Open chris-dnv opened 2 years ago
Out of curiosity - do the affected users have any "special" characters in their name? Typically æ or ł (or anything that will serialize as two bytes, not one).
I also have an issue adding roles programmatically to users. I drilled down to the issue and the logging says: Exception: System.AggregateException: One or more errors occurred. (Code: BadRequest Message: /me request is only valid with delegated authentication flow.
So - this worked before, but now it seems to behave strangely.
My GetRoles looks similar to the one above - with the difference that I'm using GraphServiceClient. This is a major issue, and I tried several things, but nothing worked.
Out of curiosity - do the affected users have any "special" characters in their name? Typically æ or ł (or anything that will serialize as two bytes, not one).
A couple of the users with this issue have the same first name: Øystein. However, not all users that have reported this issue have a name with special characters in Azure AD.
Ok - I have solved the issue I had with it. That must not be related to the above topic. Error Message was correct. I double checked my implementation and figured out I was using App Credentials to call /me with Graph Client. My fault on this. Sorry to waste your time.
C#: Initialize the GraphServiceClient like so:

```csharp
var _client = new GraphServiceClient(new TokenAuthenticationProvider(accessToken));
```
accessToken is in this case in the body of the request to GetRoles. It contains UserId and AccessToken, if the Application is registered correctly: https://docs.microsoft.com/en-us/azure/static-web-apps/assign-roles-microsoft-graph
Additional: I also found threads where a large number of groups can't be handled.
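
Added example, not part of the original comment or of the project's code: a JavaScript (Node.js) diagnostic that reports, before any Graph call, whether the `accessToken` handed to GetRoles is a delegated token (the only kind `/me` accepts, per the error quoted above) or an app-only one. `checkMeCall` and `makeSampleToken` are hypothetical helper names, and the sample tokens are constructed.

```javascript
// Added diagnostic example. It does NOT verify the token signature, so its
// result is for logging only and must never be used to grant access.

// Decode the payload (second segment) of a JWT-formatted access token.
function decodeClaims(accessToken) {
  const parts = String(accessToken || "").split(".");
  if (parts.length !== 3) return null;
  try {
    const b64 = parts[1].replace(/-/g, "+").replace(/_/g, "/");
    // Decode as UTF-8 so multi-byte characters such as "Ø" survive.
    const claims = JSON.parse(Buffer.from(b64, "base64").toString("utf8"));
    return claims && typeof claims === "object" ? claims : null;
  } catch {
    return null;
  }
}

// Delegated tokens carry a non-empty "scp" claim; app-only (client
// credentials) tokens have no "scp" and typically carry "roles".
function tokenFlow(claims) {
  if (!claims) return "unreadable";
  if (typeof claims.scp === "string" && claims.scp.trim() !== "") return "delegated";
  if (claims.idtyp === "app" || Array.isArray(claims.roles)) return "app-only";
  return "unknown";
}

// Hypothetical helper: decide whether a /me call can work with this token.
function checkMeCall(accessToken) {
  const claims = decodeClaims(accessToken);
  const flow = tokenFlow(claims);
  const name = claims ? claims.name || null : null;
  return { flow, meAllowed: flow === "delegated", name };
}

// Constructed sample tokens (fake signature, not issued by any tenant).
function makeSampleToken(claims) {
  const enc = (o) => Buffer.from(JSON.stringify(o), "utf8").toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  return `${enc({ alg: "none", typ: "JWT" })}.${enc(claims)}.constructed`;
}

const delegatedSample = makeSampleToken({ scp: "User.Read", name: "Øystein Example" });
const appOnlySample = makeSampleToken({ roles: ["User.Read.All"], idtyp: "app" });

console.log(checkMeCall(delegatedSample));
console.log(checkMeCall(appOnlySample));
console.log(checkMeCall("not-a-jwt"));
```

Logging the `flow` value at the top of GetRoles shows immediately when app credentials have been used where a user token was expected.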
I've opened a case in the Azure Portal as this is still an issue. I would really like to get this fixed so that we can use the roles API as per the Microsoft docs.
Describe the bug
I've configured the GetRoles API and custom authentication as per the documentation, which works for myself and some of my colleagues. However, a few colleagues have told me that no matter what browser they use / if they use incognito etc., they get 403 forbidden when trying to access my static site. They are a member of the same group that I am, which is a generic AD group for our company. I've tried to see in the App Insights logs what the issue might be, but the logs aren't detailed enough / don't show what role the user has, if any.
To Reproduce
The affected users have tried to clear cookies, use different browsers, etc., to no avail. They have the same group membership as myself.
Expected behavior
I expect that these users can log in to the site as expected, as they should be granted the reader role.
Additional context
Site works fine for a majority of users. Is it possible to view the App/API logs to see why the role isn't set for these specific users?
EDIT - I just found this issue, which looks to be very similar / the same as mine: https://github.com/staticwebdev/roles-function/issues/3. Users in our tenant with the issue also have over 100 groups, but not everyone with over 100 groups is affected, like myself.