providers/microsoft_entra: fix error when updating connection attributes (#10039)

* providers/microsoft_entra: fix error when updating connection attributes

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* include URL to field references

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* only set gws user password when creating by default

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* merge instead of replace connection attributes

an update might not return all attributes so we don't want to fully replace the attributes

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

---------

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

authentik/enterprise/providers/microsoft_entra/clients/base.py

@@ -23,6 +23,7 @@ from msgraph.graph_service_client import GraphServiceClient
 from msgraph_core import GraphClientFactory
 
 from authentik.enterprise.providers.microsoft_entra.models import MicrosoftEntraProvider
+from authentik.events.utils import sanitize_item
 from authentik.lib.sync.outgoing import HTTP_CONFLICT
 from authentik.lib.sync.outgoing.base import BaseOutgoingSyncClient
 from authentik.lib.sync.outgoing.exceptions import (
@@ -106,4 +107,4 @@ class MicrosoftEntraSyncClient[TModel: Model, TConnection: Model, TSchema: dict]
         we can't JSON serialize"""
         raw_data = asdict(entity)
         raw_data.pop("backing_store", None)
-        return raw_data
+        return sanitize_item(raw_data)

authentik/enterprise/providers/microsoft_entra/clients/groups.py

@@ -1,3 +1,4 @@
+from deepmerge import always_merger
 from django.db import transaction
 from msgraph.generated.groups.groups_request_builder import GroupsRequestBuilder
 from msgraph.generated.models.group import Group as MSGroup
@@ -107,8 +108,9 @@ class MicrosoftEntraGroupClient(
             response = self._request(
                 self.client.groups.by_group_id(connection.microsoft_id).patch(microsoft_group)
             )
-            connection.attributes = self.entity_as_dict(response)
-            connection.save()
+            if response:
+                always_merger.merge(connection.attributes, self.entity_as_dict(response))
+                connection.save()
         except NotFoundSyncException:
             # Resource missing is handled by self.write, which will re-create the group
             raise

authentik/enterprise/providers/microsoft_entra/clients/users.py

@@ -1,3 +1,4 @@
+from deepmerge import always_merger
 from django.db import transaction
 from msgraph.generated.models.user import User as MSUser
 from msgraph.generated.users.users_request_builder import UsersRequestBuilder
@@ -113,8 +114,9 @@ class MicrosoftEntraUserClient(MicrosoftEntraSyncClient[User, MicrosoftEntraProv
         response = self._request(
             self.client.users.by_user_id(connection.microsoft_id).patch(microsoft_user)
         )
-        connection.attributes = self.entity_as_dict(response)
-        connection.save()
+        if response:
+            always_merger.merge(connection.attributes, self.entity_as_dict(response))
+            connection.save()
 
     def discover(self):
         """Iterate through all users and connect them with authentik users if possible"""

authentik/lib/sync/outgoing/tasks.py

@@ -14,6 +14,7 @@ from authentik.core.models import Group, User
 from authentik.events.logs import LogEvent
 from authentik.events.models import TaskStatus
 from authentik.events.system_tasks import SystemTask
+from authentik.events.utils import sanitize_item
 from authentik.lib.sync.outgoing import PAGE_SIZE, PAGE_TIMEOUT
 from authentik.lib.sync.outgoing.base import Direction
 from authentik.lib.sync.outgoing.exceptions import (
@@ -145,8 +146,8 @@ class SyncTasks:
                                 )
                             ),
                             log_level="warning",
-                            logger="",
-                            attributes={"arguments": exc.args[1:]},
+                            logger=f"{provider._meta.verbose_name}@{object_type}",
+                            attributes={"arguments": exc.args[1:], "obj": sanitize_item(obj)},
                         )
                     )
                 )
@@ -168,7 +169,8 @@ class SyncTasks:
                                 )
                             ),
                             log_level="warning",
-                            logger="",
+                            logger=f"{provider._meta.verbose_name}@{object_type}",
+                            attributes={"obj": sanitize_item(obj)},
                         )
                     )
                 )
@@ -185,7 +187,8 @@ class SyncTasks:
                                 )
                             ),
                             log_level="warning",
-                            logger="",
+                            logger=f"{provider._meta.verbose_name}@{object_type}",
+                            attributes={"obj": sanitize_item(obj)},
                         )
                     )
                 )

blueprints/system/providers-google-workspace.yaml

@@ -9,8 +9,9 @@ entries:
     model: authentik_providers_google_workspace.googleworkspaceprovidermapping
     attrs:
       name: "authentik default Google Workspace Mapping: User"
-      # https://developers.google.com/admin-sdk/directory/reference/rest/v1/users#User
       expression: |
+        # Field reference:
+        # https://developers.google.com/admin-sdk/directory/reference/rest/v1/users#User
         # Google require givenName and familyName to be set
         givenName, familyName = request.user.name, " "
         formatted = request.user.name + " "
@@ -20,23 +21,26 @@ entries:
         if " " in request.user.name:
             givenName, _, familyName = request.user.name.partition(" ")
             formatted = request.user.name
-        return {
+        user = {
             "name": {
                 "fullName": formatted,
                 "familyName": familyName.strip(),
                 "givenName": givenName.strip(),
                 "displayName": formatted,
             },
-            "password": request.user.password,
             "suspended": not request.user.is_active,
         }
+        if not connection:
+            user["password"] = request.user.password
+        return user
   - identifiers:
       managed: goauthentik.io/providers/google_workspace/group
     model: authentik_providers_google_workspace.googleworkspaceprovidermapping
     attrs:
       name: "authentik default Google Workspace Mapping: Group"
-      # https://developers.google.com/admin-sdk/directory/reference/rest/v1/groups#Group
       expression: |
+        # Field reference:
+        # https://developers.google.com/admin-sdk/directory/reference/rest/v1/groups#Group
         return {
             "name": group.name,
         }

blueprints/system/providers-microsoft-entra.yaml

@@ -9,8 +9,9 @@ entries:
     model: authentik_providers_microsoft_entra.microsoftentraprovidermapping
     attrs:
       name: "authentik default Microsoft Entra Mapping: User"
-      # https://learn.microsoft.com/en-us/graph/api/resources/user?view=graph-rest-1.0
       expression: |
+        # Field reference: (note that keys have to converted to snake_case)
+        # https://learn.microsoft.com/en-us/graph/api/resources/user?view=graph-rest-1.0
         from msgraph.generated.models.password_profile import PasswordProfile
 
         user = {
@@ -35,8 +36,9 @@ entries:
     model: authentik_providers_microsoft_entra.microsoftentraprovidermapping
     attrs:
       name: "authentik default Microsoft Entra Mapping: Group"
-      # https://learn.microsoft.com/en-us/graph/api/group-post-groups?view=graph-rest-1.0&tabs=http#request-body
       expression: |
+        # Field reference: (note that keys have to converted to snake_case)
+        # https://learn.microsoft.com/en-us/graph/api/group-post-groups?view=graph-rest-1.0&tabs=http#request-body
         return {
             "display_name": group.name,
             "mail_enabled": False,