Kinto / kinto.js

An Offline-First JavaScript Client for Kinto.
http://kintojs.readthedocs.io/

Add groups to users automatically via Oauth #1677 #2159

Open khanfarr opened 4 months ago

khanfarr commented 4 months ago

Implement Automatic OAuth Group Assignment

Summary:

This pull request resolves the laborious and error-prone manual assignment of user groups from Azure AD, which was brought up in Issue #1677. The suggested modifications automate the process of grouping users according to OAuth group claims that Azure AD provides at the time of user login.

Issue:

As it is, the program needs human interaction to assign user groups when it comes to access controls and permission management. This manual procedure takes a long time and is prone to mistakes, which could result in operational inefficiencies and security threats.

Solution:

With the help of this PR, the aim is that the Pyramid application's `GroupAwareAuthenticationPolicy` will now be improved to automatically identify groups based on OAuth tokens and associate them with user sessions. With the help of this feature, group assignment is managed precisely and dynamically, reflecting user rights set up in Azure AD.

Changes Made:

  1. Updated GroupAwareAuthenticationPolicy
  2. Testing

Next Steps:

This was for a class project, and definitely a WIP. I'm still a student and still learning so I'm happy to work on this on the side with some guidance as I'm sure there is a lot more work to be done here!
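
As an added example (not code from this pull request or from Kinto), here is one way to turn the group claims of an already-validated Azure AD token into local group principals, failing closed when Azure AD omits `groups` because the user is in too many groups. The function name, the exception, the mapping table and the principal strings are assumptions, and wiring the result into `GroupAwareAuthenticationPolicy` is not shown.

```python
from typing import Iterable, Mapping

# Constructed allowlist: Azure AD group object IDs -> local group principals.
# Only groups listed here are ever granted; unknown IDs are ignored.
GROUP_MAP = {
    "00000000-0000-0000-0000-0000000000a1": "/buckets/main/groups/editors",
    "00000000-0000-0000-0000-0000000000b2": "/buckets/main/groups/reviewers",
}


class GroupOverage(Exception):
    """The token signals that group membership was not included inline."""


def principals_from_claims(claims: Mapping, group_map: Mapping = GROUP_MAP) -> list:
    """Map token group claims to local principals (hypothetical helper).

    `claims` must be the payload of a token whose signature, issuer,
    audience and expiry have already been verified by the caller.
    """
    # Azure AD drops the `groups` claim for users in many groups and emits
    # `_claim_names` (or `hasgroups` in the implicit flow) instead.
    # Treating that as "no groups" would silently strip access, and guessing
    # would grant it, so surface it and let the caller decide.
    claim_names = claims.get("_claim_names") or {}
    if "groups" in claim_names or claims.get("hasgroups"):
        raise GroupOverage("groups not in token; resolve membership server-side")

    groups = claims.get("groups", [])
    if not isinstance(groups, Iterable) or isinstance(groups, (str, bytes)):
        raise ValueError("groups claim must be a list of group IDs")

    # Allowlist mapping: never turn an arbitrary claim value into a principal.
    mapped = {group_map[g] for g in groups if isinstance(g, str) and g in group_map}
    return sorted(mapped)


if __name__ == "__main__":
    # Constructed sample payload (not a real token).
    sample = {
        "sub": "constructed-user",
        "groups": ["00000000-0000-0000-0000-0000000000a1", "unmapped-group-id"],
    }
    print(principals_from_claims(sample))
```
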