Pass through correct scope per Azure environment (#594)

jenkinsci · Jul 12, 2024 · 7e7931d · 7e7931d
1 parent 1aadf23
commit 7e7931d
Showing 1 changed file with 8 additions and 1 deletion.
diff --git a/src/main/java/com/microsoft/jenkins/azuread/GraphClientCache.java b/src/main/java/com/microsoft/jenkins/azuread/GraphClientCache.java
@@ -11,6 +11,7 @@
 import hudson.util.Secret;
 import io.jenkins.plugins.azuresdk.HttpClientRetriever;
 import java.net.URI;
+import java.util.Collections;
 import jenkins.model.Jenkins;
 import jenkins.util.JenkinsJVM;
 import okhttp3.Credentials;
@@ -24,6 +25,7 @@
 import static com.microsoft.jenkins.azuread.AzureEnvironment.getAuthorityHost;
 import static com.microsoft.jenkins.azuread.AzureEnvironment.getGraphResource;
 import static com.microsoft.jenkins.azuread.AzureEnvironment.getServiceRoot;
+import static java.util.Collections.singletonList;
 
 public class GraphClientCache {
 
@@ -35,7 +37,12 @@ public class GraphClientCache {
     private static GraphServiceClient<Request> createGraphClient(GraphClientCacheKey key) {
         final ClientSecretCredential clientSecretCredential = getClientSecretCredential(key);
 
-        final TokenCredentialAuthProvider authProvider = new TokenCredentialAuthProvider(clientSecretCredential);
+        String graphResource = AzureEnvironment.getGraphResource(key.getAzureEnvironmentName());
+
+        final TokenCredentialAuthProvider authProvider = new TokenCredentialAuthProvider(
+                singletonList(graphResource + ".default"),
+                clientSecretCredential
+        );
 
         OkHttpClient.Builder builder = HttpClients.createDefault(authProvider)
                 .newBuilder();