[Azure AD] Fixes #530: Supports KMSI page display logic after MFA

[kenchan0130]

Background

I have previously added processing for KSMI pages after MFA at #509.
However, we have received reports from some users at #530 that authentication using Azure AD does not work properly.

Cause

I found the following description at https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/keep-me-signed-in.

The following diagram shows the user sign-in flow for a managed tenant and federated tenant and the new keep me signed in prompt. This flow contains smart Logic so that the Stay signed in? option won't be displayed if the machine learning system detects a high-risk sign-in or a sign-in from a shared device.

This means that if the device is not trusted, the KMSI page may not be displayed.

Patch overview

• Supports KMSI page display logic after MFA

---

FIX: #530

[kenchan0130]

Based on the information in resBodyStr of #530 (comment) and resBodyStr of #509, I determine if it is a KSMI page based on the presence of $Config.

If this intent is difficult to convey, I could change it to the following.

isKMSIPage := strings.Contains(resBodyStr, "$Config")
if isKMSIPage {
  ....
}

[pseidel-kcf]

@kenchan0130 Thanks for investigating my issue! I tested this branch locally and ran into an issue : error authenticating to IdP: unable to locate IDP oidc form submit URL

I believe this is due to res.Body already being consumed on line 847.

The diff below fixes the issue for me locally but I'm not a Go expert so I'm not sure if this is the best approach.

diff --git a/pkg/provider/aad/aad.go b/pkg/provider/aad/aad.go
index 68afcbe..5fe8d5e 100644
--- a/pkg/provider/aad/aad.go
+++ b/pkg/provider/aad/aad.go
@@ -1,6 +1,7 @@
 package aad

 import (
+       "bytes"
        "crypto/tls"
        "encoding/json"
        "fmt"
@@ -846,6 +847,8 @@ func (ac *Client) Authenticate(loginDetails *creds.LoginDetails) (string, error)
                // <script><![CDATA[  $Config=......; ]]>
                resBody, _ = ioutil.ReadAll(res.Body)
                resBodyStr = string(resBody)
+               // reset res.Body so it can be read again later if required
+               res.Body = ioutil.NopCloser(bytes.NewBuffer(resBody))

                // After performing MFA we may be prompted with KMSI (Keep Me Signed In) page
                // Ref: https://docs.microsoft.com/ja-jp/azure/active-directory/fundamentals/keep-me-signed-in

[kenchan0130]

Indeed, io.Reader is treated like a stream. Therefore, I also noticed that it can't be read twice, which would affect the subsequent ones.