userId
+ , credsExtra = setExtra token userResponse
+ }
+ where
+ oauth2 = OAuth2
+ { oauthClientId = clientId
+ , oauthClientSecret = clientSecret
+ , oauthOAuthorizeEndpoint = "https://login.windows.net/common/oauth2/authorize" `withQuery`
+ [ scopeParam "," scopes
+ , ("resource", "https://graph.microsoft.com")
+ ]
+ , oauthAccessTokenEndpoint = "https://login.windows.net/common/oauth2/token"
+ , oauthCallback = Nothing
+ }
diff --git a/stack-lts-12.2.yaml b/stack-lts-12.2.yaml
index 92a7bcf..4f8faea 100644
--- a/stack-lts-12.2.yaml
+++ b/stack-lts-12.2.yaml
@@ -1,7 +1,7 @@
 ---
 resolver: lts-12.2
 extra-deps:
- - hoauth2-1.7.2
+ - hoauth2-1.8.1
 - uri-bytestring-aeson-0.1.0.6 # needed so resourcet can get exceptions-0.10 even though hoauth dislikes it
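Review bot: `credsIdent` is taken from the Graph `mail` attribute (the `FromJSON User` instance parses only `"mail"`), which is an administrator-editable and possibly absent field: when it is null the `.:` parse fails and the login fails outright, and when the address is changed or reassigned the same credential silently maps to a different directory account. The immutable Graph object `id` is the safer identifier; `parseJSON = withObject "User" $ \o -> User <$> o .: "id"` keeps the module's interface unchanged, and the e-mail remains available to callers through `setExtra token userResponse`, with the header line `-- * Uses email as credentials identifier` updated to match. Independently, both endpoints are hard-coded to the multi-tenant `common` tenant, so users from any Azure AD tenant can complete the flow; the module header should state this, e.g. `-- * Uses the multi-tenant @common@ endpoint; applications serving a single organisation must check the tenant in their 'authenticate' handler`. Also, `scopeParam ","` joins scopes with a comma whereas Azure AD expects space-delimited scopes; presumably harmless on this v1 endpoint where `resource` selects the API, but worth confirming against the other providers in this package.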