
Group assignments to be automatically replicated from Microsoft Azure AD #794

Open
mrmrcoleman opened this issue May 2, 2023 · 1 comment


mrmrcoleman commented May 2, 2023

Expected behaviour

Group assignments to be automatically replicated from Microsoft Azure AD

Actual behaviour

The Microsoft Azure AD authentication backend is not group-aware: it has no mechanism for handling the assignment of groups learned via Azure AD authentication and is currently limited to deriving the username, email address, and first & last name of the authenticated account.

What are the steps to reproduce this issue?

  1. Consuming application creates a local authentication group.
  2. Consuming application's user creates various custom permissions and assigns them to the group in the application itself.
  3. User creates an authentication group in Microsoft Azure AD and assigns Azure AD accounts to it.
  4. Azure AD group assignments for the user are not automatically replicated to the application consuming Python Social Auth.

Any logs, error output, etc?

No logs as the functionality doesn't exist yet.

Any other comments?

We would like to submit a fix for this:

Create a custom backend to extend and replace the built-in Azure AD backend to provide this ability in Python Social Auth

We are happy to do the work and support it moving forward, but we would like some clarity around:

  1. Whether or not this would be accepted by the maintainers?
  2. Within what time frame that might be possible?


yrro commented Jun 28, 2023

FYI (with my Azure AD application administrator hat on here) I would not want an id token to contain a groups claim with every group that the user is a member of. This can number hundreds of groups, nearly all of which will fall into the category of "information that the application does not need to know". Therefore it's not proper to use groups in this manner. There are also practical concerns (e.g., at least with Azure AD, once there are too many groups to fit into the groups claim, groups will be randomly dropped and an additional claim added meaning "this group list is incomplete; you need to query MS Graph for the full list").

What I would like instead is for applications to be able to use the roles claim. Identity providers (such as Azure AD) allow a list of roles to be configured on an application, and then users and groups can be assigned to those roles; when a user signs in, their token will have a roles claim with a list of roles. The application should use that list to determine the user's permissions within the application.
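As an added example, not code from Python Social Auth or from either commenter, the claim handling described above in plain Python: it derives application permissions from the roles claim and treats the groups claim as unusable whenever Azure AD flags it as incomplete. The role names, permission names and sample claim sets are constructed; the overage markers `hasgroups` and `_claim_names`/`_claim_sources` are the ones Azure AD documents, and the claims are assumed to come from an already signature-verified, decoded ID token.

```python
from typing import Dict, List, Optional, Set

# Hypothetical application roles -> permissions (constructed for this example).
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "Reader": {"view_dashboard"},
    "Editor": {"view_dashboard", "edit_records"},
    "Admin": {"view_dashboard", "edit_records", "manage_users"},
}


def groups_claim_is_complete(claims: dict) -> bool:
    """Return False when Azure AD signals that the groups list was truncated.

    Once a user belongs to more groups than fit in the token, Azure AD drops
    the groups claim and emits either `hasgroups: true` (implicit flow) or a
    `_claim_names`/`_claim_sources` pair pointing at a Microsoft Graph endpoint.
    Both mean "this list is incomplete; query Graph for the full membership".
    """
    if claims.get("hasgroups"):
        return False
    if "groups" in claims.get("_claim_names", {}):
        return False
    return True


def effective_groups(claims: dict) -> Optional[List[str]]:
    """Return the groups claim, or None when it must not be trusted as complete."""
    if not groups_claim_is_complete(claims):
        return None
    return list(claims.get("groups", []))


def permissions_from_claims(claims: dict) -> Set[str]:
    """Map the roles claim onto application permissions; unknown roles are ignored."""
    perms: Set[str] = set()
    for role in claims.get("roles", []):
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


# Constructed sample claim sets (decoded ID token payloads, already verified).
ROLES_TOKEN = {"sub": "user-1", "roles": ["Editor"], "groups": ["g1", "g2"]}
OVERAGE_TOKEN = {
    "sub": "user-2",
    "roles": ["Reader"],
    "_claim_names": {"groups": "src1"},
    "_claim_sources": {"src1": {"endpoint": "https://graph.example.invalid/getMemberObjects"}},
}
```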
