Azure / static-web-apps

Azure Static Web Apps. For bugs and feature requests, please create an issue in this repo. For community discussions, latest updates, kindly refer to the Discussions Tab. To know what's new in Static Web Apps, visit https://aka.ms/swa/ThisMonth
https://aka.ms/swa
MIT License

AAD B2B organisation details #556

Open GKanitz opened 2 years ago

GKanitz commented 2 years ago

Hi, I'm currently working on a static web-app that is providing a client and a business portal. I configured the aad auth provider with the B2B active directory tenant details and added a custom open-id connect provider with the B2C tenant details.

As the JWT tokens are not exposed, I wanted to understand how I can receive additional details for the logged-in user, like organization details or name, last name and email from the Graph API?

This is the configuration that I'm currently using:

```json
{
  "auth": {
    "identityProviders": {
      "azureActiveDirectory": {
        "registration": {
          "openIdIssuer": "https://login.microsoftonline.com/<B2B_TENANT_ID>/v2.0",
          "clientIdSettingName": "AAD_CLIENT_ID",
          "clientSecretSettingName": "AAD_CLIENT_SECRET"
        }
      },
      "customOpenIdConnectProviders": {
        "aad-b2c": {
          "registration": {
            "clientIdSettingName": "AAD_B2C_CLIENT_ID",
            "clientCredential": {
              "clientSecretSettingName": "AAD_B2C_CLIENT_SECRET"
            },
            "openIdConnectConfiguration": {
              "wellKnownOpenIdConfiguration": "https://<B2C_TENANT_NAME>.b2clogin.com/<B2C_TENANT_NAME>.onmicrosoft.com/v2.0/.well-known/openid-configuration?p=B2C_1_signup_signin"
            }
          },
          "login": {
            "nameClaimType": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
            "scopes": [
              "openid profile email"
            ],
            "loginParameterNames": []
          }
        }
      }
    }
  }
}
```
jon-a-nygaard commented 2 years ago

@GKanitz I am not certain that this will solve your issue, but it looks to me like your `login.scopes` might be configured incorrectly as a single string, instead of a list of strings. You could try to change it to `"scopes": ["openid", "profile", "email"]` and see if it helps.

anthonychu commented 2 years ago

We released a feature to programmatically assign roles with a function. Within the function, you have access to the token and claims from the IdP. See the documentation for more details. There's also a tutorial with a sample app.

Currently you can use this function to assign roles. If you'd like to also store claims that you can access in the /.auth/me endpoint or in the user principal in a function app, let us know.
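The role-assignment function described in this reply, as an added example that is not part of the static-web-apps repo or its documentation, and that also addresses the original question about reading name, last name and email from the identity claims. It assumes that Static Web Apps posts a JSON body of the shape `{ identityProvider, userId, userDetails, accessToken, claims: [{ typ, val }] }` to the function configured as `auth.rolesSource`, and expects `{ roles: [...] }` back. The tenant id, the claim type URIs and the sample payloads below are constructed placeholders; the `accessToken` field in the real payload is what the tutorial uses to call Microsoft Graph, which this offline example deliberately does not do. The security point it shows is that roles are derived only from verified claims the platform already validated, a tenant check keeps a guest from another directory out of the business role, and the response never includes a role outside a fixed allowlist.

```javascript
// Added example (not from the Azure/static-web-apps project): the body of an
// Azure Functions handler used as a Static Web Apps "rolesSource".
// ASSUMPTIONS (not confirmed by the issue): request body shape, claim type
// URIs, identityProvider values "aad" and "aad-b2c" matching the config keys.

// Placeholder for the B2B tenant that is allowed to receive the "business" role.
const EXPECTED_B2B_TENANT_ID = "00000000-0000-0000-0000-000000000000";

// Claim type URIs as they appear in Easy Auth style claims (assumed values).
const CLAIM = {
  name: "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
  email: "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
  tenantId: "http://schemas.microsoft.com/identity/claims/tenantid",
  objectId: "http://schemas.microsoft.com/identity/claims/objectidentifier",
};

// Only these custom roles may ever be returned; anything else is dropped.
const ALLOWED_ROLES = new Set(["business", "client"]);

// Return the value of the first claim of the given type, or null.
function claimValue(claims, typ) {
  const hit = claims.find((c) => c && c.typ === typ && typeof c.val === "string");
  return hit ? hit.val : null;
}

// Normalise the incoming payload: claims must be an array or we treat it as empty.
function safeClaims(payload) {
  return payload && Array.isArray(payload.claims) ? payload.claims : [];
}

// Decide roles from provider + claims. Deny by default: unknown provider -> no roles.
function assignRoles(payload) {
  const claims = safeClaims(payload);
  const provider = payload && payload.identityProvider;
  const roles = [];
  if (provider === "aad") {
    // Business portal users must come from the expected B2B tenant; a guest
    // signed in through another tenant gets no custom role.
    if (claimValue(claims, CLAIM.tenantId) === EXPECTED_B2B_TENANT_ID) {
      roles.push("business");
    }
  } else if (provider === "aad-b2c") {
    // Customers authenticated through the custom OIDC provider (B2C).
    roles.push("client");
  }
  return { roles: roles.filter((r) => ALLOWED_ROLES.has(r)) };
}

// The profile details the original question asked for, taken from the claims
// the platform already validated rather than from user-supplied input.
function userProfile(payload) {
  const claims = safeClaims(payload);
  return {
    name: claimValue(claims, CLAIM.name),
    email: claimValue(claims, CLAIM.email),
    objectId: claimValue(claims, CLAIM.objectId),
  };
}

// Azure Functions (Node, v3 programming model) handler; in a real function app
// this would be exported from index.js as module.exports.
async function getRolesHandler(context, req) {
  const result = assignRoles(req && req.body ? req.body : {});
  context.res = {
    status: 200,
    headers: { "Content-Type": "application/json" },
    body: result,
  };
  return result;
}

// Constructed sample payloads (not real tokens or identities).
const SAMPLE_B2B_PAYLOAD = {
  identityProvider: "aad",
  userId: "user-b2b-1",
  userDetails: "alice@contoso.example",
  accessToken: "<redacted-placeholder>",
  claims: [
    { typ: CLAIM.name, val: "Alice Example" },
    { typ: CLAIM.email, val: "alice@contoso.example" },
    { typ: CLAIM.tenantId, val: EXPECTED_B2B_TENANT_ID },
    { typ: CLAIM.objectId, val: "obj-1111" },
  ],
};
const SAMPLE_GUEST_PAYLOAD = {
  identityProvider: "aad",
  userId: "user-guest-1",
  userDetails: "bob@other.example",
  claims: [{ typ: CLAIM.tenantId, val: "11111111-1111-1111-1111-111111111111" }],
};
const SAMPLE_B2C_PAYLOAD = {
  identityProvider: "aad-b2c",
  userId: "user-b2c-1",
  userDetails: "carol@customer.example",
  claims: [{ typ: CLAIM.name, val: "Carol Customer" }],
};
```

Wired up, the function path goes into `staticwebapp.config.json` as `"auth": { "rolesSource": "/api/GetRoles", ... }` alongside the identity providers already shown in the issue, and routes that should only be reachable by business users list `"allowedRoles": ["business"]`. Because the platform, not the browser, calls this endpoint with already-validated claims, the function should still treat every field defensively (as `safeClaims` and the allowlist do) and must never echo the `accessToken` back to the client.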